3bfe817d5b9a693acf40ec5c40feb68978f5f1da62e0fa9bf925969321639f03

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
07/01/2024, 04:24

Target

4805713c74d598db83684b48108a3026.exe
Size

902KB
MD5

4805713c74d598db83684b48108a3026
SHA1

55201fbc36f43ab4fefe2a23d9383705236ee6cb
SHA256

3bfe817d5b9a693acf40ec5c40feb68978f5f1da62e0fa9bf925969321639f03
SHA512

c90ff96cf3dfe162eb675612b849c524c3c3ec30223582a14cec69312435609e86a51d27589d04bc6c6e52983443929cc7a302f45bd88bdb830cce6be835de86
SSDEEP

12288:HaWzgMg7v3qnCiMErQohh0F4CCJ8lny/QK6Kyz0VH4vkEKQj3+:6aHMv6Corjqny/QK6Kyz0K8ENjO

Score

5^/10

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4644 set thread context of 4848	4644	4805713c74d598db83684b48108a3026.exe	88

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

Suspicious use of FindShellTrayWindow 3 IoCs

Suspicious use of SendNotifyMessage 3 IoCs

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4644 wrote to memory of 4848	4644	4805713c74d598db83684b48108a3026.exe	88
PID 4644 wrote to memory of 4848	4644	4805713c74d598db83684b48108a3026.exe	88
PID 4644 wrote to memory of 4848	4644	4805713c74d598db83684b48108a3026.exe	88
PID 4644 wrote to memory of 4848	4644	4805713c74d598db83684b48108a3026.exe	88
PID 4644 wrote to memory of 4848	4644	4805713c74d598db83684b48108a3026.exe	88
PID 4644 wrote to memory of 4848	4644	4805713c74d598db83684b48108a3026.exe	88

C:\Users\Admin\AppData\Local\Temp\4805713c74d598db83684b48108a3026.exe
"C:\Users\Admin\AppData\Local\Temp\4805713c74d598db83684b48108a3026.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4644
- C:\Users\Admin\AppData\Local\Temp\4805713c74d598db83684b48108a3026.exe
  "C:\Users\Admin\AppData\Local\Temp\4805713c74d598db83684b48108a3026.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4848

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/3448-5-0x00000000FFFF0000-0x00000000FFFF7000-memory.dmp

Filesize
28KB

Download
memory/4848-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4848-3-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4848-2-0x0000000000400000-0x0000000000408960-memory.dmp

Filesize
34KB

Download
memory/4848-4-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4848-6-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/4848-8-0x0000000000400000-0x0000000000408960-memory.dmp

Filesize
34KB

Download