fed3a42c853446a04f1a3d3cfc4755b1bd83ba6f21815cea734f74e43c4b948a

Analysis

max time kernel
5s
max time network
123s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
08/01/2024, 02:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

473fed5f812be8a150ac26835833c182.exe
Size

762KB
MD5

473fed5f812be8a150ac26835833c182
SHA1

d03245f845bc8ec3d8321c0ef1660f4e24d3ae5c
SHA256

fed3a42c853446a04f1a3d3cfc4755b1bd83ba6f21815cea734f74e43c4b948a
SHA512

168e9430043dc021b168736cb27f185609c1614a0f148869288f803f1cb9ef5dee6ce0c255523edbf83128afb5c82e5baa3499813ccbdee3e15dd3e243f4b28c
SSDEEP

12288:ftobirltpeTtNXmLFhppAEDlPRCdc5XY/ouP9Tk284UhzSX65rdAmawrm29fPTnN:ftDltItNW7pjDlpt5XY/2TkXKza/29R

Score

4^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2880	internal473fed5f812be8a150ac26835833c182.exe

Loads dropped DLL 1 IoCs

pid	Process
3044	473fed5f812be8a150ac26835833c182.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3040	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2880	internal473fed5f812be8a150ac26835833c182.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2880	internal473fed5f812be8a150ac26835833c182.exe
2880	internal473fed5f812be8a150ac26835833c182.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 2880	3044	473fed5f812be8a150ac26835833c182.exe	28
PID 3044 wrote to memory of 2880	3044	473fed5f812be8a150ac26835833c182.exe	28
PID 3044 wrote to memory of 2880	3044	473fed5f812be8a150ac26835833c182.exe	28
PID 3044 wrote to memory of 2880	3044	473fed5f812be8a150ac26835833c182.exe	28
PID 3044 wrote to memory of 2880	3044	473fed5f812be8a150ac26835833c182.exe	28
PID 3044 wrote to memory of 2880	3044	473fed5f812be8a150ac26835833c182.exe	28
PID 3044 wrote to memory of 2880	3044	473fed5f812be8a150ac26835833c182.exe	28

C:\Users\Admin\AppData\Local\Temp\473fed5f812be8a150ac26835833c182.exe
"C:\Users\Admin\AppData\Local\Temp\473fed5f812be8a150ac26835833c182.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Users\Admin\AppData\Local\Temp\nsd82D.tmp\internal473fed5f812be8a150ac26835833c182.exe
  C:\Users\Admin\AppData\Local\Temp\nsd82D.tmp\internal473fed5f812be8a150ac26835833c182.exe C:/Users/Admin/AppData/Local/Temp/nsd82D.tmp /baseInstaller='C:/Users/Admin/AppData/Local/Temp/473fed5f812be8a150ac26835833c182.exe' /fallbackfolder='C:/Users/Admin/AppData/Local/Temp/nsd82D.tmp/fallbackfiles/'
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2880
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\11430.bat" "C:\Users\Admin\AppData\Local\Temp\37A30A5DDAC14C5BA22D642DB1EDFE0C\""
    3⤵
    PID:3004

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 1000
1⤵
- Runs ping.exe
PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3470981204-343661084-3367201002-1000\$IGF237W

Filesize
544B

MD5
acf62943634c893c75fb5388c021da45

SHA1
74842cfe4dfa16bb1ebc07c4df97bfcc1196e376

SHA256
6a73a61f3c67ed0e6406bfe7030dc51d1a9d50177c1dbca76ded89c050df0966

SHA512
01cf3145f7c30b69bfa5c2d349268d73277a82c527a6215fa600b606c984c87506ae7320118fcfe685d9c141164707166e7cb11eb3348a17d91a0e99c2149e4a

Download Submit
C:\$Recycle.Bin\S-1-5-21-3470981204-343661084-3367201002-1000\$IWWTFGY

Filesize
544B

MD5
22d258092aba7a66bf989bbbfab61b8f

SHA1
44ad68e9aa13b2fff4cc3e26a2120b12d0507810

SHA256
ae91298379ce6aff0ed9c043c39b565303cad7b5d8f7f6a6588a2ffc100fcb94

SHA512
a1e6503a32e203e2212ed86cbc9f947acbfae30c92d4531ecad7796e1acefe67e2e09415504284017f9a5e1551dfd0677a1c923c0cbe2f7c7a44e00c8243912c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\11430.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\37A30A5DDAC14C5BA22D642DB1EDFE0C\37A30A5DDAC14C5BA22D642DB1EDFE0C_LogFile.txt

Filesize
867B

MD5
21221fabca90aab08dd5a41b44aaf9f2

SHA1
69dd195f4fe6576e4d010f587b9b23d510b50bea

SHA256
cfa3e198cf572a942458a5d3ddce21b29813184867b92a9b22825ef2abe3bece

SHA512
b59336f45dee7faa990590cecff7d0d5199b09f7170bc62a17e2128bc74e6df4b74d9fd3401c0cdb10ffb23f196980222f97b4720394af3afb43b9dff8a512ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\37A30A5DDAC14C5BA22D642DB1EDFE0C\37A30A5DDAC14C5BA22D642DB1EDFE0C_LogFile.txt

Filesize
3KB

MD5
ed7ccb48c6b9b8e0acdb617d0411704d

SHA1
cb893711c216ada955a9ec41b4128325598352b1

SHA256
325570db442ef10fb3764e4b62b9311c044b63f772341be5d404ee64115f6f87

SHA512
85af55d0cfd7401bf662725a9d027759018cb9cf70af4bf6e8a4788e8ca832897f141244d4726a1ad0f0b4c4b9f94756a058aa9254d882239ed91123db18e6b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\37A30A5DDAC14C5BA22D642DB1EDFE0C\37A30A5DDAC14C5BA22D642DB1EDFE0C_LogFile.txt

Filesize
4KB

MD5
318d53abf0928d02beeba73d6d7c71ae

SHA1
1c201d731736271824d6264c7de6db30b58e9742

SHA256
f624cca264499870f579abb1402336dd16ee168aaf06dd51fcc1f32326e78506

SHA512
ffcf60a209a5ae7a2fc3407691eaf016c9bb9bcf9c0143af9a1502a0eb3e043cd6bbb0d010965f090622f04c74d45fcf3cb1cf41f8dc999712139947b77f446e

Download Submit
C:\Users\Admin\AppData\Local\Temp\37A30A5DDAC14C5BA22D642DB1EDFE0C\37A30A5DDAC14C5BA22D642DB1EDFE0C_LogFile.txt

Filesize
5KB

MD5
eed522f0d2f17822d477d860c632fdb8

SHA1
0d1b1e8a0f191a7a995011d86d562fb2808c6c4d

SHA256
3d96ff1be828c0f7f02d99c87804cc42905714013c2e2a7bd16b7195205830d7

SHA512
426307e3ca5efda44c08ef204626d265e482430b40ab445419565eb0a42e7bffb0a3f8fc830fe224ca92abb92288fe494731b6c858adbc61eb13fa8a580093a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\37A30A5DDAC14C5BA22D642DB1EDFE0C\37A30A~1.TXT

Filesize
24KB

MD5
0115a1eb66b8a1a53b247a9839f3e01d

SHA1
985bff570ac327ebf85125e4a0d537c975409289

SHA256
b6ca1542123cd903846bd4d19e8f4a06fc8fc88a232b5f5cabb06a0db4e2ce46

SHA512
3facbd2f6d034f43621eba92b66120756fdc7ea83aa78eddabfad26190c9a74748cd75a10ecc8c7bb397ac4d96013f22035df96421bc7acba95aa0d270e2cf79

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1E9D.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd82D.tmp\internal473fed5f812be8a150ac26835833c182.exe

Filesize
1.3MB

MD5
59b72bdc90b5c4212193bbf70364055f

SHA1
e585f0e279b5343f0ef219a3fa2fd381ccd66a85

SHA256
81ca25651ab1daca95b9f47c9b3278a5dd6f5e5d01f9b35c9e4c627fcf082be4

SHA512
60364440cf6a0f17df87fae67619da8638222810eee472abd4c80a9a360d282b1b1bcb52d8ec525dde389a02865e570c61ea33149c9581d4c4c779b57b9fa8cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd82D.tmp\internal473fed5f812be8a150ac26835833c182.exe

Filesize
1.1MB

MD5
6551416ffd313eaf56508454fd559448

SHA1
46f260f463d98b8bd5c15efb2a16b4bb9b60a7c2

SHA256
c2032df8fcd0873fff256a7a74076114f1a34eb8355fd1c2413162bf7926d24b

SHA512
1865534e08d4571e0062c488f082d7bf05ad635c7760f25b3901163dfb5c4eb7abc72217466b9ba6a41301edf5cac89a4554a01816164170a6ae2c38d488082f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd82D.tmp\internal473fed5f812be8a150ac26835833c182_icon.ico

Filesize
31KB

MD5
1f047e870359e4ef7097acefe2043f20

SHA1
82ab7362f9c066473b2643e6cd4201ccbf0bb586

SHA256
f8aa104cfb7abbceac412d4906ce10f5cf576dd4eb9a525103946d692c55734e

SHA512
e4e779676d19d84507250adcffcd9cba99c1666f7678f832c03e41f5f264d16a43ae924d8e29e783d84b2742be1a45803aec99a36b9a3784c4f2d6edd297e286

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd82D.tmp\internal473fed5f812be8a150ac26835833c182_splash.png

Filesize
65KB

MD5
ef1514e5d2bcf830b39858f0736d7de7

SHA1
832214b62cb3e56f858a876fc3f09cb3c3324cbb

SHA256
c61599b0e0207ac5f7db1551e96818ec4abcbf77def4afe00fb2bbccc2ca6bb1

SHA512
cf547ad17ca774bb18c3931625eb3c7b6fe208af433332efa11653605f346d5449289739dbce66aef1c50fb134966419defcb02fd5bb206f8a2211f0e4b0e45d

Download Submit
\Users\Admin\AppData\Local\Temp\nsd82D.tmp\internal473fed5f812be8a150ac26835833c182.exe

Filesize
1.7MB

MD5
d4c16982f8a834bc0f8028b45c3ae543

SHA1
9d9cec9af8f23a23521e20d48d9af1024663a4a7

SHA256
932badf8ce27381bd595c9d861d7f7142fe98f233a893a2003a5f5e5ec163b3b

SHA512
c94b8d978afac107c08a5405cf9510e48d4bcf1284292eee1d08898f1c7a43a83a9655dc4d85d27d3b825e45a8f136c7beb71405fab94bb5e2437b7c4ad44b5c

Download Submit
memory/2880-77-0x0000000000490000-0x0000000000491000-memory.dmp

Filesize
4KB

Download
memory/3044-248-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3044-336-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download