Analysis
- max time kernel: 118s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 18-02-2024 19:33
Static task: static1
Behavioral task: behavioral1
- Sample: efb39ef02375a4b9d93d4f62efb40f95896d87bd18988f5d740ce1d117992876.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: efb39ef02375a4b9d93d4f62efb40f95896d87bd18988f5d740ce1d117992876.exe
- Resource: win10v2004-20231215-en
General
- Target: efb39ef02375a4b9d93d4f62efb40f95896d87bd18988f5d740ce1d117992876.exe
- Size: 3.4MB
- MD5: 112e6b1a7fa7ce6b2679a2fcdba7570a
- SHA1: 8b38f0e256a98d713b09d78c1d1ff69b502b9577
- SHA256: efb39ef02375a4b9d93d4f62efb40f95896d87bd18988f5d740ce1d117992876
- SHA512: b604d4c5d77d98c532e304f33729b92d94b5800745f38e116f038d276b6ceaa9912ac15b62f1a69e4bab286eb884b8137d3dd442301c6a602ae5e2d29096223e
- SSDEEP: 49152:wI1BMSvHH9sufzgtSN9t9/y8MH31Q+QVc5GxJxn+mqEvzHyZsUocVIIR6qW+LKNR:wDSvxrg+t9/ypFQ+QuKJ9TyZ9JKz
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes: ak.exe (PID 2520), ak.exe (PID 3000)
- Loads dropped DLL (3 IoCs)
  Processes: efb39ef02375a4b9d93d4f62efb40f95896d87bd18988f5d740ce1d117992876.exe (PID 1712), ak.exe (PID 2520), ak.exe (PID 3000)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes (source PID / source process -> target PID / target process):
  PID 1712 efb39ef02375a4b9d93d4f62efb40f95896d87bd18988f5d740ce1d117992876.exe wrote to memory of PID 2520 ak.exe (4 occurrences)
  PID 2520 ak.exe wrote to memory of PID 3000 ak.exe (3 occurrences)
Processes
1. C:\Users\Admin\AppData\Local\Temp\efb39ef02375a4b9d93d4f62efb40f95896d87bd18988f5d740ce1d117992876.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\efb39ef02375a4b9d93d4f62efb40f95896d87bd18988f5d740ce1d117992876.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\RarSFX0\ak.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ak.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\onefile_2520_133527583996436000\ak.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ak.exe"
         - Executes dropped EXE
         - Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\onefile_2520_133527583996436000\python310.dll
  Filesize: 4.3MB
  MD5: e4533934b37e688106beac6c5919281e
  SHA1: ada39f10ef0bbdcf05822f4260e43d53367b0017
  SHA256: 2bf761bae584ba67d9a41507b45ebd41ab6ae51755b1782496d0bc60cc1d41d5
  SHA512: fa681a48ddd81854c9907026d4f36b008e509729f1d9a18a621f1d86cd1176c1a1ff4f814974306fa4d9e3886e2ce112a4f79b66713e1401f5dae4bcd8b898b9
- \Users\Admin\AppData\Local\Temp\RarSFX0\ak.exe
  Filesize: 3.2MB
  MD5: 1e9f06ff572008ae0fe723c01a19f51f
  SHA1: 80623cbd7d7ad0cc539fcc42e0fa5a2f4a6d1193
  SHA256: d0a790d8c8fa9147b6fd6d5bf0ef3c2a8907ec17eeb384dcc9b2611044928802
  SHA512: 7b9d4a9294b931e5efdc02a86336ee8daa4cad83e0c8aa49f148ae3040e819ea483837614a22f66c033d025b6e9106c0198caf1f51db8b3c261c16a024063d8a
- \Users\Admin\AppData\Local\Temp\onefile_2520_133527583996436000\ak.exe
  Filesize: 3.7MB
  MD5: 97922953ecfb1e38feceae49f5a1f4bf
  SHA1: 8080acd9863c61752b01af27671e459071aac66c
  SHA256: bc11e0801675911e2f36d8e61859762c1b7a2c9b3ce173cf65b3c37a3f9f5579
  SHA512: 5a38fc28a137aac0028a002a5c42a31bccbbcb869762f8bf18dcdb5e4af447050bd3130c8880f37df188cc19307e1c0b9597870243307893637b9501f82c711b
- memory/2520-28-0x000000013F9F0000-0x000000013FD3C000-memory.dmp
  Filesize: 3.3MB
- memory/3000-21-0x000000013F160000-0x000000013F517000-memory.dmp
  Filesize: 3.7MB