1c6d72f0ad77870033b27ce05dbd17c76932a161003792daafcc5a28a2e084e0

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
19/02/2024, 16:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Weave Manager.exe
Size

10.9MB
MD5

637ff19f62515e60fe8f41e942dadd2f
SHA1

8b76e47821cf352a9e237090b3d000049b4ec9d0
SHA256

1c6d72f0ad77870033b27ce05dbd17c76932a161003792daafcc5a28a2e084e0
SHA512

221217ab065aadd967e1e5c81f863fdcc5f118074640bf94712e709743e6e688dab9db32a161e395ee11bfd030cfa122506956f06bf3d6fe12dbd6ea24969d71
SSDEEP

196608:DSiYq5pjxAwA/THcNwTAlAWzN+PpC6UQJlU/rnsfx+KNZeYez8aQHD2peixk:DDTtxAwAb8NwT1I+Z7inI+sZh/HKpRk

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
2692	go.exe

Loads dropped DLL 18 IoCs

pid	Process
2436	Weave Manager.exe
2436	Weave Manager.exe
2436	Weave Manager.exe
2436	Weave Manager.exe
2436	Weave Manager.exe
2692	go.exe
2692	go.exe
2692	go.exe
2692	go.exe
2692	go.exe
2692	go.exe
2692	go.exe
2692	go.exe
2692	go.exe
2692	go.exe
2692	go.exe
2692	go.exe
2692	go.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2436	Weave Manager.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2436 wrote to memory of 2692	2436	Weave Manager.exe	32
PID 2436 wrote to memory of 2692	2436	Weave Manager.exe	32
PID 2436 wrote to memory of 2692	2436	Weave Manager.exe	32
PID 2436 wrote to memory of 2692	2436	Weave Manager.exe	32
PID 2692 wrote to memory of 3024	2692	go.exe	33
PID 2692 wrote to memory of 3024	2692	go.exe	33
PID 2692 wrote to memory of 3024	2692	go.exe	33
PID 2692 wrote to memory of 3024	2692	go.exe	33

C:\Users\Admin\AppData\Local\Temp\Weave Manager.exe
"C:\Users\Admin\AppData\Local\Temp\Weave Manager.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Users\Admin\AppData\Local\Temp\nsi1601.tmp\go.exe
  "C:\Users\Admin\AppData\Local\Temp\nsi1601.tmp\go.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\nse5BD7.tmp\file.bat
    3⤵
    PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsi1601.tmp\go.exe

Filesize
333KB

MD5
b0d76e6a973c4973239b55f33dc23c89

SHA1
79c8744eb1f42297c0d49ecc929a16e766ca4666

SHA256
e033c09835c478b8e026a5dc94d9ff3a6d6dc763835717bb22a6dd034a13e7bd

SHA512
1c1f4bc29801773a04460278782dcc01f93edbd51157dd14fa6ae519f1a12154b8a5cae58679263ac933241e596e92152e4943342bd5dfe42d3e2088f7cdfe38

Download Submit
\Users\Admin\AppData\Local\Temp\nsi1601.tmp\INetC.dll

Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
\Users\Admin\AppData\Local\Temp\nsi1601.tmp\System.dll

Filesize
12KB

MD5
4add245d4ba34b04f213409bfe504c07

SHA1
ef756d6581d70e87d58cc4982e3f4d18e0ea5b09

SHA256
9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706

SHA512
1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d

Download Submit
\Users\Admin\AppData\Local\Temp\nsi1601.tmp\nsDialogs.dll

Filesize
9KB

MD5
1d8f01a83ddd259bc339902c1d33c8f1

SHA1
9f7806af462c94c39e2ec6cc9c7ad05c44eba04e

SHA256
4b7d17da290f41ebe244827cc295ce7e580da2f7e9f7cc3efc1abc6898e3c9ed

SHA512
28bf647374b4b500a0f3dbced70c2b256f93940e2b39160512e6e486ac31d1d90945acecef578f61b0a501f27c7106b6ffc3deab2ec3bfb3d9af24c9449a1567

Download Submit