393349478b4a904e4e4394891f7b3dc25c404a28c7d1381822e39b9ee683aa45

Analysis

max time kernel
148s
max time network
154s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
18/02/2024, 04:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea80838f3016998e4fc2532c736d5ca8.exe
Size

34KB
MD5

ea80838f3016998e4fc2532c736d5ca8
SHA1

2f49a1059f746b74001a272fd67c2fa1e7db9edc
SHA256

393349478b4a904e4e4394891f7b3dc25c404a28c7d1381822e39b9ee683aa45
SHA512

8a014d128a07f1bd9b3e13daa5a4ea1e167fe4db856c89f7284249290be9f2915c47c065ecf9ffed4b085b11087785cf0ed546ea57a2f7c3f0125af811ef91ea
SSDEEP

384:bA74uGLLQRcsdeQ72ngEr4K7YmE8j60nrlwfjDUgIunIVpeNs23mAA6ls:bA74zYcgT/Ekd0ryfjPIunqpeNswmb

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2756	hasfj.exe

Loads dropped DLL 1 IoCs

pid	Process
2448	ea80838f3016998e4fc2532c736d5ca8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 2756	2448	ea80838f3016998e4fc2532c736d5ca8.exe	28
PID 2448 wrote to memory of 2756	2448	ea80838f3016998e4fc2532c736d5ca8.exe	28
PID 2448 wrote to memory of 2756	2448	ea80838f3016998e4fc2532c736d5ca8.exe	28
PID 2448 wrote to memory of 2756	2448	ea80838f3016998e4fc2532c736d5ca8.exe	28

C:\Users\Admin\AppData\Local\Temp\ea80838f3016998e4fc2532c736d5ca8.exe
"C:\Users\Admin\AppData\Local\Temp\ea80838f3016998e4fc2532c736d5ca8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Users\Admin\AppData\Local\Temp\hasfj.exe
  "C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
  2⤵
  - Executes dropped EXE
  PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\hasfj.exe

Filesize
34KB

MD5
8197827be9bfeadc7e5d9a939b8cb275

SHA1
2f7eeeb3421d70b07dc1e1d47a0ca595f8906ac9

SHA256
ed62f14ac3b074edd5a12bc3d6759985160eb5034e3a2d3e411d2a11ebb95ccf

SHA512
167422c85c21f26549cb2a0269f7ea1596a59b0e052568e1a469cb2e085f3408d8f5f0fa223986ea98318f3fee1a006d29bce52ff6a2a4915471c0885f3f9bf6

Download Submit
memory/2448-0-0x0000000000300000-0x0000000000306000-memory.dmp

Filesize
24KB

Download
memory/2448-2-0x0000000000300000-0x0000000000306000-memory.dmp

Filesize
24KB

Download
memory/2448-1-0x0000000001B40000-0x0000000001B46000-memory.dmp

Filesize
24KB

Download
memory/2756-18-0x0000000000270000-0x0000000000276000-memory.dmp

Filesize
24KB

Download
memory/2756-15-0x0000000000290000-0x0000000000296000-memory.dmp

Filesize
24KB

Download