27f390e6644d236d8c3a0bb2f7d8a2ed1c900ded82113b03e310c17da7948832

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11/03/2024, 10:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c05331f80a8380043725b59f9920a809.exe
Size

961KB
MD5

c05331f80a8380043725b59f9920a809
SHA1

c6e8923eb7a8228c8cda7992173fd061279ef14c
SHA256

27f390e6644d236d8c3a0bb2f7d8a2ed1c900ded82113b03e310c17da7948832
SHA512

c9d76ab059d9579549a2a3aef6452fd891602f0020de90308be1f4e1fa2a80f524e94abacd4236a57a1899c6f8d957043709f994f27e586ebef331ffe518254d
SSDEEP

12288:B6YuF2OPlgCxbUuqEolqhlBG0EZRYx35Ua8wvJfiU3us5NhOblYNTwUkVQ+PYJEt:BDuFhCwUuqDluBMfEhJX3z5mKhwbLe1y

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
2172	c05331f80a8380043725b59f9920a809.exe
2172	c05331f80a8380043725b59f9920a809.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2172	c05331f80a8380043725b59f9920a809.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2684	2172	c05331f80a8380043725b59f9920a809.exe	28
PID 2172 wrote to memory of 2684	2172	c05331f80a8380043725b59f9920a809.exe	28
PID 2172 wrote to memory of 2684	2172	c05331f80a8380043725b59f9920a809.exe	28
PID 2172 wrote to memory of 2684	2172	c05331f80a8380043725b59f9920a809.exe	28
PID 2172 wrote to memory of 2684	2172	c05331f80a8380043725b59f9920a809.exe	28
PID 2172 wrote to memory of 2684	2172	c05331f80a8380043725b59f9920a809.exe	28
PID 2172 wrote to memory of 2684	2172	c05331f80a8380043725b59f9920a809.exe	28
PID 2172 wrote to memory of 2544	2172	c05331f80a8380043725b59f9920a809.exe	30
PID 2172 wrote to memory of 2544	2172	c05331f80a8380043725b59f9920a809.exe	30
PID 2172 wrote to memory of 2544	2172	c05331f80a8380043725b59f9920a809.exe	30
PID 2172 wrote to memory of 2544	2172	c05331f80a8380043725b59f9920a809.exe	30
PID 2172 wrote to memory of 2544	2172	c05331f80a8380043725b59f9920a809.exe	30
PID 2172 wrote to memory of 2544	2172	c05331f80a8380043725b59f9920a809.exe	30
PID 2172 wrote to memory of 2544	2172	c05331f80a8380043725b59f9920a809.exe	30

C:\Users\Admin\AppData\Local\Temp\c05331f80a8380043725b59f9920a809.exe
"C:\Users\Admin\AppData\Local\Temp\c05331f80a8380043725b59f9920a809.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "C:\ProgramData\smes\u.bat"
  2⤵
  PID:2684
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\temg_tmp.bat"
  2⤵
  PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\smes\u.bat

Filesize
44B

MD5
704efba1aee1454561da552dda430498

SHA1
d20fb96683f769eb9cef1b0a068bcba70aeab9c2

SHA256
80b08d35bd27636e0774ce35ab57306f76edc6a0f7058cb1f93733cdf88bf94c

SHA512
7e0c9ede686238703af4893af8842c05c48ab1681ae273b32d8085cf1a17aae946c0c823a0a418787522a551d684367259ff8203ebca6e4ec69b6ded95231bd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\temg_tmp.bat

Filesize
121B

MD5
df9d448c809963bcba8f679d9c687d9a

SHA1
53e65eecd9aa788483ed7b3186a03da7f09fa306

SHA256
54412660454b9a306a6070a1940177f0c72c8d0d15de569b64b99819bab8a85c

SHA512
a536aa501c36225f979fcae7e89207799b3f356d5d8199d228b2b1e011e175ca41676deb8a995993e5ee32fa185e070b9bf634d50a52d94d5317a33a2b132d7a

Download Submit
\Users\Admin\AppData\Local\Temp\nst14BA.tmp\AccessControl.dll

Filesize
10KB

MD5
055f4f9260e07fc83f71877cbb7f4fad

SHA1
a245131af1a182de99bd74af9ff1fab17977a72f

SHA256
4209588362785b690d08d15cd982b8d1c62c348767ca19114234b21d5df74ddc

SHA512
a8e82dc4435ed938f090f43df953ddad9b0075f16218c09890c996299420162d64b1dbfbf613af37769ae796717eec78204dc786b757e8b1d13d423d4ee82e26

Download Submit
\Users\Admin\AppData\Local\Temp\nst14BA.tmp\FindProcDLL.dll

Filesize
3KB

MD5
8614c450637267afacad1645e23ba24a

SHA1
e7b7b09b5bbc13e910aa36316d9cc5fc5d4dcdc2

SHA256
0fa04f06a6de18d316832086891e9c23ae606d7784d5d5676385839b21ca2758

SHA512
af46cd679097584ff9a1d894a729b6397f4b3af17dff3e6f07bef257bc7e48ffa341d82daf298616cd5df1450fc5ab7435cacb70f27302b6db193f01a9f8391b

Download Submit
memory/2172-5-0x0000000010000000-0x0000000010003000-memory.dmp

Filesize
12KB

Download