14cf777abeedcd9f116f1aeb6362c8d0abb004f4eeb3f28e6e47280519637b2c

Analysis

max time kernel
141s
max time network
123s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
13-03-2024 17:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

medik.exe
Size

6.6MB
MD5

45c163021aafe7b454f7073710421955
SHA1

6142c967c2f1e73e51c5e90ba186a039b48f55ef
SHA256

46492e53f8e69a56b5ddc9d9df7f2d0d1a87305760d46cec0ceda87292dcc56e
SHA512

b84f7554d2341e4136a4ed337c76ee81564dc96307e69edbd66d000082047d4a7a85178a2d945cb8225918a6478a42c936fa5291ee0c0883f62a3a3e8fa7028a
SSDEEP

196608:aqjSKal0puPbvAxA1A9GiyQTt5PKcIIqyT4o1c:aqjSrYuDoxwAjySt1KcIpys1

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1288	medik.exe
1288	medik.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1288	medik.exe
1288	medik.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
1288	medik.exe
1288	medik.exe
1288	medik.exe
1288	medik.exe
1288	medik.exe
1288	medik.exe
1288	medik.exe
1288	medik.exe
1288	medik.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1288 wrote to memory of 2720	1288	medik.exe	28
PID 1288 wrote to memory of 2720	1288	medik.exe	28
PID 1288 wrote to memory of 2720	1288	medik.exe	28
PID 1288 wrote to memory of 2720	1288	medik.exe	28

C:\Users\Admin\AppData\Local\Temp\medik.exe
"C:\Users\Admin\AppData\Local\Temp\medik.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1288
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1288-0-0x0000000000400000-0x0000000002525000-memory.dmp

Filesize
33.1MB

Download
memory/1288-1-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1288-3-0x0000000006F80000-0x0000000006F81000-memory.dmp

Filesize
4KB

Download
memory/1288-7-0x0000000000400000-0x0000000002525000-memory.dmp

Filesize
33.1MB

Download
memory/1288-8-0x0000000007100000-0x0000000007101000-memory.dmp

Filesize
4KB

Download
memory/1288-9-0x0000000008790000-0x0000000008791000-memory.dmp

Filesize
4KB

Download
memory/1288-12-0x0000000008750000-0x0000000008751000-memory.dmp

Filesize
4KB

Download
memory/1288-13-0x0000000000400000-0x0000000002525000-memory.dmp

Filesize
33.1MB

Download
memory/1288-15-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1288-16-0x0000000006F80000-0x0000000006F81000-memory.dmp

Filesize
4KB

Download
memory/1288-19-0x0000000008750000-0x0000000008751000-memory.dmp

Filesize
4KB

Download