7a6963b72f4b0d70dfb98f2b4453fb4776e6a511bc98b2d620512dea9f1444b7

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
19/01/2024, 12:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

67a67fe670bd503852c122658d13225a.exe
Size

4KB
MD5

67a67fe670bd503852c122658d13225a
SHA1

b6b9c3f4ac9bfe01bc04c0c6310621f722ad2aea
SHA256

7a6963b72f4b0d70dfb98f2b4453fb4776e6a511bc98b2d620512dea9f1444b7
SHA512

953c9b03e846dc73d087a433019d7c4849bd25445b99ef5c2cfa309fa0bb3fbcba42d05dc90ece9fa33411b88bcce8e86523af0ccb0ef7330ad7af0d80c21ea8
SSDEEP

24:nbB4nHFXBmQ0xw3dR4UcktlLBCPUlKAQ/m8Tm6DKuhV1iQ/mCL1Fq0GV0GsZVS:nN4nOjwtREOKAQ/m5KKuhuQ/mF0GVk8

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2320	hello world.exe
2780	HELLO.EXE

Loads dropped DLL 4 IoCs

pid	Process
2340	67a67fe670bd503852c122658d13225a.exe
2340	67a67fe670bd503852c122658d13225a.exe
2340	67a67fe670bd503852c122658d13225a.exe
2340	67a67fe670bd503852c122658d13225a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 2320	2340	67a67fe670bd503852c122658d13225a.exe	28
PID 2340 wrote to memory of 2320	2340	67a67fe670bd503852c122658d13225a.exe	28
PID 2340 wrote to memory of 2320	2340	67a67fe670bd503852c122658d13225a.exe	28
PID 2340 wrote to memory of 2320	2340	67a67fe670bd503852c122658d13225a.exe	28
PID 2340 wrote to memory of 2780	2340	67a67fe670bd503852c122658d13225a.exe	29
PID 2340 wrote to memory of 2780	2340	67a67fe670bd503852c122658d13225a.exe	29
PID 2340 wrote to memory of 2780	2340	67a67fe670bd503852c122658d13225a.exe	29
PID 2340 wrote to memory of 2780	2340	67a67fe670bd503852c122658d13225a.exe	29

C:\Users\Admin\AppData\Local\Temp\67a67fe670bd503852c122658d13225a.exe
"C:\Users\Admin\AppData\Local\Temp\67a67fe670bd503852c122658d13225a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Users\Admin\AppData\Local\Temp\hello world.exe
  "C:\Users\Admin\AppData\Local\Temp\hello world.exe"
  2⤵
  - Executes dropped EXE
  PID:2320
- C:\Users\Admin\AppData\Local\Temp\HELLO.EXE
  "C:\Users\Admin\AppData\Local\Temp\HELLO.EXE"
  2⤵
  - Executes dropped EXE
  PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HELLO.EXE

Filesize
1KB

MD5
cd517295184b3539309cfedff45d7373

SHA1
d4b3ac1f92e7dac32720de613570bfcead5996d6

SHA256
1fa07d026c79a7bd75bedcbc6c89789f0563729705a02ee04018530815a1b41f

SHA512
9174d101fc644fb7adfb8d89f12581246f579242fb27f00f3c9b1ff5618ab73a92331731a92c41d51eeee1ac9e31e8139bc75dbfb99f983bb7ceba28d831d149

Download Submit
C:\Users\Admin\AppData\Local\Temp\hello world.exe

Filesize
1KB

MD5
42674f041a9b0264d0a6c771191de3d0

SHA1
ed41b98e07545eac410da96512720d9f2d9c25ca

SHA256
002d353d8a185b7042cc722a0cd154840eebd1e589832179e91065ba16d9d755

SHA512
69546e68b8b0bef8bbae2d182fb7741b638bd2cd47636978b2e154d50a21dae17a38362f29875ab2221d2967c620078f0e976fa189082fcbcd7343919df1f41d

Download Submit
memory/2320-19-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2340-4-0x0000000000520000-0x0000000000523000-memory.dmp

Filesize
12KB

Download
memory/2780-21-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download