3f6143b8a806a1839aa264f750403aef8c48158b88d706b5933af94abaa8fe68

Analysis

max time kernel
2s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04/01/2024, 02:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3fb06986b447a609dfdf2e310061fbea.exe
Size

2.0MB
MD5

3fb06986b447a609dfdf2e310061fbea
SHA1

96ea2d46158b5ecde556decc21ea5dfe1a58a4a4
SHA256

3f6143b8a806a1839aa264f750403aef8c48158b88d706b5933af94abaa8fe68
SHA512

c4caa69aac5b7ac08715ca3f71afa1bfb0f2b2facd904315c3154cf5265cb6754889898cf88eb6902880265bba80ae27d55854155988129ee71f841ff4a0f465
SSDEEP

49152:OFUcx88PWPOpX0SF1f9/JhJ+FFx3xB65WWLXHHNHACQyGc:O+K88uPCHXf9/Jh4l3xB693ZkyGc

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2728	A4D.tmp

Loads dropped DLL 1 IoCs

pid	Process
2168	3fb06986b447a609dfdf2e310061fbea.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2728	A4D.tmp

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 2728	2168	3fb06986b447a609dfdf2e310061fbea.exe	19
PID 2168 wrote to memory of 2728	2168	3fb06986b447a609dfdf2e310061fbea.exe	19
PID 2168 wrote to memory of 2728	2168	3fb06986b447a609dfdf2e310061fbea.exe	19
PID 2168 wrote to memory of 2728	2168	3fb06986b447a609dfdf2e310061fbea.exe	19
PID 2728 wrote to memory of 2672	2728	A4D.tmp	30
PID 2728 wrote to memory of 2672	2728	A4D.tmp	30
PID 2728 wrote to memory of 2672	2728	A4D.tmp	30
PID 2728 wrote to memory of 2672	2728	A4D.tmp	30

C:\Users\Admin\AppData\Local\Temp\3fb06986b447a609dfdf2e310061fbea.exe
"C:\Users\Admin\AppData\Local\Temp\3fb06986b447a609dfdf2e310061fbea.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Users\Admin\AppData\Local\Temp\A4D.tmp
  "C:\Users\Admin\AppData\Local\Temp\A4D.tmp" --splashC:\Users\Admin\AppData\Local\Temp\3fb06986b447a609dfdf2e310061fbea.exe EB0BDFC52863A33D891D777D39613CC2B3208160960216BF989C71F4BA8BEC9E9283DF484CE974E3DA9273B6E5011AD1F29D3AA29B09AED9AF09FF65AEDF0A45
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\3fb06986b447a609dfdf2e310061fbea.docx"
    3⤵
    PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\A4D.tmp

Filesize
95KB

MD5
cc3ec6d38fa9f93327b9667f8eab91d9

SHA1
1cef4045749f60a6b7ed8f20180bc9783f5a2155

SHA256
80d7cebf6bcb2011f438d94fbf5a776893dbcb0ed16a579dbbd5cb67ad1eb419

SHA512
645e72c1223e29ca0e6475d33933417c6bae5752d3a15e5aff89f698e295b25b3e160049e144c940caab03596e7e2222b204199a23b479caafeac4dec2b3db91

Download Submit
memory/2168-0-0x0000000000400000-0x0000000000606000-memory.dmp

Filesize
2.0MB

Download
memory/2672-9-0x000000002F511000-0x000000002F512000-memory.dmp

Filesize
4KB

Download
memory/2672-10-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2672-11-0x0000000070B7D000-0x0000000070B88000-memory.dmp

Filesize
44KB

Download
memory/2728-6-0x0000000000400000-0x0000000000606000-memory.dmp

Filesize
2.0MB

Download