205052f159fd54a873b20057a83d819849e4226e605ed35fd858b425e1530efb

Analysis

max time kernel
121s
max time network
135s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
06/01/2024, 08:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

45b633683c0af041ef871ecce5edb99a.exe
Size

113KB
MD5

45b633683c0af041ef871ecce5edb99a
SHA1

278b0e5a48b62a8a17795e29427cbf35b285e90f
SHA256

205052f159fd54a873b20057a83d819849e4226e605ed35fd858b425e1530efb
SHA512

b311b3879a0f8fdc67bc723a6126b72605efd02b3790ac29daaaa4b9b5228c8a8442a42d27f1046e4d2fdb4999f6c847e7fab55b029a353e1b9e816c1e58820d
SSDEEP

1536:Vxlq6tcvm03Nzdwem6ePkQ46PRnxiYpakGWRWnXjZhNOyiq1NuyG+Ib+e:VVtcv33Rm6ebJRx/VGWYXlhUMVG9

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3032	tt.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\tt.exe	45b633683c0af041ef871ecce5edb99a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2460	45b633683c0af041ef871ecce5edb99a.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2460 wrote to memory of 3032	2460	45b633683c0af041ef871ecce5edb99a.exe	28
PID 2460 wrote to memory of 3032	2460	45b633683c0af041ef871ecce5edb99a.exe	28
PID 2460 wrote to memory of 3032	2460	45b633683c0af041ef871ecce5edb99a.exe	28
PID 2460 wrote to memory of 3032	2460	45b633683c0af041ef871ecce5edb99a.exe	28

C:\Users\Admin\AppData\Local\Temp\45b633683c0af041ef871ecce5edb99a.exe
"C:\Users\Admin\AppData\Local\Temp\45b633683c0af041ef871ecce5edb99a.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Windows\tt.exe
  "C:\Windows\tt.exe"
  2⤵
  - Executes dropped EXE
  PID:3032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\tt.exe

Filesize
99KB

MD5
615c497fc732f9fe4083096f8e1a0d41

SHA1
16916f3604c9840e13603b37532c6fe1092169e1

SHA256
81cb9d5656ed9c28f97f26f666e05740168869bc6bd72b38b13cac0269a7042c

SHA512
7075162acc347afca22072eee084677057502e5ae6fa0c899f0e8ed2dff25c42cf2d6c29b8521d231df0ee46f38a92e21d32e80dd98b7c7f2283f3b82bd2980e

Download Submit
memory/2460-1-0x0000000000400000-0x000000000041E200-memory.dmp

Filesize
120KB

Download
memory/2460-8-0x0000000002660000-0x0000000002694000-memory.dmp

Filesize
208KB

Download
memory/2460-10-0x0000000002660000-0x0000000002694000-memory.dmp

Filesize
208KB

Download
memory/3032-9-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download