25897d65f2f72364754bd6d05a889105d25988ced7663c9e22c5807a01dc7700

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/01/2024, 19:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

754b1f820b725bfec2c1f192d71bb9c7.exe
Size

942KB
MD5

754b1f820b725bfec2c1f192d71bb9c7
SHA1

358a75283118cf5399213ad5290d7c1b076f0846
SHA256

25897d65f2f72364754bd6d05a889105d25988ced7663c9e22c5807a01dc7700
SHA512

a0938018782e603d23cd17eb456a00d6c83801829f07feb5ed85eccbdece966facedf0eb22c89261c5b4be52cfd07273633546d2dee364e81f7d9c62a8a4c40d
SSDEEP

12288:BXuF2OPlgCxbUuqEolqhlBG0EZRYx35Ua8wvJfiU3us5NhOblYNTwUkVQ+PYJMA:BXuFhCwUuqDluBMfEhJX3z5mKhwbLe9

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
2200	754b1f820b725bfec2c1f192d71bb9c7.exe
2200	754b1f820b725bfec2c1f192d71bb9c7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2200	754b1f820b725bfec2c1f192d71bb9c7.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 2804	2200	754b1f820b725bfec2c1f192d71bb9c7.exe	28
PID 2200 wrote to memory of 2804	2200	754b1f820b725bfec2c1f192d71bb9c7.exe	28
PID 2200 wrote to memory of 2804	2200	754b1f820b725bfec2c1f192d71bb9c7.exe	28
PID 2200 wrote to memory of 2804	2200	754b1f820b725bfec2c1f192d71bb9c7.exe	28
PID 2200 wrote to memory of 2804	2200	754b1f820b725bfec2c1f192d71bb9c7.exe	28
PID 2200 wrote to memory of 2804	2200	754b1f820b725bfec2c1f192d71bb9c7.exe	28
PID 2200 wrote to memory of 2804	2200	754b1f820b725bfec2c1f192d71bb9c7.exe	28
PID 2200 wrote to memory of 2792	2200	754b1f820b725bfec2c1f192d71bb9c7.exe	30
PID 2200 wrote to memory of 2792	2200	754b1f820b725bfec2c1f192d71bb9c7.exe	30
PID 2200 wrote to memory of 2792	2200	754b1f820b725bfec2c1f192d71bb9c7.exe	30
PID 2200 wrote to memory of 2792	2200	754b1f820b725bfec2c1f192d71bb9c7.exe	30
PID 2200 wrote to memory of 2792	2200	754b1f820b725bfec2c1f192d71bb9c7.exe	30
PID 2200 wrote to memory of 2792	2200	754b1f820b725bfec2c1f192d71bb9c7.exe	30
PID 2200 wrote to memory of 2792	2200	754b1f820b725bfec2c1f192d71bb9c7.exe	30

C:\Users\Admin\AppData\Local\Temp\754b1f820b725bfec2c1f192d71bb9c7.exe
"C:\Users\Admin\AppData\Local\Temp\754b1f820b725bfec2c1f192d71bb9c7.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "C:\ProgramData\smes\u.bat"
  2⤵
  PID:2804
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\temg_tmp.bat"
  2⤵
  PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\smes\u.bat

Filesize
44B

MD5
704efba1aee1454561da552dda430498

SHA1
d20fb96683f769eb9cef1b0a068bcba70aeab9c2

SHA256
80b08d35bd27636e0774ce35ab57306f76edc6a0f7058cb1f93733cdf88bf94c

SHA512
7e0c9ede686238703af4893af8842c05c48ab1681ae273b32d8085cf1a17aae946c0c823a0a418787522a551d684367259ff8203ebca6e4ec69b6ded95231bd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\temg_tmp.bat

Filesize
121B

MD5
a985eacb6d28f1fba3c3a5e56cad49b5

SHA1
504b5de571fda1ee33850116bb30630a363d1b37

SHA256
e43e992e847319ec09412e1f40eabd97e8da39b52395c2c0719fad0ae39c39b4

SHA512
d82031e386d01a9a43d988fdbacc478f513aa3f9bc26f3c5baf19233d1263463465dff8a3487a904142a2da6463d5f26fddd37f0b63a84fcfe3fc2b6798e2feb

Download Submit
\Users\Admin\AppData\Local\Temp\nst674C.tmp\AccessControl.dll

Filesize
10KB

MD5
055f4f9260e07fc83f71877cbb7f4fad

SHA1
a245131af1a182de99bd74af9ff1fab17977a72f

SHA256
4209588362785b690d08d15cd982b8d1c62c348767ca19114234b21d5df74ddc

SHA512
a8e82dc4435ed938f090f43df953ddad9b0075f16218c09890c996299420162d64b1dbfbf613af37769ae796717eec78204dc786b757e8b1d13d423d4ee82e26

Download Submit
\Users\Admin\AppData\Local\Temp\nst674C.tmp\FindProcDLL.dll

Filesize
3KB

MD5
8614c450637267afacad1645e23ba24a

SHA1
e7b7b09b5bbc13e910aa36316d9cc5fc5d4dcdc2

SHA256
0fa04f06a6de18d316832086891e9c23ae606d7784d5d5676385839b21ca2758

SHA512
af46cd679097584ff9a1d894a729b6397f4b3af17dff3e6f07bef257bc7e48ffa341d82daf298616cd5df1450fc5ab7435cacb70f27302b6db193f01a9f8391b

Download Submit
memory/2200-5-0x0000000010000000-0x0000000010003000-memory.dmp

Filesize
12KB

Download