a6a5fed28624a737160b463cd57e4423316239f8c89a33a4e1164a27ef2e5b21

Analysis

max time kernel
141s
max time network
131s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
10/01/2024, 12:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

508d653e1dc1e953dacc1796da64fc46.exe
Size

575KB
MD5

508d653e1dc1e953dacc1796da64fc46
SHA1

ad79da6da3e640ae041c23ef236f541d393a6974
SHA256

a6a5fed28624a737160b463cd57e4423316239f8c89a33a4e1164a27ef2e5b21
SHA512

1fd7d4e9681038376805fea399dcc8bdf48fe04cc0a8a0606f1af7145241a1d4a9baddd37a265a6a12a8763a0e60f580a3d5d9604a4201e859cd2c8dd282b6c9
SSDEEP

12288:gkxIwYQWP5DKwpoAH2q0hVM9cdQ5H/W4oqI:jx2VKw+AH2q0hVM9BfWuI

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1768	wvbgxfd.exe

Loads dropped DLL 2 IoCs

pid	Process
2864	508d653e1dc1e953dacc1796da64fc46.exe
2864	508d653e1dc1e953dacc1796da64fc46.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2864 wrote to memory of 1768	2864	508d653e1dc1e953dacc1796da64fc46.exe	28
PID 2864 wrote to memory of 1768	2864	508d653e1dc1e953dacc1796da64fc46.exe	28
PID 2864 wrote to memory of 1768	2864	508d653e1dc1e953dacc1796da64fc46.exe	28
PID 2864 wrote to memory of 1768	2864	508d653e1dc1e953dacc1796da64fc46.exe	28

C:\Users\Admin\AppData\Local\Temp\508d653e1dc1e953dacc1796da64fc46.exe
"C:\Users\Admin\AppData\Local\Temp\508d653e1dc1e953dacc1796da64fc46.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2864
- C:\exp\wvbgxfd.exe
  "C:\exp\wvbgxfd.exe"
  2⤵
  - Executes dropped EXE
  PID:1768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\exp\wvbgxfd.exe

Filesize
341KB

MD5
efbb8eea377fdb7c97e53e802c06da4d

SHA1
1b1d5202ac139ae8ade304126713abe2eee1f7f0

SHA256
20de0545130d463271d3301b64b6f2c46e3fd2be73721e3ac6fc0fe38e73e8f6

SHA512
ad227c0f62cd172a587e464b1fe21f0759ea71970eed37a8748cfb573d9af0c2deb56605641bf04b59e5d0b1834ddad4dbd45ac9a246f23ac01408e64ba35062

Download Submit
C:\exp\wvbgxfd.exe

Filesize
295KB

MD5
9f1286299182f999acd948a5f5ca9b69

SHA1
7b12864c532ac75a7449bebf0034f05fbaa62dec

SHA256
7c82771dbaffa2bbb271bc95c72ad4bdc42403de50378b0bf32711e568f58ebc

SHA512
bcadaf446ec170460705cd6c3939db5d1772aa09d651b1e7c83e0583df9a782907cdd6ede3bb4d326ffa87a4367093573264cbc51583c0d9f5539c94ddfac777

Download Submit
\exp\wvbgxfd.exe

Filesize
436KB

MD5
93d014051fbe73bd85b0d2fc3df30a9a

SHA1
333e5e2eff381776aef06c79929242f5ebd0f0a5

SHA256
03bdc587a22193f8a7a347cc9d26f8599a458371feae97793d2bbb73f8c761a6

SHA512
ebc66022ecce4f0b57f858eafe9756b17408e1cb1ddc84be72fa3966d2e627abb2bab446a1aa775781804cdda9f59e84d96f7a859c527185363226169f5fe85f

Download Submit
\exp\wvbgxfd.exe

Filesize
278KB

MD5
7e2951e59609fb2d2b79657e89db8587

SHA1
9130fc8f64ac500ee1c4520b4fbfdd94bde1d0fc

SHA256
3751e5c740cd1ea95abfdaa125093bbc559dcc5252bcc6854efdd050cf891da0

SHA512
63cbd8aa2be98bd51a1b209ccb46149d367a092c2efae15f6748f9b03523c40dd371a28c99eea1551740d5c309159abf3d6371d68d43d074aa3f8550a8d0c04f

Download Submit
memory/1768-14-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2864-13-0x0000000002BA0000-0x0000000002BA1000-memory.dmp

Filesize
4KB

Download