e0754cc76d7cfc1a2adef131f71f9a47d2fb66de3894b9ff194273c49683f058

Analysis

max time kernel
118s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
13/03/2024, 12:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e0754cc76d7cfc1a2adef131f71f9a47d2fb66de3894b9ff194273c49683f058.exe
Size

1.2MB
MD5

8b7683555bb9612f81b64eaac823584b
SHA1

392159dc8a239e00f443113f3e1b0d070de517bc
SHA256

e0754cc76d7cfc1a2adef131f71f9a47d2fb66de3894b9ff194273c49683f058
SHA512

3c9335d78e00133dbfc4bd886c9957d169c1a6af7fc817de6ea72cb591e9b029cea68cb54846db9d9a9c5b0286a7ad6b9245038aa6ad84baceb2dd5ee9550777
SSDEEP

12288:VcYzRDRnPY6Le+AuY0DdIILwqLtxUlwHj4KubIoIgP:VcYl3Le+AULxtGlcJ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1912	sfxA737.tmp.exe

Loads dropped DLL 3 IoCs

pid	Process
1912	sfxA737.tmp.exe
1912	sfxA737.tmp.exe
1912	sfxA737.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2220	e0754cc76d7cfc1a2adef131f71f9a47d2fb66de3894b9ff194273c49683f058.exe
1912	sfxA737.tmp.exe
1912	sfxA737.tmp.exe
1912	sfxA737.tmp.exe
1912	sfxA737.tmp.exe
1912	sfxA737.tmp.exe
1912	sfxA737.tmp.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 1912	2220	e0754cc76d7cfc1a2adef131f71f9a47d2fb66de3894b9ff194273c49683f058.exe	28
PID 2220 wrote to memory of 1912	2220	e0754cc76d7cfc1a2adef131f71f9a47d2fb66de3894b9ff194273c49683f058.exe	28
PID 2220 wrote to memory of 1912	2220	e0754cc76d7cfc1a2adef131f71f9a47d2fb66de3894b9ff194273c49683f058.exe	28
PID 2220 wrote to memory of 1912	2220	e0754cc76d7cfc1a2adef131f71f9a47d2fb66de3894b9ff194273c49683f058.exe	28
PID 2220 wrote to memory of 1912	2220	e0754cc76d7cfc1a2adef131f71f9a47d2fb66de3894b9ff194273c49683f058.exe	28
PID 2220 wrote to memory of 1912	2220	e0754cc76d7cfc1a2adef131f71f9a47d2fb66de3894b9ff194273c49683f058.exe	28
PID 2220 wrote to memory of 1912	2220	e0754cc76d7cfc1a2adef131f71f9a47d2fb66de3894b9ff194273c49683f058.exe	28

C:\Users\Admin\AppData\Local\Temp\e0754cc76d7cfc1a2adef131f71f9a47d2fb66de3894b9ff194273c49683f058.exe
"C:\Users\Admin\AppData\Local\Temp\e0754cc76d7cfc1a2adef131f71f9a47d2fb66de3894b9ff194273c49683f058.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Users\Admin\AppData\Local\Temp\sfxA737.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\sfxA737.tmp.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:1912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\sfxA737.tmp.exe

Filesize
1.2MB

MD5
8b7683555bb9612f81b64eaac823584b

SHA1
392159dc8a239e00f443113f3e1b0d070de517bc

SHA256
e0754cc76d7cfc1a2adef131f71f9a47d2fb66de3894b9ff194273c49683f058

SHA512
3c9335d78e00133dbfc4bd886c9957d169c1a6af7fc817de6ea72cb591e9b029cea68cb54846db9d9a9c5b0286a7ad6b9245038aa6ad84baceb2dd5ee9550777

Download Submit
C:\Users\Admin\AppData\Local\Temp\sfxA737.tmp.exe

Filesize
256KB

MD5
11923991a41530732e5d953d15402d11

SHA1
44c312858dd7103d5660454390c35336a766fce2

SHA256
6626456984f32286ecf02b7733e65fe74bf8fd475ea71503c0da64d5f36f3e47

SHA512
af4a9c096526f6290533a9f63729bdf93e41c34a2b11631ce43294f342f781383c02d2eb9ee17025f3495b847cb6a720dd0cd642a883d3e8d2a764d35fedf5c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\sfxA737.tmp.exe

Filesize
347KB

MD5
d488e0cdb2ab3e2db4bd81b6cba8ce3c

SHA1
35040a703eaad970e96fb8a26fbb0e14ca3b38b4

SHA256
d90e0ff12c4da1f303ef0c3c2632618406013580ef6dbef9f4a81df0714dc25d

SHA512
79ecda1b4d28a40737df18631d26d2d9ed2ba9a1edf06c0eb83673e364d1ee263d456285c841f6e3c4bf04a9c2cfc44e646ec3015f42b9e9cc5370722311acf4

Download Submit
\Users\Admin\AppData\Local\Temp\sfxA737.tmp.exe

Filesize
394KB

MD5
8722e2c745a7903aa83ec03c4e186c1d

SHA1
fa62b22cf729633ebe0760c53cff7b96b331ef34

SHA256
78f27a0eab990d8d21473acdddbffd253518f2bd4659dd35938868ce7c5a2701

SHA512
0186df759bd4c696ef1632d983715a93c36372ab7ebb7c8f2917cc0544c9bd6668cf88b05a7d75680a93758517111b1e9c20064734b08ddb42a1c38afb728ffc

Download Submit
\Users\Admin\AppData\Local\Temp\sfxA737.tmp.exe

Filesize
324KB

MD5
a44bb6d4769989071aef585ddc27c2ed

SHA1
68273675e9b1b3593c71e7bc6fa0a72d1f1cb4d1

SHA256
bd290a02d9384dc258723a92892b6758fdfc9f7534af116cffd6df1d67dd431e

SHA512
0380063cab9d930c6fcaec54862f1ba66010f161d1f8ecedbe446c721479eaec8872d48ad54044d19122aa90072b2737c83d91b7237f7c556c17bbd87b4c38de

Download Submit
\Users\Admin\AppData\Local\Temp\sfxA737.tmp.exe

Filesize
384KB

MD5
9d4df7aa5c4a1cee59daa7d4d1d9255c

SHA1
9438ac26d168f4ce175afabf05eb42d6db3acfa5

SHA256
e6400da4e127197a46921a6bdc4a71aaa7aaebef26ae064769a1a694652a373f

SHA512
4ef078e7b863d3b11364c610020355a2dcf4f6e022e921012ffdb030cf60105f6ff5cc562986b551f228968fdcfc051dac9976e4f58d5b638ce3f1e57c147a1b

Download Submit