d7b4e469bed4213d5858e18756df962372fe94bab2c80fe1e185684dbc8ec0e9

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
17-02-2024 19:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d7b4e469bed4213d5858e18756df962372fe94bab2c80fe1e185684dbc8ec0e9.exe
Size

6.1MB
MD5

e537ed509c52dcf1ec1561221fb91854
SHA1

c99868678ac5c32b061b753c660551cfe2fb5d70
SHA256

d7b4e469bed4213d5858e18756df962372fe94bab2c80fe1e185684dbc8ec0e9
SHA512

ff18b2d191ae65ee67aab80b8e28311870fae8b4e70716fa48ef0d4dc175b258d505a26dab42d8518073cdbc28ae06bca66444cfe3759986d984c2708443d59c
SSDEEP

196608:WD1qTulzVzGcsRIo6m1Yz2y3+0ZiBu2BbiIMQI0G1:Ru//9o6M42a+0ZmxLMQc

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

ak.exe

pid process

2700 ak.exe
Loads dropped DLL 3 IoCs

Processes:

d7b4e469bed4213d5858e18756df962372fe94bab2c80fe1e185684dbc8ec0e9.exeak.exe

pid process

2868 d7b4e469bed4213d5858e18756df962372fe94bab2c80fe1e185684dbc8ec0e9.exe
2808
2700 ak.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2700	ak.exe

pid	process
2868	d7b4e469bed4213d5858e18756df962372fe94bab2c80fe1e185684dbc8ec0e9.exe
2808
2700	ak.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

d7b4e469bed4213d5858e18756df962372fe94bab2c80fe1e185684dbc8ec0e9.exe

description	pid	process	target process
PID 2868 wrote to memory of 2700	2868	d7b4e469bed4213d5858e18756df962372fe94bab2c80fe1e185684dbc8ec0e9.exe	ak.exe
PID 2868 wrote to memory of 2700	2868	d7b4e469bed4213d5858e18756df962372fe94bab2c80fe1e185684dbc8ec0e9.exe	ak.exe
PID 2868 wrote to memory of 2700	2868	d7b4e469bed4213d5858e18756df962372fe94bab2c80fe1e185684dbc8ec0e9.exe	ak.exe
PID 2868 wrote to memory of 2700	2868	d7b4e469bed4213d5858e18756df962372fe94bab2c80fe1e185684dbc8ec0e9.exe	ak.exe

C:\Users\Admin\AppData\Local\Temp\d7b4e469bed4213d5858e18756df962372fe94bab2c80fe1e185684dbc8ec0e9.exe
"C:\Users\Admin\AppData\Local\Temp\d7b4e469bed4213d5858e18756df962372fe94bab2c80fe1e185684dbc8ec0e9.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2868

C:\Users\Admin\AppData\Local\Temp\RarSFX0\ak.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\ak.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2700

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\ak.exe
Filesize
1.4MB

MD5
19315d8895312320f0249207d4171eaa

SHA1
d5321b75d9c97e138e54fa9781f28008538f9e2a

SHA256
67f702866792de3d749bf70c724ecabbce09205ea4667aab1510e5308986ed51

SHA512
1f3a44f96dbb4d0d008640f608e5a9f78c70b0a858d699746f90c42d6cd478a73fd8973deb33e8e49fb6dd9d8a63d0a9f9aa7584f0adafe118f433329f9c60a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ak.exe
Filesize
1.7MB

MD5
6abb9f4d52a06c7bd879be201d7411b0

SHA1
d2a8e5b635bc87a487cc26c613ae37ca506aa3a2

SHA256
49b7fc4e0f3cbf0cb72a9dc4be82679b80b80304a52103ebefb398917519bfdb

SHA512
a1052eb1e1f50e6e5a6eb8b23ab525c71e7ec6855d6344d075a121204747b657eb08fd2806dbfc6f10e0a7b18ff19610b09d33cf09f2c00c5c268a0138f74ec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\python311.dll
Filesize
1.8MB

MD5
bca70020b9a12bd0e4feef077daae203

SHA1
be20662d551d3b42b40edcc0eccb88bd8fa114fd

SHA256
3cf03beaab6219bda5fb0f66b298ab74edd8f2d77b35c819941ff95d5e65981c

SHA512
d40298feedddb78d12470d6d76d97a2f5f397761c877e12b81c232027df7d80250a2795880966f4a54ca50694f53b4aef838ecc667c2c508d9564b5b04f64d2a

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\ak.exe
Filesize
2.4MB

MD5
28cbc5e0ee21dbc0189f448eeff62d4b

SHA1
94e9f18572652a0b49378e03e39f9432b81196ce

SHA256
7c08088511062c9b55e3c86676e6638abb8f47c797ddbcf03275829f0c155b23

SHA512
314ebc65e6aa044d58ac33aa0d58207e50df49c535f2f1522c04a01371912f2292e80453ca212d080670facc1e7c29bc5fb2c34e3c1e5b2ee586fa3855a0807d

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\ak.exe
Filesize
1.4MB

MD5
e160bf24f6aa6f9caa8860c961dbff65

SHA1
1b71fef38b297c81dc3742ee8ac292da6475b3d8

SHA256
92981e649e82e9a096f861fd597b1edf3b7b6eae3b8a2bb3cbd1dfa73b0aa974

SHA512
9ff0364cb519d232839deb6e68d5b3f530d9d40da5d09d21a71f50741f6b97d0f5da25894ae08dab8ac7be0e1c80eaa9b2287c9c802a14f4a58be0f083da3ad4

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\python311.dll
Filesize
1.3MB

MD5
f1f842509debc3f18a4c8783b0ce10f5

SHA1
6c01c0ba0f43cc8f91376408101f93080ab6bd20

SHA256
7b0e0799c6af3721d7dc68223ea2aa66df3bd9dc11370da58739af5099491afb

SHA512
8292d244c3b6fca8a842032155ef7749a698dedc82eda1ff61854268b947fe1ee7cb435fe0151044f9a313c21e8f1b05c74c9d791d7223af739c5fec84eb0ab2

Download Submit
memory/2700-38-0x000000013F630000-0x000000013FCF6000-memory.dmp

Filesize
6.8MB

Download