0280fbde725a3ffe96a1f0cce44c82be4f757c66232b5b3293e1a680390d6960

Analysis

max time kernel
23s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25/02/2024, 02:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

989ae5b3d5f518de0269ec326005f6fb.exe
Size

41KB
MD5

989ae5b3d5f518de0269ec326005f6fb
SHA1

0c8caa1ad57d3bfae239d76aeccb51f4e364eed5
SHA256

0280fbde725a3ffe96a1f0cce44c82be4f757c66232b5b3293e1a680390d6960
SHA512

9928e3f61d1ad060f6bd2faefb899de0fc6305a06f1d2e651e0237110a76484f9e8dad838ee2b6bb9bcc9652452785bfbf92715361b4ba355f6da7ee6caa037a
SSDEEP

768:b/yC4GyNM01GuQMNXw2PSjHPbSuYlW8PADX:b/pYayGig5HjS3NPAL

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2624	retln.exe

Loads dropped DLL 1 IoCs

pid	Process
2128	989ae5b3d5f518de0269ec326005f6fb.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2128	989ae5b3d5f518de0269ec326005f6fb.exe
2624	retln.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 2624	2128	989ae5b3d5f518de0269ec326005f6fb.exe	28
PID 2128 wrote to memory of 2624	2128	989ae5b3d5f518de0269ec326005f6fb.exe	28
PID 2128 wrote to memory of 2624	2128	989ae5b3d5f518de0269ec326005f6fb.exe	28
PID 2128 wrote to memory of 2624	2128	989ae5b3d5f518de0269ec326005f6fb.exe	28

C:\Users\Admin\AppData\Local\Temp\989ae5b3d5f518de0269ec326005f6fb.exe
"C:\Users\Admin\AppData\Local\Temp\989ae5b3d5f518de0269ec326005f6fb.exe"
1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Users\Admin\AppData\Local\Temp\retln.exe
  "C:\Users\Admin\AppData\Local\Temp\retln.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\retln.exe

Filesize
42KB

MD5
5da342825d85cb4022311392d854ce21

SHA1
04f7d224f2ec99f8215f63a319f5c6a815930945

SHA256
1d7f4378afcb16603eec5b1b4d963eda7e6c03e558c7cbc91f5cf7876500ae0c

SHA512
5776b8aae3ae57e87632e8c0fbb3401468eea03079d0fbf1e7cf12239e8ff20f7924db6299258036f25bac08b3d4b575fde2e2a97ece365a706f4fa85afb2194

Download Submit
memory/2128-0-0x00000000003F0000-0x00000000003F6000-memory.dmp

Filesize
24KB

Download
memory/2128-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2128-2-0x00000000003F0000-0x00000000003F6000-memory.dmp

Filesize
24KB

Download
memory/2624-17-0x00000000003E0000-0x00000000003E6000-memory.dmp

Filesize
24KB

Download