f29c00a73e33fab90329c7aacea5c7866c5fbaa25aa2e1c19cc91c383ff7d9a8

Analysis

max time kernel
24s
max time network
16s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04/02/2024, 01:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

main.exe
Size

13.3MB
MD5

9914af53044c63779dede6b3fc8dfb41
SHA1

14dc2658293f0253c62797795506544b6ea20616
SHA256

f29c00a73e33fab90329c7aacea5c7866c5fbaa25aa2e1c19cc91c383ff7d9a8
SHA512

4ca7abce0bd1ea04ad69ffc327a8fb9f4409369b66600a76ae679fe3dd7226ea3867e39aa1efcfc62586d43caf36268b18cac70cf1fe882cc2da520e22f2f993
SSDEEP

196608:LydEOZwAOejUzmhRsTYjPZWdkSjl5dK6FuaMf8XD/N7QEYhtkUdJiIwT/W54RY0a:+Dm14gkUdkqdZ/Mfe/JQ1htrj/546J

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2760	main.exe

Loads dropped DLL 2 IoCs

pid	Process
1960	main.exe
2760	main.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 2760	1960	main.exe	29
PID 1960 wrote to memory of 2760	1960	main.exe	29
PID 1960 wrote to memory of 2760	1960	main.exe	29

C:\Users\Admin\AppData\Local\Temp\main.exe
"C:\Users\Admin\AppData\Local\Temp\main.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Users\Admin\AppData\Local\Temp\onefile_1960_133514848664246000\main.exe
  "C:\Users\Admin\AppData\Local\Temp\main.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\onefile_1960_133514848664246000\main.exe

Filesize
45KB

MD5
c3de2695c1f7d30ab4dcf3e1066a56de

SHA1
c5a16005faef61e35869d7909ed31d55dd827b61

SHA256
2f658e6a4a6befd20492b362fbb9b55a061f2bd2bdb1ea972350aeda8a5b55d6

SHA512
aa5469014b53008fb335bcc07527ea4cde8b3e9bb9dfa613a15e60c1a2754d0dce42c77a7eea7511bfb41490f00db1efa582fccbe2bf69f8644e20cf3cd97458

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1960_133514848664246000\python39.dll

Filesize
26KB

MD5
a1a606e9fbdaccb81a607ea0d4403311

SHA1
d816046c27790bc458f10cd63ad7f070cc15e164

SHA256
d91e5331fbb5ba897bfeffab4b77aa01b6ad4881687b9ea4bf5f0518dbaa7492

SHA512
978b5431a726b3b8427a569c12292004469243bdd44546026c48704d7a48d14993d1902baaa4d60800069997f3fe8d7672cd887631921593c01b8f7d8a3c8cb1

Download Submit
\Users\Admin\AppData\Local\Temp\onefile_1960_133514848664246000\main.exe

Filesize
62KB

MD5
77aa1a8854553d039f2f7d5a81e9687c

SHA1
151ab468fa7a243228e3aa4fadde630b3c5e2255

SHA256
9ef07a719560118143b0c3a705580e32cbb1a8dcf36bca7551bbe67d85b0bf82

SHA512
e921b5f3b7ded1daee3c076584f6e8b532215a90cfd6e436284212a5a58b8f71b994f0591f39c714787ca06cc6f170e865e0928a6e4210305a4d11eff97ac200

Download Submit
\Users\Admin\AppData\Local\Temp\onefile_1960_133514848664246000\python39.dll

Filesize
1.2MB

MD5
8dc35a5b9cb1925df9aee71934a702b7

SHA1
9d019fd155051c8ad740a16c1deec04d914b3a83

SHA256
4e904609433f6f81b745a179b440818d500e8f71411184a72ca0c93d130fbdfb

SHA512
afade6816c86b69bb8dd1881b03e7237056444ca596ce9478858db12e54ec5585c1b008981d7d6dffdfcbffd28bd1d75236da2c1ceb3e9b4c8532ac757a551e7

Download Submit