17c22edab268d6fabdf78f6632adbedfb4dfa9056a3aa5d2c9a4dde1bc31e779

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
15/03/2024, 23:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cc8003135c63d5c3409815a07feca2b9.exe
Size

20KB
MD5

cc8003135c63d5c3409815a07feca2b9
SHA1

3995a78b6663a69ab22504fd900b18f314993107
SHA256

17c22edab268d6fabdf78f6632adbedfb4dfa9056a3aa5d2c9a4dde1bc31e779
SHA512

8edfdc2867803017570db88dfe2b564bfe23ac4d89893a38c652a375676ab5126e85856dfcf87a5ce57b46d0c8b413acc58db76880ae3e1c264ca19f91342133
SSDEEP

192:N8V86Esiq71WpX4WmebVXqdnIn05gD9C5hqBlw/xyUSmC6468eOtFlH+lzmhIONc:OG4TebV6dbuoh1kX681FN68q+6

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1324	quip.exe

Loads dropped DLL 2 IoCs

pid	Process
1148	cc8003135c63d5c3409815a07feca2b9.exe
1148	cc8003135c63d5c3409815a07feca2b9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1148 wrote to memory of 1324	1148	cc8003135c63d5c3409815a07feca2b9.exe	28
PID 1148 wrote to memory of 1324	1148	cc8003135c63d5c3409815a07feca2b9.exe	28
PID 1148 wrote to memory of 1324	1148	cc8003135c63d5c3409815a07feca2b9.exe	28
PID 1148 wrote to memory of 1324	1148	cc8003135c63d5c3409815a07feca2b9.exe	28

C:\Users\Admin\AppData\Local\Temp\cc8003135c63d5c3409815a07feca2b9.exe
"C:\Users\Admin\AppData\Local\Temp\cc8003135c63d5c3409815a07feca2b9.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1148
- C:\Users\Admin\AppData\Local\Temp\quip.exe
  "C:\Users\Admin\AppData\Local\Temp\quip.exe"
  2⤵
  - Executes dropped EXE
  PID:1324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2092.tmp

Filesize
158KB

MD5
0343677a91631c6fddf3d867ba83de7c

SHA1
102db385f6f22b264f6bb727ca5a40a78168ca86

SHA256
acb185d2dea4198accf3ce8479ec295cb14523724ae55defce60886dd19abd83

SHA512
d6a59acbf4567347644a1aeaaeaad450ac6786bb864bbfae20fbbbdc927c3d6d5cf325b54a4962a4816c3596f174f64e070f19d27579d4dfdbbdad4153b8c0f5

Download Submit
\Users\Admin\AppData\Local\Temp\quip.exe

Filesize
20KB

MD5
8edf6d01bb322cf0360be31e3afc8bf2

SHA1
c9cfed0747d6bc32c8715905eff901f8dffe8168

SHA256
71cfcd2069a0ab18dc0674a99754c374f87bc092bbef3572f144df97db9fcd6c

SHA512
e378b0493e14070bcdcd33fbc1d0e23ff9e6082e8e560288a80dcd61354c66e29d31e8730901a5bef89659d8bd15c75ce6c80ab1d0e19159e8e602bd36ff67d0

Download Submit
memory/1148-0-0x0000000000DB0000-0x0000000000DB7000-memory.dmp

Filesize
28KB

Download
memory/1148-10-0x0000000000DB0000-0x0000000000DB7000-memory.dmp

Filesize
28KB

Download
memory/1148-5-0x0000000000490000-0x0000000000497000-memory.dmp

Filesize
28KB

Download
memory/1324-13-0x00000000000E0000-0x00000000000E7000-memory.dmp

Filesize
28KB

Download