df36047bc7a654d78d274df84baab83fa6bec03358a30857db09ee7e6e1b72bc

Analysis

max time kernel
11s
max time network
19s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05-03-2024 19:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

main.exe
Size

23.7MB
MD5

e9c2c91dadd494e37af2bea56b5d472f
SHA1

3e1ff7333e037b320f2df8c4f06e2f7189b102ef
SHA256

df36047bc7a654d78d274df84baab83fa6bec03358a30857db09ee7e6e1b72bc
SHA512

5475f7c3ef9fc4991500a623f3c7821c5b8f064ee76dea54f589148a59eb862cc6d6ebce5dfc7a4b13027bd8881518a551c28e6e754232c491a1ab1ab56206c1
SSDEEP

393216:1vgDzeHJBhp+wbtETwAeToeAE9xQKfZL2M3mqVdsgx8+E5PUVWgzIviE:9gDSBp+CKA9xfxL2M3mUdsbZ5P0RzIvv

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3008	main.exe

Loads dropped DLL 2 IoCs

pid	Process
1340	main.exe
3008	main.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1340 wrote to memory of 3008	1340	main.exe	29
PID 1340 wrote to memory of 3008	1340	main.exe	29
PID 1340 wrote to memory of 3008	1340	main.exe	29

C:\Users\Admin\AppData\Local\Temp\main.exe
"C:\Users\Admin\AppData\Local\Temp\main.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1340
- C:\Users\Admin\AppData\Local\Temp\onefile_1340_133541419316066000\main.exe
  "C:\Users\Admin\AppData\Local\Temp\main.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\onefile_1340_133541419316066000\main.exe

Filesize
3.7MB

MD5
315f2a88fb506d4e52e01ad1caebadf2

SHA1
c76a4f043dece791ef9bd75d0c50e62a4c2b1a6a

SHA256
a3b7b65bb87d3402149ceab165e3b946a954cdd3fa02cfb350d86fe4ccd4ac4b

SHA512
abbb078d174fe7bb4ac108d4b6c7c9c85cc730ce4e054fb594e986e35bd14df9e9ae5bcb82de3e7763d728f7a78e9225cd49fbea1bee073180d00979f64478df

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1340_133541419316066000\python311.dll

Filesize
2.5MB

MD5
7e9e3325fd1d75e92defc4f9c78644ad

SHA1
52fa00e63b111ca477e3cc1c93fb3ec575e452e1

SHA256
1915df9bcea19cc50af7c899a14cfa4738eb3884423f03e5a1bae5577ff1f49d

SHA512
7acb1461a5fd2a43cfd44be2567cad21c5ea8c99f450936b7d280374c2862b14657dabc24195244fc1c572d6ab3d21a9e72b7b337e0e9c7a39f0b75283d9429c

Download Submit
\Users\Admin\AppData\Local\Temp\onefile_1340_133541419316066000\main.exe

Filesize
3.6MB

MD5
e9169d8d724b09bbb9daef0d6f7fa8c2

SHA1
78a71ee9205d381336265cb70dd79d009c538eb2

SHA256
bd24f037378b3709c255fafd9a460b98e71bdd724ba5c7c605b4edb3454a4162

SHA512
d98b85ae3b8bbfea11248e6d4278134a42328c54167e6a6c0bc6e627a2f354336bf78f501c47fa9cae6bf2794c6f8335249d46395cd3c3dbadae3f8b0a807f1d

Download Submit
\Users\Admin\AppData\Local\Temp\onefile_1340_133541419316066000\python311.dll

Filesize
2.4MB

MD5
473c1bdcba6fc41819e7dceb47c53c8e

SHA1
25c4b2240db473e2541b31fd124ecea64b00220d

SHA256
23b56a328cd859e1216c9517693ea9111198d02efc8a7cc0c034a330a3f45d04

SHA512
d5e9adbd8aeb92fedf63e02ca1fbd44aaf9f622d7b304a23b3bcfc841244dcdcdb935bade27e334ed31f5a0dafd89f67f2b56d9d7fa98bc7c83da9c14c6f78bb

Download Submit
memory/1340-46-0x000000013F6B0000-0x0000000140E72000-memory.dmp

Filesize
23.8MB

Download
memory/1340-48-0x000000013F6B0000-0x0000000140E72000-memory.dmp

Filesize
23.8MB

Download
memory/3008-42-0x000000013F8B0000-0x0000000142393000-memory.dmp

Filesize
42.9MB

Download