01b99ec6a0a57d75cf9b7993c67776dfe5f6dcdf3cf1b0460b41fc8780ce5a57

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
07/03/2024, 09:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b86f4471af6d142f17537a9d5075197e.exe
Size

2.6MB
MD5

b86f4471af6d142f17537a9d5075197e
SHA1

bc0c407e9778c474a1431da5a041d8faa0b97411
SHA256

01b99ec6a0a57d75cf9b7993c67776dfe5f6dcdf3cf1b0460b41fc8780ce5a57
SHA512

078a60d6ecaa6a1974abd2236e667bc90724e79cfbc59776e38dab06a441be6085015e5a4bb52002a08b3a9726404e3349a2fbbe84e5bb74b2014b4a8370b09e
SSDEEP

49152:++fqs1p1m26U6SidllwJF4N67KRTMw9Ld1MtG4pLVRtTCWVxV+k6ouq:++ft1p1B6U6Vi4aEH98UyxTCWVxV+k6I

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3028	sexyss59.exe_tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
2060	b86f4471af6d142f17537a9d5075197e.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Mandy Moore Sex-E Screensaver Uninstaller.exe	b86f4471af6d142f17537a9d5075197e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3028	sexyss59.exe_tmp.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 3028	2060	b86f4471af6d142f17537a9d5075197e.exe	28
PID 2060 wrote to memory of 3028	2060	b86f4471af6d142f17537a9d5075197e.exe	28
PID 2060 wrote to memory of 3028	2060	b86f4471af6d142f17537a9d5075197e.exe	28
PID 2060 wrote to memory of 3028	2060	b86f4471af6d142f17537a9d5075197e.exe	28

C:\Users\Admin\AppData\Local\Temp\b86f4471af6d142f17537a9d5075197e.exe
"C:\Users\Admin\AppData\Local\Temp\b86f4471af6d142f17537a9d5075197e.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Users\Admin\AppData\Local\Temp\inst259394312\installer\sexyss59.exe_tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\inst259394312\installer\sexyss59.exe_tmp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  PID:3028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\inst259394312\installer\sexyss59.exe_tmp.exe

Filesize
2.0MB

MD5
aabc2bbc97e9cb7c85f5bb3d37ebd3d3

SHA1
cda4982eb153462aa7df2c63c78f73710370b7a2

SHA256
89a934a6eb7041b060a75553f29dfca2ba0326f7a7112765c0d985f631ea1b57

SHA512
7bdda69bcca41ce8b275010fcefd68ca82dbd4ecd3795b449cb0618129ae8a475208ef411fe9e9aa6ac5656a7f98afada04aeecb5780e525100ec1ad0cf743b2

Download Submit