f751ca4ed91ac0a42de399b63152e5f137be0284fc98c6962aed8a5431217dc2

Analysis

max time kernel
122s
max time network
124s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
23/02/2024, 05:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f751ca4ed91ac0a42de399b63152e5f137be0284fc98c6962aed8a5431217dc2.exe
Size

6.3MB
MD5

55a4e48f0b27008710e80d04e74d7eda
SHA1

3140f3dce43ab689d0b23bd775759bd71523018f
SHA256

f751ca4ed91ac0a42de399b63152e5f137be0284fc98c6962aed8a5431217dc2
SHA512

eaa7111efad16e29e9c40228ce4f504c2104b70fe420724fc3360e659603b9f84a214a2ad95013fd5c1e3e94d714f4697c8cca09271aa4bad3775b91047f3d94
SSDEEP

196608:QBLY8gsUxMSzrWqUkFxpOC1+hGAIaqS92k:Kad/WoHf4Gda/9t

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
2052	f751ca4ed91ac0a42de399b63152e5f137be0284fc98c6962aed8a5431217dc2.tmp
2492	install_tool.exe
2644	install_tool.exe
2672	install_tool.exe
2656	card_code_check.exe

Loads dropped DLL 9 IoCs

pid	Process
2036	f751ca4ed91ac0a42de399b63152e5f137be0284fc98c6962aed8a5431217dc2.exe
2052	f751ca4ed91ac0a42de399b63152e5f137be0284fc98c6962aed8a5431217dc2.tmp
2532	Process not Found
2052	f751ca4ed91ac0a42de399b63152e5f137be0284fc98c6962aed8a5431217dc2.tmp
2716	Process not Found
2052	f751ca4ed91ac0a42de399b63152e5f137be0284fc98c6962aed8a5431217dc2.tmp
2628	Process not Found
2052	f751ca4ed91ac0a42de399b63152e5f137be0284fc98c6962aed8a5431217dc2.tmp
2612	Process not Found

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2672	install_tool.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 2052	2036	f751ca4ed91ac0a42de399b63152e5f137be0284fc98c6962aed8a5431217dc2.exe	28
PID 2036 wrote to memory of 2052	2036	f751ca4ed91ac0a42de399b63152e5f137be0284fc98c6962aed8a5431217dc2.exe	28
PID 2036 wrote to memory of 2052	2036	f751ca4ed91ac0a42de399b63152e5f137be0284fc98c6962aed8a5431217dc2.exe	28
PID 2036 wrote to memory of 2052	2036	f751ca4ed91ac0a42de399b63152e5f137be0284fc98c6962aed8a5431217dc2.exe	28
PID 2036 wrote to memory of 2052	2036	f751ca4ed91ac0a42de399b63152e5f137be0284fc98c6962aed8a5431217dc2.exe	28
PID 2036 wrote to memory of 2052	2036	f751ca4ed91ac0a42de399b63152e5f137be0284fc98c6962aed8a5431217dc2.exe	28
PID 2036 wrote to memory of 2052	2036	f751ca4ed91ac0a42de399b63152e5f137be0284fc98c6962aed8a5431217dc2.exe	28
PID 2052 wrote to memory of 2492	2052	f751ca4ed91ac0a42de399b63152e5f137be0284fc98c6962aed8a5431217dc2.tmp	29
PID 2052 wrote to memory of 2492	2052	f751ca4ed91ac0a42de399b63152e5f137be0284fc98c6962aed8a5431217dc2.tmp	29
PID 2052 wrote to memory of 2492	2052	f751ca4ed91ac0a42de399b63152e5f137be0284fc98c6962aed8a5431217dc2.tmp	29
PID 2052 wrote to memory of 2492	2052	f751ca4ed91ac0a42de399b63152e5f137be0284fc98c6962aed8a5431217dc2.tmp	29
PID 2052 wrote to memory of 2644	2052	f751ca4ed91ac0a42de399b63152e5f137be0284fc98c6962aed8a5431217dc2.tmp	31
PID 2052 wrote to memory of 2644	2052	f751ca4ed91ac0a42de399b63152e5f137be0284fc98c6962aed8a5431217dc2.tmp	31
PID 2052 wrote to memory of 2644	2052	f751ca4ed91ac0a42de399b63152e5f137be0284fc98c6962aed8a5431217dc2.tmp	31
PID 2052 wrote to memory of 2644	2052	f751ca4ed91ac0a42de399b63152e5f137be0284fc98c6962aed8a5431217dc2.tmp	31
PID 2644 wrote to memory of 2508	2644	install_tool.exe	33
PID 2644 wrote to memory of 2508	2644	install_tool.exe	33
PID 2644 wrote to memory of 2508	2644	install_tool.exe	33
PID 2508 wrote to memory of 2844	2508	cmd.exe	34
PID 2508 wrote to memory of 2844	2508	cmd.exe	34
PID 2508 wrote to memory of 2844	2508	cmd.exe	34
PID 2844 wrote to memory of 2712	2844	net.exe	35
PID 2844 wrote to memory of 2712	2844	net.exe	35
PID 2844 wrote to memory of 2712	2844	net.exe	35
PID 2052 wrote to memory of 2672	2052	f751ca4ed91ac0a42de399b63152e5f137be0284fc98c6962aed8a5431217dc2.tmp	36
PID 2052 wrote to memory of 2672	2052	f751ca4ed91ac0a42de399b63152e5f137be0284fc98c6962aed8a5431217dc2.tmp	36
PID 2052 wrote to memory of 2672	2052	f751ca4ed91ac0a42de399b63152e5f137be0284fc98c6962aed8a5431217dc2.tmp	36
PID 2052 wrote to memory of 2672	2052	f751ca4ed91ac0a42de399b63152e5f137be0284fc98c6962aed8a5431217dc2.tmp	36
PID 2052 wrote to memory of 2656	2052	f751ca4ed91ac0a42de399b63152e5f137be0284fc98c6962aed8a5431217dc2.tmp	38
PID 2052 wrote to memory of 2656	2052	f751ca4ed91ac0a42de399b63152e5f137be0284fc98c6962aed8a5431217dc2.tmp	38
PID 2052 wrote to memory of 2656	2052	f751ca4ed91ac0a42de399b63152e5f137be0284fc98c6962aed8a5431217dc2.tmp	38
PID 2052 wrote to memory of 2656	2052	f751ca4ed91ac0a42de399b63152e5f137be0284fc98c6962aed8a5431217dc2.tmp	38

C:\Users\Admin\AppData\Local\Temp\f751ca4ed91ac0a42de399b63152e5f137be0284fc98c6962aed8a5431217dc2.exe
"C:\Users\Admin\AppData\Local\Temp\f751ca4ed91ac0a42de399b63152e5f137be0284fc98c6962aed8a5431217dc2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Users\Admin\AppData\Local\Temp\is-CIT9C.tmp\f751ca4ed91ac0a42de399b63152e5f137be0284fc98c6962aed8a5431217dc2.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-CIT9C.tmp\f751ca4ed91ac0a42de399b63152e5f137be0284fc98c6962aed8a5431217dc2.tmp" /SL5="$80122,5680488,797696,C:\Users\Admin\AppData\Local\Temp\f751ca4ed91ac0a42de399b63152e5f137be0284fc98c6962aed8a5431217dc2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Users\Admin\AppData\Local\Temp\is-GTCOO.tmp\install_tool.exe
    "C:\Users\Admin\AppData\Local\Temp\is-GTCOO.tmp\install_tool.exe" 2 Steam\Steam.lnk C:\Users\Admin\AppData\Local\Temp\is-GTCOO.tmp\findpath.txt
    3⤵
    - Executes dropped EXE
    PID:2492
- - C:\Users\Admin\AppData\Local\Temp\is-GTCOO.tmp\install_tool.exe
    "C:\Users\Admin\AppData\Local\Temp\is-GTCOO.tmp\install_tool.exe" 4 steam_host
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c net stop steam_host
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2508
    - - C:\Windows\system32\net.exe
        
        net stop steam_host
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2844
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop steam_host
        6⤵
        
        PID:2712
- - C:\Users\Admin\AppData\Local\Temp\is-GTCOO.tmp\install_tool.exe
    "C:\Users\Admin\AppData\Local\Temp\is-GTCOO.tmp\install_tool.exe" 3 WindowsUpdateBlocker.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2672
- - C:\Users\Admin\AppData\Local\Temp\is-GTCOO.tmp\card_code_check.exe
    "C:\Users\Admin\AppData\Local\Temp\is-GTCOO.tmp\card_code_check.exe" 0 0 0 3000 ZXCVNTAECERWYJGV
    3⤵
    - Executes dropped EXE
    PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\is-CIT9C.tmp\f751ca4ed91ac0a42de399b63152e5f137be0284fc98c6962aed8a5431217dc2.tmp

Filesize
3.0MB

MD5
45dc976bf2b5db845f3a6c12f8aecd9d

SHA1
de467a57299197e07a07bf4c3921be3021bc0f35

SHA256
95901ea941b1e3ea67f371ccf39f9fbdf6268886babb63717a77a528f846d4b1

SHA512
03a233a14f434ce340b92347e8ebe6628dcb9ab495076f6879253fa1cb15bbf64aed3cab73457ad5238c7e22d87649dddbeeb748051fab4c09760d52b49fcf6b

Download Submit
\Users\Admin\AppData\Local\Temp\is-GTCOO.tmp\card_code_check.exe

Filesize
103KB

MD5
e599549b26145a23da8288b5dcb15723

SHA1
919858d333c51d4b3fc74c21457b0598793ed4db

SHA256
d2189ed466e0f6bd4c612694b7c56f19323f0a48c931ac5321335006c9dd5780

SHA512
dfb46c256c91443416a4436d04adbf89966ee7556345e85afbd41d69270dfa0cf6d7c6f79867e1847da977b68844060664293bf655b8c1d744f14067df802fce

Download Submit
\Users\Admin\AppData\Local\Temp\is-GTCOO.tmp\install_tool.exe

Filesize
138KB

MD5
009e852552e1d71fd3547afd2d34ceb0

SHA1
db252b1eac7e356972689c555ea51416be10b4ff

SHA256
7ab988c5636873d60ba082bbcbabcdd10a4399578f7328e16f4966a658f193ac

SHA512
aa509d6fd12a01a44e98aaa9fd77608b4c720bd9347104b4a19d0ee9e04da42da3b6994b84332f18798735dc0ccd48d5a350caf05fe5be4e5af0a06590059b7a

Download Submit
memory/2036-1-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/2036-37-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/2052-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2052-35-0x0000000000400000-0x000000000070E000-memory.dmp

Filesize
3.1MB

Download