3f44ddf7b8cb6b5a145f635d5c5316f08351a99b60bd53a915ec6cf6b587c314

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
04/01/2024, 23:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4235680f091bbca80266f80bffb290c4.exe
Size

47KB
MD5

4235680f091bbca80266f80bffb290c4
SHA1

a52b1fd61a6dae0c782ebafc69023fcca1f3023d
SHA256

3f44ddf7b8cb6b5a145f635d5c5316f08351a99b60bd53a915ec6cf6b587c314
SHA512

f22680925f0a5eaaa1d30614c0d5a9239bae133178322cf7435c44b1ccdd4389f27f6764f3d07f2d0fcf124dee0a3d773e97f0283bd6e2dd6ace74706a6380b7
SSDEEP

768:EyW1yBtObv0U/xwPp0EoooiYECG2nZF5sZVcmxm:24Bobv7aB0EooYEC3rUVcYm

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2980	zbhnd.exe

Loads dropped DLL 1 IoCs

pid	Process
2864	4235680f091bbca80266f80bffb290c4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2864 wrote to memory of 2980	2864	4235680f091bbca80266f80bffb290c4.exe	16
PID 2864 wrote to memory of 2980	2864	4235680f091bbca80266f80bffb290c4.exe	16
PID 2864 wrote to memory of 2980	2864	4235680f091bbca80266f80bffb290c4.exe	16
PID 2864 wrote to memory of 2980	2864	4235680f091bbca80266f80bffb290c4.exe	16

C:\Users\Admin\AppData\Local\Temp\4235680f091bbca80266f80bffb290c4.exe
"C:\Users\Admin\AppData\Local\Temp\4235680f091bbca80266f80bffb290c4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Users\Admin\AppData\Local\Temp\zbhnd.exe
  "C:\Users\Admin\AppData\Local\Temp\zbhnd.exe"
  2⤵
  - Executes dropped EXE
  PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\zbhnd.exe

Filesize
47KB

MD5
b9f246a9ad10110a93fcbab658f2a81d

SHA1
1873164bcc6a36d66b9712f43d323b0209c7cc16

SHA256
8a4e2c9fc6eb78a4a9e8c998f29f8564f5c2f5607f91bb4f942adda8a372f9fb

SHA512
037fc5b9b36c66646cb48f4acd250147ce494bb0798026541e1462568b8164a473fbdf0665903252cc53e3958b109d0ffa793d043093e408cb515580b156775f

Download Submit
memory/2864-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2864-2-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2980-9-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2980-11-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download