404f251747bd266402a87c4070a1795380cb28c3304b476ddace5be3aed64617

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
15-01-2024 02:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

598010142c07fa2355dc2c8a0b747fae.exe
Size

535KB
MD5

598010142c07fa2355dc2c8a0b747fae
SHA1

45b66add33a02e81e0b911b4098bfd5ec6d2b795
SHA256

404f251747bd266402a87c4070a1795380cb28c3304b476ddace5be3aed64617
SHA512

f96370597721be85c397871fea242f2ff1b414578dc90393e2bc163f6805aa229228ec7891895010b106c0638eb4d101d00ad8252c184e5de94a3e016e560d6b
SSDEEP

12288:si4g+yU+0pAiv+nzWBYbhcK2qVpZoRt3UIVlzTWXZirTFxUlvjosTdcG93Dn:si4gXn0pD+CBihNZTmR6slzT60UlvjRZ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2908	82B.tmp
1760	598010142c07fa2355dc2c8a0b747fae.exe

Loads dropped DLL 2 IoCs

pid	Process
3040	598010142c07fa2355dc2c8a0b747fae.exe
2908	82B.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2908	82B.tmp

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 2908	3040	598010142c07fa2355dc2c8a0b747fae.exe	28
PID 3040 wrote to memory of 2908	3040	598010142c07fa2355dc2c8a0b747fae.exe	28
PID 3040 wrote to memory of 2908	3040	598010142c07fa2355dc2c8a0b747fae.exe	28
PID 3040 wrote to memory of 2908	3040	598010142c07fa2355dc2c8a0b747fae.exe	28
PID 2908 wrote to memory of 1760	2908	82B.tmp	29
PID 2908 wrote to memory of 1760	2908	82B.tmp	29
PID 2908 wrote to memory of 1760	2908	82B.tmp	29
PID 2908 wrote to memory of 1760	2908	82B.tmp	29

C:\Users\Admin\AppData\Local\Temp\598010142c07fa2355dc2c8a0b747fae.exe
"C:\Users\Admin\AppData\Local\Temp\598010142c07fa2355dc2c8a0b747fae.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Users\Admin\AppData\Local\Temp\82B.tmp
  "C:\Users\Admin\AppData\Local\Temp\82B.tmp" --helpC:\Users\Admin\AppData\Local\Temp\598010142c07fa2355dc2c8a0b747fae.exe F69B77A2EB03E9B584F52A51AE930803D288FF2C1985F75552C583A1D84872042F0981B2381FAF5D54D70B1ACE5DECA70E368EA57880B2E0451E90A9C06A6BC8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2908
- - C:\Users\Admin\AppData\Local\Temp\598010142c07fa2355dc2c8a0b747fae.exe
    "C:\Users\Admin\AppData\Local\Temp\598010142c07fa2355dc2c8a0b747fae.exe"
    3⤵
    - Executes dropped EXE
    PID:1760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\598010142c07fa2355dc2c8a0b747fae.exe

Filesize
255KB

MD5
b7fd76103054f562a11ce616d50a0611

SHA1
7473656e5a33b9ecc401985f917f65054bcbd16c

SHA256
aba5c0bff0442597ff8743b4fe7d28de945b78be01eb88fc4a95cadd1fbee409

SHA512
2a2996476dbfdcd50c39c08dc91a179eff4f016013707c9c0972c6e7a0e179b9da4fcff5e2d4d4883a31312bfefdb9a88d1490e1baaa4728a516c5c7f7bdfbd2

Download Submit
\Users\Admin\AppData\Local\Temp\82B.tmp

Filesize
535KB

MD5
19ff7433f0f7b1e8ff1a1f9156c18f22

SHA1
1ffca627c4d7a5d7d3af7d916aab189bf5d191c8

SHA256
701dd6e6ac4f14a30c610e91addd640d62f587039c728790a936f1aed3c578a0

SHA512
48d3c2bda2a9b30962f331b605ad5adbcf160cf8a2bc3c89f7bf61f9fd4a8bf758462ca2b5d82c387d41926b7f4f10544ac2445dfeeda8de0275b0d95b88205d

Download Submit