572767e79d227a3f6b3cd6cc3bed4e036f140c2ccccb7961775aef89628eb294

Analysis

max time kernel
151s
max time network
163s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
05/01/2024, 08:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

433f00f3adb72bc1728dab9a85d00464.exe
Size

20KB
MD5

433f00f3adb72bc1728dab9a85d00464
SHA1

065b058903ee390215c0ed0e049f5c24f4e503d7
SHA256

572767e79d227a3f6b3cd6cc3bed4e036f140c2ccccb7961775aef89628eb294
SHA512

c7de2ede8e997917534b3b7dfa8539f59d1944151ff8280865bbacdb016cbede1a86c4391a1324e3df2f6796c43805d484fd732a84b992027d7ec2cdbefacd4d
SSDEEP

384:+DlIx/ItWvRlvoIYv1ZcXhJRAiWrKTOtVt3secb9KivXDhDxOlnfWjvOeo:+DlIx7TQIYv1ZcXXRAiWcOtD3secZKie

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2296	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\videoPl.chl\CLSID	433f00f3adb72bc1728dab9a85d00464.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\videoPl.chl	433f00f3adb72bc1728dab9a85d00464.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\videoPl.chl\CLSID\ = "{6BF52A52-394A-11D3-B153-00C04F79FAA6}"	433f00f3adb72bc1728dab9a85d00464.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 2864	2736	433f00f3adb72bc1728dab9a85d00464.exe	27
PID 2736 wrote to memory of 2864	2736	433f00f3adb72bc1728dab9a85d00464.exe	27
PID 2736 wrote to memory of 2864	2736	433f00f3adb72bc1728dab9a85d00464.exe	27
PID 2736 wrote to memory of 2864	2736	433f00f3adb72bc1728dab9a85d00464.exe	27
PID 2736 wrote to memory of 2296	2736	433f00f3adb72bc1728dab9a85d00464.exe	32
PID 2736 wrote to memory of 2296	2736	433f00f3adb72bc1728dab9a85d00464.exe	32
PID 2736 wrote to memory of 2296	2736	433f00f3adb72bc1728dab9a85d00464.exe	32
PID 2736 wrote to memory of 2296	2736	433f00f3adb72bc1728dab9a85d00464.exe	32

C:\Users\Admin\AppData\Local\Temp\433f00f3adb72bc1728dab9a85d00464.exe
"C:\Users\Admin\AppData\Local\Temp\433f00f3adb72bc1728dab9a85d00464.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Windows\SysWOW64\ctfmon.exe
  ctfmon.exe
  2⤵
  PID:2864
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\awer0.bat" "
  2⤵
  - Deletes itself
  PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\awer0.bat

Filesize
274B

MD5
f007417b3f2c3ea2790766c125471e09

SHA1
6c534cd95ba8ce18c19507d08990d18a1a49aa1a

SHA256
e20ca29bf3b889dbf5f865190f396c06668a33eb8a4ce8af6ed7dc1813c9110c

SHA512
2796a663f89515afc7e9c482c38862d56c3a7958436cd8928bfb9a6a9dcba599ea5401def70ae60140d170e1ef34f4056664b9935490147372eb946a23bfa605

Download Submit