c835694df4fb2481f24ac50ff45064cc524c74d0909c92fa559fde47cac0a521

Analysis

max time kernel
15s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08/03/2024, 01:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

66c75fc5b8ab4039e82a26dad24bb8a4.exe
Size

26KB
MD5

66c75fc5b8ab4039e82a26dad24bb8a4
SHA1

9d00d6aa5de8e71c1a1ec7aa5a9ae1141e390c36
SHA256

c835694df4fb2481f24ac50ff45064cc524c74d0909c92fa559fde47cac0a521
SHA512

36793da26f0f54832fd138dcfe08a08c9512d67b59cf6c907aca4a74fee5e8fabd25c703f26bffebc09a162a0072c74d3e3cb264a10bb5e19713e2f7f95f04be
SSDEEP

384:bM7Q0pjC4GybxMv01d3AcASBQMf6i/zznun:b/yC4GyNM01GuQMNXun

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2936	retln.exe

Loads dropped DLL 1 IoCs

pid	Process
2488	66c75fc5b8ab4039e82a26dad24bb8a4.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2488	66c75fc5b8ab4039e82a26dad24bb8a4.exe
2936	retln.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 2936	2488	66c75fc5b8ab4039e82a26dad24bb8a4.exe	28
PID 2488 wrote to memory of 2936	2488	66c75fc5b8ab4039e82a26dad24bb8a4.exe	28
PID 2488 wrote to memory of 2936	2488	66c75fc5b8ab4039e82a26dad24bb8a4.exe	28
PID 2488 wrote to memory of 2936	2488	66c75fc5b8ab4039e82a26dad24bb8a4.exe	28

C:\Users\Admin\AppData\Local\Temp\66c75fc5b8ab4039e82a26dad24bb8a4.exe
"C:\Users\Admin\AppData\Local\Temp\66c75fc5b8ab4039e82a26dad24bb8a4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Users\Admin\AppData\Local\Temp\retln.exe
  "C:\Users\Admin\AppData\Local\Temp\retln.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\retln.exe

Filesize
26KB

MD5
7a6e8b02e93b43b2c4b1d408d7cb1031

SHA1
c8b153a2fe542867fadef22ca08de872de679a1b

SHA256
795e4de178dfa8811bd08218acd98b52a465f62a7f1ff710131dff65e66de304

SHA512
6e06012e4df724f1711ab6d3201918de24a72093002c3b5fad4f701bdb69d7aa306203e9ce2b082bc36ef7dee0428676a6c8d26883c43f3b0af3b948b94c931c

Download Submit
memory/2488-0-0x00000000003C0000-0x00000000003C6000-memory.dmp

Filesize
24KB

Download
memory/2488-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2488-2-0x00000000003C0000-0x00000000003C6000-memory.dmp

Filesize
24KB

Download
memory/2936-17-0x0000000000270000-0x0000000000276000-memory.dmp

Filesize
24KB

Download