Analysis
- max time kernel: 140s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 12/03/2024, 17:03
Static task: static1
Behavioral task: behavioral1
  Sample: c3e4e9a2ecff15bd28f087dbc7d172cb.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: c3e4e9a2ecff15bd28f087dbc7d172cb.exe
  Resource: win10v2004-20240226-en
General
- Target: c3e4e9a2ecff15bd28f087dbc7d172cb.exe
- Size: 1.8MB
- MD5: c3e4e9a2ecff15bd28f087dbc7d172cb
- SHA1: 1db41f320cb65d00c44c98aa7fc8e78e09faf774
- SHA256: fd51b287a2d39b2a4c8204181912b1a6c6a2da3279e02607a91924e06e4ade72
- SHA512: ae559319f1c9b6b582d18abb58c2443f61d8943e8a8efb6eb4d1e75426f1dfc7c2b72ed85affaf5d51d8759e8fdafc8a566983ad9114f5aa55bcb5b633150e11
- SSDEEP: 49152:nKP7kH9gaZYsSNFMGFGisdTrfJ52M/XMV4raxi:Kj09xYLFMGFLmv32M/XMV1xi
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid   Process
  1880  c3e4e9a2ecff15bd28f087dbc7d172cb.tmp
- Loads dropped DLL (4 IoCs)
  pid   Process
  2000  c3e4e9a2ecff15bd28f087dbc7d172cb.exe
  1880  c3e4e9a2ecff15bd28f087dbc7d172cb.tmp
  1880  c3e4e9a2ecff15bd28f087dbc7d172cb.tmp
  1880  c3e4e9a2ecff15bd28f087dbc7d172cb.tmp
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   Process
  1880  c3e4e9a2ecff15bd28f087dbc7d172cb.tmp
- Suspicious use of WriteProcessMemory (7 IoCs)
  description                       pid   Process                               procid_target
  PID 2000 wrote to memory of 1880  2000  c3e4e9a2ecff15bd28f087dbc7d172cb.exe  28
  (the same row is recorded 7 times)
Processes
-
1. Image: C:\Users\Admin\AppData\Local\Temp\c3e4e9a2ecff15bd28f087dbc7d172cb.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\c3e4e9a2ecff15bd28f087dbc7d172cb.exe"
   PID: 2000
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. (child of PID 2000) Image: C:\Users\Admin\AppData\Local\Temp\is-U8KPL.tmp\c3e4e9a2ecff15bd28f087dbc7d172cb.tmp
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-U8KPL.tmp\c3e4e9a2ecff15bd28f087dbc7d172cb.tmp" /SL5="$400F4,1556339,140800,C:\Users\Admin\AppData\Local\Temp\c3e4e9a2ecff15bd28f087dbc7d172cb.exe"
      PID: 1880
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: GetForegroundWindowSpam
-
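The process tree above is the two-stage launch pattern of an Inno Setup installer: the outer setup.exe unpacks the real setup program into %TEMP%\is-XXXXX.tmp\<name>.tmp and starts it with /SL5="$hwnd,totalsize,offset,path-of-setup.exe". The Python script below is an added example, not part of this sandbox report or its tooling. It takes the Processes rows and the WriteProcessMemory rows (constructed here from the entries above), recognises the /SL5 launch, checks that the path inside /SL5 names the parent process, and counts the parent-to-child memory writes. The dictionary keys and field names (hwnd, total_size, offset) are this example's own naming.

```python
import re

# Process rows as listed in the report's Processes section (constructed here
# from that section; the root's parent PID is not given, so it is None).
PROCESSES = [
    {"pid": 2000, "ppid": None,
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\c3e4e9a2ecff15bd28f087dbc7d172cb.exe"'},
    {"pid": 1880, "ppid": 2000,
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\is-U8KPL.tmp\c3e4e9a2ecff15bd28f087dbc7d172cb.tmp"'
            r' /SL5="$400F4,1556339,140800,C:\Users\Admin\AppData\Local\Temp\c3e4e9a2ecff15bd28f087dbc7d172cb.exe"'},
]

# The "Suspicious use of WriteProcessMemory" rows, flattened as the report prints them.
WPM_ROWS = ["PID 2000 wrote to memory of 1880 2000 c3e4e9a2ecff15bd28f087dbc7d172cb.exe 28"] * 7

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
IMAGE_RE = re.compile(r'^"([^"]+)"')
# /SL5="$<hwnd>,<total size>,<offset of the embedded exe>,<path of the launching setup.exe>"
SL5_RE = re.compile(r'/SL5="\$([0-9A-Fa-f]+),(\d+),(\d+),([^"]+)"')
# Inno Setup unpacks its second stage to %TEMP%\is-XXXXX.tmp\<name>.tmp
STAGE2_PATH_RE = re.compile(r"\\is-[A-Z0-9]+\.tmp\\[^\\]+\.tmp$", re.IGNORECASE)


def parse_wpm(rows):
    """Return {(writer_pid, target_pid): count} from the flattened WriteProcessMemory rows."""
    counts = {}
    for row in rows:
        m = WPM_RE.search(row)
        if m is None:
            continue
        key = (int(m.group(1)), int(m.group(2)))
        counts[key] = counts.get(key, 0) + 1
    return counts


def inno_setup_stage2(cmd):
    """Parse an Inno Setup second-stage launch; return its fields, or None if cmd is not one."""
    img = IMAGE_RE.match(cmd)
    sl5 = SL5_RE.search(cmd)
    if img is None or sl5 is None or STAGE2_PATH_RE.search(img.group(1)) is None:
        return None
    return {
        "image": img.group(1),
        "hwnd": int(sl5.group(1), 16),
        "total_size": int(sl5.group(2)),
        "offset": int(sl5.group(3)),
        "setup_exe": sl5.group(4),
    }


def analyse(processes, wpm_rows):
    """Correlate the /SL5 launch with its parent and with the WriteProcessMemory rows."""
    by_pid = {p["pid"]: p for p in processes}
    wpm = parse_wpm(wpm_rows)
    findings = []
    for p in processes:
        stage2 = inno_setup_stage2(p["cmd"])
        if stage2 is None:
            continue
        parent = by_pid.get(p["ppid"])
        parent_image = IMAGE_RE.match(parent["cmd"]).group(1) if parent else None
        findings.append({
            "pid": p["pid"],
            "kind": "inno_setup_stage2",
            "image": stage2["image"],
            "setup_exe": stage2["setup_exe"],
            # The path inside /SL5 should be the parent's own image; a mismatch means
            # the .tmp was started by something other than the setup.exe it names.
            "parent_matches_sl5": parent_image is not None
                                  and parent_image.lower() == stage2["setup_exe"].lower(),
            # The embedded-exe offset must lie inside the stated total size.
            "sizes_consistent": 0 < stage2["offset"] < stage2["total_size"],
            "wpm_from_parent": wpm.get((p["ppid"], p["pid"]), 0),
        })
    return findings


if __name__ == "__main__":
    for finding in analyse(PROCESSES, WPM_ROWS):
        print(finding)
```

Two caveats when reading the result. First, recognising the /SL5 launch only tells you the dropper is packaged with Inno Setup; it says nothing about whether the payload the installer writes is benign, and the dropped DLLs and EXE listed above are what to pull and hash next. Second, the WriteProcessMemory rows are from the parent into a child it had just created, which the sandbox also records when a process merely spawns another, so treat that row as corroborating rather than conclusive.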
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 13KB
MD5: a813d18268affd4763dde940246dc7e5
SHA1: c7366e1fd925c17cc6068001bd38eaef5b42852f
SHA256: e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64
SHA512: b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4
-
Filesize: 22KB
MD5: 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1: 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256: 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512: 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
-
Filesize: 1.1MB
MD5: a4cb46c715d6e7b72755eab92123a3ea
SHA1: 1e769da1816daae7d50c8812c59ee20399431a2d
SHA256: 686699d59606cd7d2253dff2c92003380361f00b168305e959e66bab9bc725c0
SHA512: 8bdce037441eb0ed6aa5fdf7569580b32dd5294b6b4a36a054552e5b46fcbba328b659f2277d3a75d23d9ead64a28d3db2fe49c0b1c13e6d799490ce6509ab1b