1ac985437855175a62a585f92347b1cf8fd7facd936dcb79e06bb8a8d191b1eb

Analysis

max time kernel
142s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24/02/2024, 15:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a235762f28bf71d09aea086a28823daa.exe
Size

11KB
MD5

a235762f28bf71d09aea086a28823daa
SHA1

881973962828828db324863c147e4b5d2416b7b0
SHA256

1ac985437855175a62a585f92347b1cf8fd7facd936dcb79e06bb8a8d191b1eb
SHA512

e1d48ecd6e0dc9e854e9d049113ea5cefbee3c188b9eb66eadbb143ef4cb1bc3b721ba0870368b889cc88eaf0b677032874c27c2ad5b51cffd1f6efc5f5a52a2
SSDEEP

192:PIm1agHT6o8YkHN+lDAOb2X8YgEpoIrYI0886ykQVK8URdM0Qup7Y7sNS:PIyagz6o8fN+CNZpAtB61qKhghVIS

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2308	a235762f28bf71d09aea086a28823daa.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 2908	2308	a235762f28bf71d09aea086a28823daa.exe	28
PID 2308 wrote to memory of 2908	2308	a235762f28bf71d09aea086a28823daa.exe	28
PID 2308 wrote to memory of 2908	2308	a235762f28bf71d09aea086a28823daa.exe	28
PID 2308 wrote to memory of 2908	2308	a235762f28bf71d09aea086a28823daa.exe	28
PID 2908 wrote to memory of 2980	2908	cmd.exe	30
PID 2908 wrote to memory of 2980	2908	cmd.exe	30
PID 2908 wrote to memory of 2980	2908	cmd.exe	30
PID 2908 wrote to memory of 2980	2908	cmd.exe	30
PID 2980 wrote to memory of 2088	2980	net.exe	31
PID 2980 wrote to memory of 2088	2980	net.exe	31
PID 2980 wrote to memory of 2088	2980	net.exe	31
PID 2980 wrote to memory of 2088	2980	net.exe	31

C:\Users\Admin\AppData\Local\Temp\a235762f28bf71d09aea086a28823daa.exe
"C:\Users\Admin\AppData\Local\Temp\a235762f28bf71d09aea086a28823daa.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net stop sharedaccess
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2908
- - C:\Windows\SysWOW64\net.exe
    net stop sharedaccess
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2980
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop sharedaccess
      4⤵
      PID:2088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2308-2-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2308-6-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download