2ee6dfbfb2afd7442c9f2212eb142876698851c3ffb552ee420c0281e35a836e

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
14-03-2024 04:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ee6dfbfb2afd7442c9f2212eb142876698851c3ffb552ee420c0281e35a836e.exe
Size

4.9MB
MD5

b2306ae0dcd36a0d84f954825178d594
SHA1

68f1e3ce4782a242cfcc4fee968b150a3f208bf7
SHA256

2ee6dfbfb2afd7442c9f2212eb142876698851c3ffb552ee420c0281e35a836e
SHA512

4b6826642012c285eb10f530fd490ac4a118cf6a79b05c169936dda90568cace35829a6923da87222d11d7fe03b2cc10a347b9b93e67c6d6e4acb1d54628bf5d
SSDEEP

98304:w3StAYjEtOdVEfrmNNTC2zM9yklTIh5DBWM2UPXY+3C:w3St3dRNUj9rlgeMK

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	2ee6dfbfb2afd7442c9f2212eb142876698851c3ffb552ee420c0281e35a836e.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
1784	2ee6dfbfb2afd7442c9f2212eb142876698851c3ffb552ee420c0281e35a836e.exe
1784	2ee6dfbfb2afd7442c9f2212eb142876698851c3ffb552ee420c0281e35a836e.exe
1784	2ee6dfbfb2afd7442c9f2212eb142876698851c3ffb552ee420c0281e35a836e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1784	2ee6dfbfb2afd7442c9f2212eb142876698851c3ffb552ee420c0281e35a836e.exe
1784	2ee6dfbfb2afd7442c9f2212eb142876698851c3ffb552ee420c0281e35a836e.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1784	2ee6dfbfb2afd7442c9f2212eb142876698851c3ffb552ee420c0281e35a836e.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1784	2ee6dfbfb2afd7442c9f2212eb142876698851c3ffb552ee420c0281e35a836e.exe

C:\Users\Admin\AppData\Local\Temp\2ee6dfbfb2afd7442c9f2212eb142876698851c3ffb552ee420c0281e35a836e.exe
"C:\Users\Admin\AppData\Local\Temp\2ee6dfbfb2afd7442c9f2212eb142876698851c3ffb552ee420c0281e35a836e.exe"
1⤵
- Enumerates connected drives
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\# DECRYPT FILES BLUESKY #.html

Filesize
1KB

MD5
badb38e227386b9299063992149bc3d6

SHA1
57e2caf49600a86be005ccde009caa134b41ae38

SHA256
3c703cd798aa7f8d7631cbf00bf0d7c095711b6694ed2940ec2a964c1edc3abd

SHA512
4a73fadafb1a0d137f9acc2bd2d4f9e72fbc2ee425b9e4ae0265a875f267a6e4ede7ebb7f5ece310579ebd3a61178afd3d4e9febb0d0bb620ba6ef33459aaeea

Download Submit
C:\Users\Admin\# DECRYPT FILES BLUESKY #.txt

Filesize
985B

MD5
6f49c973b07e0a2d3819a1e9edc6b24d

SHA1
9280deb31d26617783f0660521772aec2058e0a6

SHA256
b866c08a421f9d3200a189d57fd4220d3bb7ea6b660b6e114f92cc8cddc416eb

SHA512
8c63209dae5939ecc52dd8ab955e1f89b7f2466fa7d09b68cc05e5bea7d25deb9338a6b5f589efd9cf81ffaa0d2459d3f1971cf7540791bdfc25cee77f17c99b

Download Submit