53a7a87985d3f7ccbdf9a25631ea2c29f13cc4d15b04514180effca9e6dad5c5

Analysis

max time kernel
122s
max time network
137s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
13/03/2024, 22:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c70318b45d2e083edc1208cb6609faa9.exe
Size

210KB
MD5

c70318b45d2e083edc1208cb6609faa9
SHA1

9428ea5422b91e70a5dcb2be330ab6c0864ca3cd
SHA256

53a7a87985d3f7ccbdf9a25631ea2c29f13cc4d15b04514180effca9e6dad5c5
SHA512

a378ec0638105d5c0c27284ed75a89768649359cf0119b20c26969e51786725cafb8c28cdc0fc36f788da835f4c9bdb27023d9ddfc2c40c47b43a7ebfeeba471
SSDEEP

3072:E1dlKwgj23+Oz05YoNozCl9v9svvb9rvfnHVggs0tTcZ/S+PLURC08w:E1dlZro5yCTSvz9rvf15LTkfPLURC0t

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2556	ok1.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\28íÚç	c70318b45d2e083edc1208cb6609faa9.exe
File created	C:\Windows\ok1.exe	c70318b45d2e083edc1208cb6609faa9.exe
File opened for modification	C:\Windows\4.jpg	DllHost.exe
File created	C:\Windows\4.jpg	c70318b45d2e083edc1208cb6609faa9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2556	ok1.exe
2556	ok1.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2564	DllHost.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 2556	2092	c70318b45d2e083edc1208cb6609faa9.exe	28
PID 2092 wrote to memory of 2556	2092	c70318b45d2e083edc1208cb6609faa9.exe	28
PID 2092 wrote to memory of 2556	2092	c70318b45d2e083edc1208cb6609faa9.exe	28
PID 2092 wrote to memory of 2556	2092	c70318b45d2e083edc1208cb6609faa9.exe	28
PID 2556 wrote to memory of 1228	2556	ok1.exe	21
PID 2556 wrote to memory of 1228	2556	ok1.exe	21
PID 2556 wrote to memory of 1228	2556	ok1.exe	21
PID 2556 wrote to memory of 1228	2556	ok1.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1228
- C:\Users\Admin\AppData\Local\Temp\c70318b45d2e083edc1208cb6609faa9.exe
  "C:\Users\Admin\AppData\Local\Temp\c70318b45d2e083edc1208cb6609faa9.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2092
- - C:\WINDOWS\ok1.exe
    "C:\WINDOWS\ok1.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2556

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\sfx.ini

Filesize
201B

MD5
49ee440e54cdbad4ad11f8787de88f3b

SHA1
e8c534bbf50c180ad015c4ca835de69edbadb3e6

SHA256
8ed322ce55f240f5d1fc1801bb17fd0454268487819c9032fb814bf729da4db3

SHA512
5c1264549eaae4732509f0b0591cea4512535d0fe4f06a4d39d40ef774d02445997f34282eb1f92b8660740c291744ebcfe335409739acd3ebca0fa61fdbe944

Download Submit
C:\Windows\4.jpg

Filesize
46KB

MD5
cc097576cde6836025cbd1ffad122465

SHA1
8738316d37a2f62570ca7465479971610bd0713d

SHA256
e8e939ff9cbfd5c103b3470f1ed8533791b32374de6148f808fb1b981576e701

SHA512
12f47a77e36f7f76f1802860bbad6c8744682b5179cc95ed798d36870e2e92c3fbe1d2345edca8d147ab7b0d58887aae2cf28d91b2d14a2c0b328cbdcd853ace

Download Submit
C:\Windows\ok1.exe

Filesize
56KB

MD5
606552e17b15862aff4cb1ef7ad3cade

SHA1
5fa6f9a02729d0b310ff5756604e4dd58eea6b10

SHA256
e75e60ef8e839106429e2e41d7877dfabede5878f7686977e429794fdacb240b

SHA512
8e6c49cef60de199ebdb09ec5ca59f40d5d3c93217a2f5937b522e5522b68e4c6ec2fb72c17fe090e4de59bf35c59bf7c767f045058466ea7fd0beb139316a35

Download Submit
memory/1228-30-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/1228-33-0x000000007EFD0000-0x000000007EFD1000-memory.dmp

Filesize
4KB

Download
memory/2092-44-0x0000000003350000-0x0000000003352000-memory.dmp

Filesize
8KB

Download
memory/2092-19-0x0000000002100000-0x0000000002109000-memory.dmp

Filesize
36KB

Download
memory/2092-24-0x0000000002100000-0x0000000002109000-memory.dmp

Filesize
36KB

Download
memory/2556-26-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2556-43-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2556-42-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2556-27-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2564-45-0x0000000000170000-0x0000000000172000-memory.dmp

Filesize
8KB

Download
memory/2564-46-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2564-48-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download