2cbff160c349591d1cdde538f3c72676fc37a2978796169b3b46a70b5b092edc

Analysis

max time kernel
142s
max time network
117s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
09-01-2024 04:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d661da907ee8b193355994dc6d993da.exe
Size

801KB
MD5

4d661da907ee8b193355994dc6d993da
SHA1

ec303750b7f8c12c50b3c09e9e25432236aaac39
SHA256

2cbff160c349591d1cdde538f3c72676fc37a2978796169b3b46a70b5b092edc
SHA512

c68ab5cdf2e25ce58137a0ea5aeffc5ffe92d7d7159e02a4ca056316ab942cbee84666d689b3a820db8a8190fe5b7fb38e32d4056371cf3aa18a128b9a2213ac
SSDEEP

24576:XX47adsXGgIxSTVJkDJvSV6gh8yOZ0blPRA:XX4WdsXGgoSXkDI8gB5ZPRA

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2312	A3E.tmp
2056	4d661da907ee8b193355994dc6d993da.exe

Loads dropped DLL 2 IoCs

pid	Process
2896	4d661da907ee8b193355994dc6d993da.exe
2312	A3E.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2312	A3E.tmp

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2056	4d661da907ee8b193355994dc6d993da.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 2312	2896	4d661da907ee8b193355994dc6d993da.exe	14
PID 2896 wrote to memory of 2312	2896	4d661da907ee8b193355994dc6d993da.exe	14
PID 2896 wrote to memory of 2312	2896	4d661da907ee8b193355994dc6d993da.exe	14
PID 2896 wrote to memory of 2312	2896	4d661da907ee8b193355994dc6d993da.exe	14
PID 2312 wrote to memory of 2056	2312	A3E.tmp	29
PID 2312 wrote to memory of 2056	2312	A3E.tmp	29
PID 2312 wrote to memory of 2056	2312	A3E.tmp	29
PID 2312 wrote to memory of 2056	2312	A3E.tmp	29

C:\Users\Admin\AppData\Local\Temp\A3E.tmp
"C:\Users\Admin\AppData\Local\Temp\A3E.tmp" --helpC:\Users\Admin\AppData\Local\Temp\4d661da907ee8b193355994dc6d993da.exe 0EFB780A6D09CC425344E562567AB3B67A1C92A9FC2A9B6AB11A68B22F045E0CF2AE3C5D26C396C1D5B7133A6DECEAE66BDDD79C453B45B6C4140FF44E7529C1
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Users\Admin\AppData\Local\Temp\4d661da907ee8b193355994dc6d993da.exe
  "C:\Users\Admin\AppData\Local\Temp\4d661da907ee8b193355994dc6d993da.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2056

C:\Users\Admin\AppData\Local\Temp\4d661da907ee8b193355994dc6d993da.exe
"C:\Users\Admin\AppData\Local\Temp\4d661da907ee8b193355994dc6d993da.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4d661da907ee8b193355994dc6d993da.exe

Filesize
1KB

MD5
1edd0495a1d5574c6b722a8d0562654a

SHA1
e964ca43c8a0de7075e6eef1c964725af2779075

SHA256
91809c1d08ea1aa9f5f2792901e2115d0eaa5026c026a02d2dae1ee4593e6ed4

SHA512
fb96086f6ab4cf936f153fab2ced24ba53af4e9eaa62ca68e7324b61c5f5da877f44762a877a02f6ee16201dc10d6321fbdb83a4deaebfdfba0946e0689f5690

Download Submit
C:\Users\Admin\AppData\Local\Temp\A3E.tmp

Filesize
26KB

MD5
b76c47f811a9a95c2f9055d25eb09e69

SHA1
31beba8c27d3e73803c02ec4f7f2c1b16ec2e76e

SHA256
48fae7f2da1980622df12680b34de154ec6d2147d84b333e69f4f7692b277587

SHA512
d1026610f31469637cec8fa157c1db1d182adcadc933d562270d643ca9b55a2ae92ee0280eaba8d1772f1c424d32da2569fb48e1b02fb354529731d82487c54c

Download Submit
\Users\Admin\AppData\Local\Temp\A3E.tmp

Filesize
11KB

MD5
c282474dabd727af6ebe7829943bf397

SHA1
6284bd076fc34eaa798f0ca1ab29a71c2e1923b2

SHA256
ecc11bf24955e53737a4f7f976f1016f4402bc7421cafbd0d7815a5198009de9

SHA512
306698b89ff6e215ebbdca85962eecc7673fd85451b75401c1fcdb75d4cc8ae64c579d62ecfa4137b6828afe7f75db42f0f0156d230478a9e8e512685513e4ac

Download Submit
memory/2056-15-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2056-14-0x0000000000230000-0x0000000000232000-memory.dmp

Filesize
8KB

Download
memory/2056-13-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2056-16-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2056-18-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2312-12-0x0000000002ED0000-0x0000000003007000-memory.dmp

Filesize
1.2MB

Download