dd6c1bd4d89d4af0cfa9cde099a33e1a083fdf12b73691ce5e25130f50cb8590

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
02-02-2024 18:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8a2d88e8eac81c04186149da4839003f.exe
Size

110KB
MD5

8a2d88e8eac81c04186149da4839003f
SHA1

1b41e723f82f8509550a1153d33ab352a7c19cb9
SHA256

dd6c1bd4d89d4af0cfa9cde099a33e1a083fdf12b73691ce5e25130f50cb8590
SHA512

4a05909db55e036853c35fe31180f57a948c3c8c89d729f5145a2962d2c09b050d13195c7dcbf2841a3fa5db3f65b5d7e89a8676464cba4edf95ff1079e098cf
SSDEEP

3072:1vEKR5R9TTJphueT2+Sx3XtZxc5UDmr3jT0N+zwkVRwm5kO83edemH9:1vEKR5R9TTJp0eT2+Sx3XtZxcKDmr3jl

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2944	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2428	8a2d88e8eac81c04186149da4839003f.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2428 wrote to memory of 2944	2428	8a2d88e8eac81c04186149da4839003f.exe	28
PID 2428 wrote to memory of 2944	2428	8a2d88e8eac81c04186149da4839003f.exe	28
PID 2428 wrote to memory of 2944	2428	8a2d88e8eac81c04186149da4839003f.exe	28
PID 2428 wrote to memory of 2944	2428	8a2d88e8eac81c04186149da4839003f.exe	28

C:\Users\Admin\AppData\Local\Temp\8a2d88e8eac81c04186149da4839003f.exe
"C:\Users\Admin\AppData\Local\Temp\8a2d88e8eac81c04186149da4839003f.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Wwz..bat" > nul 2> nul
  2⤵
  - Deletes itself
  PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Wwz..bat

Filesize
210B

MD5
7abcd4ab02a1ea1faa7b1f03e283c868

SHA1
4f76cbdd1161bdf221cfa19d45fce366e194d4a1

SHA256
ca38deae2441c1a093cc3b1d60c2cf35d88c29855e6b78b82fe4a9489d802a03

SHA512
9fa641affdb317a952e2fc68fd025526b12d6654f7e54c2ef83db8075f2514b8f9454ef39fe13a823f5a7ef7e77c6bd346c971d1edc20e2451cc22930a72e957

Download Submit
memory/2428-1-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2428-2-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2428-0-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2428-3-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2428-4-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2428-6-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download