425f5c826645a86557fabfebd932f9baf59f6bfcd65fed2110eb5311e6f9c7e7

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
12-03-2024 03:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c265062f9012942efb4cc71431c3252c.exe
Size

54KB
MD5

c265062f9012942efb4cc71431c3252c
SHA1

63b73f6c6648fb5aa3b331580b9d7bd9bfadcda8
SHA256

425f5c826645a86557fabfebd932f9baf59f6bfcd65fed2110eb5311e6f9c7e7
SHA512

692d137740520d3354ddd81f3019b5716ba345d091f3be34464ebd1c9da458244a4ece326ca363823dcaa2a305ad10b1ccb8d0fb60e9858bda0fed88c855d742
SSDEEP

768:yeJV08uVsgHgUDpiCqFYVO+1WlC1uxEtYk9cPWfuQdiHIWrwnvXv0wWE:LaCQDDpiC4uO+1lcytyPWfutwnEwWE

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 1272	1704	c265062f9012942efb4cc71431c3252c.exe	31
PID 1704 wrote to memory of 1272	1704	c265062f9012942efb4cc71431c3252c.exe	31
PID 1704 wrote to memory of 1272	1704	c265062f9012942efb4cc71431c3252c.exe	31
PID 1704 wrote to memory of 1272	1704	c265062f9012942efb4cc71431c3252c.exe	31

C:\Users\Admin\AppData\Local\Temp\c265062f9012942efb4cc71431c3252c.exe
"C:\Users\Admin\AppData\Local\Temp\c265062f9012942efb4cc71431c3252c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\f_Mk_m_206.bat" "
  2⤵
  PID:1272
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\redload\1.bat
    3⤵
    PID:2504
  - - C:\PROGRA~1\INTERN~1\iexplore.exe
      C:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://www.cnkankan.com/?82133
      4⤵
      PID:2264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cdf1912.tmp

Filesize
858B

MD5
d727e34e3f5eb5ee1ce17fe4c66bf617

SHA1
ea796e8b305510775d244f30758e125a01569626

SHA256
d0cd1c2b674ee72b000ecacb181addd7735f4c3478731c23f4649e312e4c607d

SHA512
ae3028364bf02b3e7c78d7a44a3305537c16d7feefb9dd968296b86425babaccee81af0c40eb7f8f374266df0e2c3c1a08b6b951ceaddc55572d6f0f1e85705c

Download Submit
C:\Users\Admin\AppData\Local\Temp\f_Mk_m_206.bat

Filesize
54B

MD5
504490369970f1c0eb580afbcdf91618

SHA1
b52f65cd538e6c998b2c7e3167f9c8e8fa6c7971

SHA256
a13a0579286521f0d7cb55fc7d28c6d33f14c0573e9e69f7584fa4008a8e7d43

SHA512
5495ce79abf0fc4ffbfaf9aefa484145f4e0d3e8457be0e2e4dfb1284fb5413016f2d9867e2386db5c4f7b51863bfffeae8ea6bd879053fdf6a928ab2a0857ad

Download Submit
C:\Users\Admin\AppData\Roaming\redload\1.bat

Filesize
3KB

MD5
6d11d2a05e76338b23e505f2989c43d3

SHA1
794748d878a88fd38345b667069da8a77308f79a

SHA256
a4259c57a8824a89859bfa60fc9414fb9e83c7b74ddad19c5e44e6dbe08362a6

SHA512
81acdadf4ef0fc14b7558ffda33650dd4a1bd7ea2de6c815c7f5a13be0c84c1e6507e8ee75e3d6188728f6720d169a42e8d1f1bf0b224282bad1c772a1aa85d0

Download Submit
memory/1704-0-0x0000000000C20000-0x0000000000C45000-memory.dmp

Filesize
148KB

Download
memory/1704-1-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/1704-5-0x0000000000C20000-0x0000000000C45000-memory.dmp

Filesize
148KB

Download
memory/1704-7-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/1704-38-0x0000000000C10000-0x0000000000C1E000-memory.dmp

Filesize
56KB

Download
memory/2264-57-0x00000000029D0000-0x00000000029E0000-memory.dmp

Filesize
64KB

Download