d3829c6ecc883d62e2bfcee24edec9bb49aae6eb315f22b08a3c668d66e6bf83

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
18/02/2024, 19:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d3829c6ecc883d62e2bfcee24edec9bb49aae6eb315f22b08a3c668d66e6bf83.exe
Size

3.4MB
MD5

3117bf9274374480ea7b7165786dd3e6
SHA1

5c2b9be474186ae10e884ffc15844191c2d144ae
SHA256

d3829c6ecc883d62e2bfcee24edec9bb49aae6eb315f22b08a3c668d66e6bf83
SHA512

b214abf62646fd10426b79405e2c67cfbed654bbd7e333cc08d88adfec74d269c60fb5b0a8c696fa8107897792228dab34af76f884f237cff1342762c6362e94
SSDEEP

49152:QI1BMSvHH9sufzgtSN9t9/y8MH31Q+QVc5GxJxn+mqEvzHyZsUocVIIR6qW+LKNi:QDSvxrg+t9/ypFQ+QuKJ9TyZ9JKc

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1668	ak.exe
2008	ak.exe

Loads dropped DLL 3 IoCs

pid	Process
2268	d3829c6ecc883d62e2bfcee24edec9bb49aae6eb315f22b08a3c668d66e6bf83.exe
1668	ak.exe
2008	ak.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 1668	2268	d3829c6ecc883d62e2bfcee24edec9bb49aae6eb315f22b08a3c668d66e6bf83.exe	28
PID 2268 wrote to memory of 1668	2268	d3829c6ecc883d62e2bfcee24edec9bb49aae6eb315f22b08a3c668d66e6bf83.exe	28
PID 2268 wrote to memory of 1668	2268	d3829c6ecc883d62e2bfcee24edec9bb49aae6eb315f22b08a3c668d66e6bf83.exe	28
PID 2268 wrote to memory of 1668	2268	d3829c6ecc883d62e2bfcee24edec9bb49aae6eb315f22b08a3c668d66e6bf83.exe	28
PID 1668 wrote to memory of 2008	1668	ak.exe	29
PID 1668 wrote to memory of 2008	1668	ak.exe	29
PID 1668 wrote to memory of 2008	1668	ak.exe	29

C:\Users\Admin\AppData\Local\Temp\d3829c6ecc883d62e2bfcee24edec9bb49aae6eb315f22b08a3c668d66e6bf83.exe
"C:\Users\Admin\AppData\Local\Temp\d3829c6ecc883d62e2bfcee24edec9bb49aae6eb315f22b08a3c668d66e6bf83.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\ak.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ak.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1668
- - C:\Users\Admin\AppData\Local\Temp\onefile_1668_133527583987072000\ak.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ak.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\onefile_1668_133527583987072000\ak.exe

Filesize
3.7MB

MD5
97922953ecfb1e38feceae49f5a1f4bf

SHA1
8080acd9863c61752b01af27671e459071aac66c

SHA256
bc11e0801675911e2f36d8e61859762c1b7a2c9b3ce173cf65b3c37a3f9f5579

SHA512
5a38fc28a137aac0028a002a5c42a31bccbbcb869762f8bf18dcdb5e4af447050bd3130c8880f37df188cc19307e1c0b9597870243307893637b9501f82c711b

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1668_133527583987072000\python310.dll

Filesize
4.3MB

MD5
e4533934b37e688106beac6c5919281e

SHA1
ada39f10ef0bbdcf05822f4260e43d53367b0017

SHA256
2bf761bae584ba67d9a41507b45ebd41ab6ae51755b1782496d0bc60cc1d41d5

SHA512
fa681a48ddd81854c9907026d4f36b008e509729f1d9a18a621f1d86cd1176c1a1ff4f814974306fa4d9e3886e2ce112a4f79b66713e1401f5dae4bcd8b898b9

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\ak.exe

Filesize
3.2MB

MD5
1e9f06ff572008ae0fe723c01a19f51f

SHA1
80623cbd7d7ad0cc539fcc42e0fa5a2f4a6d1193

SHA256
d0a790d8c8fa9147b6fd6d5bf0ef3c2a8907ec17eeb384dcc9b2611044928802

SHA512
7b9d4a9294b931e5efdc02a86336ee8daa4cad83e0c8aa49f148ae3040e819ea483837614a22f66c033d025b6e9106c0198caf1f51db8b3c261c16a024063d8a

Download Submit
memory/1668-28-0x000000013F4E0000-0x000000013F82C000-memory.dmp

Filesize
3.3MB

Download
memory/2008-21-0x000000013F260000-0x000000013F617000-memory.dmp

Filesize
3.7MB

Download