Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 08/01/2024, 03:40
Static task: static1
  1 signatures
Behavioral task: behavioral1
  Sample: 4a576229508cc4de24c7d206662a50ec.exe
  Resource: win7-20231215-en
  5 signatures
  150 seconds
Behavioral task: behavioral2
  Sample: 4a576229508cc4de24c7d206662a50ec.exe
  Resource: win10v2004-20231215-en
  5 signatures
  150 seconds
General
Target: 4a576229508cc4de24c7d206662a50ec.exe
Size: 107KB
MD5: 4a576229508cc4de24c7d206662a50ec
SHA1: cd6304a914720f473c9a87f20e2062805e26e614
SHA256: d511989fa3f11bf8e3516fd48be81a6bd50359dce2a3677945d5f90b17776895
SHA512: 3f952e6bb83bd4077d9e0affe6df25ec0928ecbcd906bc90a178a61904ef16bc1128961f27dde4b40028fe9661a85cd6c423c8d3033404134f9adb8b3ab77dbd
SSDEEP: 3072:eVGJwcYEQn1VeCjRjgPijntfnCfJ2u4CyiHsi2f:b1Yzn5jxgIntfnCR2u4GNG
Score: 7/10
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  pid: 2328; Process: 8aff65ff.exe
- Loads dropped DLL (2 IoCs)
  pid: 1732; Process: 4a576229508cc4de24c7d206662a50ec.exe
  pid: 1732; Process: 4a576229508cc4de24c7d206662a50ec.exe
- Drops file in System32 directory (2 IoCs)
  description: File created; ioc: C:\Windows\SysWOW64\20b444a7.dll; Process: 4a576229508cc4de24c7d206662a50ec.exe
  description: File opened for modification; ioc: C:\Windows\SysWOW64\20b444a7.dll; Process: 4a576229508cc4de24c7d206662a50ec.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (4 IoCs)
  description: PID 1732 wrote to memory of 2328; pid: 1732; Process: 4a576229508cc4de24c7d206662a50ec.exe; procid_target: 17
  description: PID 1732 wrote to memory of 2328; pid: 1732; Process: 4a576229508cc4de24c7d206662a50ec.exe; procid_target: 17
  description: PID 1732 wrote to memory of 2328; pid: 1732; Process: 4a576229508cc4de24c7d206662a50ec.exe; procid_target: 17
  description: PID 1732 wrote to memory of 2328; pid: 1732; Process: 4a576229508cc4de24c7d206662a50ec.exe; procid_target: 17
Processes
1. C:\Users\Admin\AppData\Local\Temp\4a576229508cc4de24c7d206662a50ec.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\4a576229508cc4de24c7d206662a50ec.exe"
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
   PID: 1732
   2. C:\Users\Admin\AppData\Local\Temp\8aff65ff.exe (child of PID 1732)
      Command line: "C:\Users\Admin\AppData\Local\Temp\8aff65ff.exe"
      - Executes dropped EXE
      PID: 2328