b8902673031de93eaea9e696a7dda24acd683fe04aae22f3407ee9b7174df214

Analysis

max time kernel
152s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07/03/2024, 09:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b86d68f54e891638695da4a592b23d6d.exe
Size

321KB
MD5

b86d68f54e891638695da4a592b23d6d
SHA1

8f54a53314228b0ad879a4c5531e857d10bec9aa
SHA256

b8902673031de93eaea9e696a7dda24acd683fe04aae22f3407ee9b7174df214
SHA512

90b84de7111ab8ad50b1643f3a319dab668d2d70e8a87536a0db99de13ca5918349b8aecae7fc84a090e813a00364f98242018f8750214ec23c0d976add08567
SSDEEP

6144:SSEyY12J5XmzPDn3SUl6RexWcr7kIwWoJf:Sxy/5X+bCHsxWcrYIwz5

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4328	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\yUyqWF.dll	b86d68f54e891638695da4a592b23d6d.exe
File created	C:\Windows\CLOG.txt	b86d68f54e891638695da4a592b23d6d.exe
File created	C:\Windows\oOWwrfao.dll	svchost.exe
File opened for modification	C:\Windows\CLOG.txt	svchost.exe
File created	C:\Windows\gwKHLB\pcDtnEwf.dll	svchost.exe
File opened for modification	C:\Windows\gwKHLB\pcDtnEwf.dll	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4328	svchost.exe
4328	svchost.exe
4328	svchost.exe
4328	svchost.exe
4328	svchost.exe
4328	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4588 wrote to memory of 4328	4588	b86d68f54e891638695da4a592b23d6d.exe	97
PID 4588 wrote to memory of 4328	4588	b86d68f54e891638695da4a592b23d6d.exe	97
PID 4588 wrote to memory of 4328	4588	b86d68f54e891638695da4a592b23d6d.exe	97

C:\Users\Admin\AppData\Local\Temp\b86d68f54e891638695da4a592b23d6d.exe
"C:\Users\Admin\AppData\Local\Temp\b86d68f54e891638695da4a592b23d6d.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4588
- C:\ProgramData\NAMWIb\svchost.exe
  "C:\ProgramData\NAMWIb\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:4328

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1420 --field-trial-handle=3136,i,3192284747741020952,1225278682167953346,262144 --variations-seed-version /prefetch:8
1⤵
PID:2184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\NAMWIb\svchost.exe

Filesize
326KB

MD5
6b5b63f60a957f86e1959fa678d0221d

SHA1
769e732d3353d3b3cf9ef683207d4190a5d5eeba

SHA256
0d4450bb66c174603d8beffa5595cfb82589c487e6fc319bfb471c8ba54a6d2b

SHA512
7ece1a4536932ad902f66b76efbd7b45d1618e87a547bd315912dbe2591b6ef14cb2cba873f3f329f6e486a79f136f7bcf96eaef1e3c9558a14bfe0fc6549552

Download Submit
C:\Windows\CLOG.txt

Filesize
166B

MD5
746aa554d678208e09b13ee642c15cda

SHA1
e2208aef2670413af63f4b7817926c427bd7568b

SHA256
86674955c5f11f4143063f9952b1b35e348ec16203eadeb046ebd4bc12ae2781

SHA512
8fa76dd1c8fd250b312f0e59a487d9c369dd116ed04edd827c0866d78bed47c999cda26b02517604bba559883397ee674d1f2e9fbdeb4d5ba4cdc0a4b25cd3fc

Download Submit
memory/4328-19-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4328-22-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4328-14-0x00000000023A0000-0x00000000023A3000-memory.dmp

Filesize
12KB

Download
memory/4328-62-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4328-15-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4328-53-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4328-31-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4328-10-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4328-24-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4328-27-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4328-30-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4588-0-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4588-1-0x0000000000600000-0x0000000000603000-memory.dmp

Filesize
12KB

Download
memory/4588-11-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download