2b40ea7ef13ea148c05588d99f8aae1452139091b0786db673ad8f067762d0e3

Analysis

max time kernel
131s
max time network
148s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06/03/2024, 17:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b7f0fbabba4196b4be38b371baa17615.exe
Size

20KB
MD5

b7f0fbabba4196b4be38b371baa17615
SHA1

127b64d1015452365152cb31fff1942300c71380
SHA256

2b40ea7ef13ea148c05588d99f8aae1452139091b0786db673ad8f067762d0e3
SHA512

ac8b1c5f967542cbb570eadc080040e762c4bf4e7d6a056897ddd89c031db2b2df88bbf79253886da62b09b628d0c8ebb88264ea48e887146d29b0e367605d7d
SSDEEP

384:OJn01swUY1EIjESeo544CdHEH5jK3w5VcETcC+TeKthOlnfWjvOeo:OJnoRUyTuuCe5Iw56ETcxntsln

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1888	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\multimediaControls.chl\CLSID	b7f0fbabba4196b4be38b371baa17615.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\multimediaControls.chl	b7f0fbabba4196b4be38b371baa17615.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\multimediaControls.chl\CLSID\ = "{6BF52A52-394A-11D3-B153-00C04F79FAA6}"	b7f0fbabba4196b4be38b371baa17615.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2692	2172	b7f0fbabba4196b4be38b371baa17615.exe	28
PID 2172 wrote to memory of 2692	2172	b7f0fbabba4196b4be38b371baa17615.exe	28
PID 2172 wrote to memory of 2692	2172	b7f0fbabba4196b4be38b371baa17615.exe	28
PID 2172 wrote to memory of 2692	2172	b7f0fbabba4196b4be38b371baa17615.exe	28
PID 2172 wrote to memory of 1888	2172	b7f0fbabba4196b4be38b371baa17615.exe	32
PID 2172 wrote to memory of 1888	2172	b7f0fbabba4196b4be38b371baa17615.exe	32
PID 2172 wrote to memory of 1888	2172	b7f0fbabba4196b4be38b371baa17615.exe	32
PID 2172 wrote to memory of 1888	2172	b7f0fbabba4196b4be38b371baa17615.exe	32

C:\Users\Admin\AppData\Local\Temp\b7f0fbabba4196b4be38b371baa17615.exe
"C:\Users\Admin\AppData\Local\Temp\b7f0fbabba4196b4be38b371baa17615.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Windows\SysWOW64\ctfmon.exe
  ctfmon.exe
  2⤵
  PID:2692
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\awer0.bat" "
  2⤵
  - Deletes itself
  PID:1888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\awer0.bat

Filesize
274B

MD5
e16b1929f91af2839490bb0c13fe48ee

SHA1
f095bacf682fa388a27032e1fda308b0645a9126

SHA256
86d27d9ae4cefa9177d4325dd66756078cce03ceaccffa478c84075571dec6f9

SHA512
ae75e0a51065cf77ab3bcb521cc42e7c47400c9d28f587f0738a25a145d23bf0df98970e8c0023688bfefe106804611a32ed0f18ca26e14ed49a63fb82d9f8b9

Download Submit