fb6696d7bc992c698298407e3468f5871acb9dd0f134049bba4cf26aa198a1da

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/01/2024, 00:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75ee9d05992f47b9ec9a95f56b7d682c.exe
Size

4KB
MD5

75ee9d05992f47b9ec9a95f56b7d682c
SHA1

6f9be7a04cf1ffde9902ad4772cc4e77390fae32
SHA256

fb6696d7bc992c698298407e3468f5871acb9dd0f134049bba4cf26aa198a1da
SHA512

971f89f3cd46b137e7ec6f12a00b1779f6ae0bcc6e6812b492efdb3a48ba9bc745875e565e15ce72b67a722909d81722ec3c6c344707696a56bda9d987e53d9b
SSDEEP

96:4D/QunnI2AQBMtzfS2mKru0QYiDtllV4t:4DHnI2b65Jlr8YiJut

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2076	cmd.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\lncom.exe	75ee9d05992f47b9ec9a95f56b7d682c.exe
File created	C:\Windows\SysWOW64\lncom_.chm	75ee9d05992f47b9ec9a95f56b7d682c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 2180	3024	75ee9d05992f47b9ec9a95f56b7d682c.exe	28
PID 3024 wrote to memory of 2180	3024	75ee9d05992f47b9ec9a95f56b7d682c.exe	28
PID 3024 wrote to memory of 2180	3024	75ee9d05992f47b9ec9a95f56b7d682c.exe	28
PID 3024 wrote to memory of 2180	3024	75ee9d05992f47b9ec9a95f56b7d682c.exe	28
PID 3024 wrote to memory of 2076	3024	75ee9d05992f47b9ec9a95f56b7d682c.exe	29
PID 3024 wrote to memory of 2076	3024	75ee9d05992f47b9ec9a95f56b7d682c.exe	29
PID 3024 wrote to memory of 2076	3024	75ee9d05992f47b9ec9a95f56b7d682c.exe	29
PID 3024 wrote to memory of 2076	3024	75ee9d05992f47b9ec9a95f56b7d682c.exe	29

C:\Users\Admin\AppData\Local\Temp\75ee9d05992f47b9ec9a95f56b7d682c.exe
"C:\Users\Admin\AppData\Local\Temp\75ee9d05992f47b9ec9a95f56b7d682c.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Windows\hh.exe
  "C:\Windows\hh.exe" C:\Windows\system32\lncom_.chm
  2⤵
  PID:2180
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\75EE9D~1.EXE.bat
  2⤵
  - Deletes itself
  PID:2076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\75EE9D~1.EXE.bat

Filesize
133B

MD5
c3336fb3724d3e84d66db5aa855e1996

SHA1
fb11ce0049a3ec1eb14864a43001e74db1a968b9

SHA256
4cdbf807a38aca3969288360a64850437fb2e56ee937604ac5e31cca2efa5bf1

SHA512
0fec709c786e8d18351f1d63fb6f3f2d6a7577e62416be361b9dc171446c001485f0247e14d33b6d75ae21e1d9c5a3c54afc721d15dbec3bec25a2f251f8be78

Download Submit
C:\Users\Admin\AppData\Local\Temp\75ee9d05992f47b9ec9a95f56b7d682c.chm

Filesize
4KB

MD5
00c2bb0dc203ac1eae95a70445f9cc14

SHA1
10063a020c9bf835356c1f2967df457ba75f015b

SHA256
06f12e57f312c8d92c48cbf4adeac678834e91a09129db70aa6820b50010753d

SHA512
1a0127ca754801d152f91124567a93e93ddcbe7d25165f284ac4ebea032c6569e66193d50a0eb4d85a692d6c81e3699a85bb33960639beb942c1d31f5ce59851

Download Submit
memory/3024-12-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download