898b12dc2998809ab3bad04a9044288d5abcaf595e944478ad62bb3dd0704649

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15/03/2024, 10:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cb2614aaa4ed8d253c07bfedddf90fb4.exe
Size

5KB
MD5

cb2614aaa4ed8d253c07bfedddf90fb4
SHA1

5c1d6a8bc5bcd63f14264245619898193d6300b2
SHA256

898b12dc2998809ab3bad04a9044288d5abcaf595e944478ad62bb3dd0704649
SHA512

e609636fc90d998ae25509ce2d276f6e5102b1d2abcc3e6864a9f58b9341ef9c96b77fb04ba372b0c6eed8f79aaf9d68934ae18cbd21c8925410fdd76842183f
SSDEEP

96:afSW5SFFdVYnkpnpqpSQotQuPZvuxzTTjCoYTAiX2iU0Vxx1p/65ExCqHS8sOIYF:afSW8/ppnxvEjCoYMimiU0Vxx/O+rBG6

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1908	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
1908	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
2208	cb2614aaa4ed8d253c07bfedddf90fb4.exe
2208	cb2614aaa4ed8d253c07bfedddf90fb4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 1908	2208	cb2614aaa4ed8d253c07bfedddf90fb4.exe	28
PID 2208 wrote to memory of 1908	2208	cb2614aaa4ed8d253c07bfedddf90fb4.exe	28
PID 2208 wrote to memory of 1908	2208	cb2614aaa4ed8d253c07bfedddf90fb4.exe	28
PID 2208 wrote to memory of 1908	2208	cb2614aaa4ed8d253c07bfedddf90fb4.exe	28

C:\Users\Admin\AppData\Local\Temp\cb2614aaa4ed8d253c07bfedddf90fb4.exe
"C:\Users\Admin\AppData\Local\Temp\cb2614aaa4ed8d253c07bfedddf90fb4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\svchost.exe" C:\Users\Admin\AppData\Local\Temp\cb2614aaa4ed8d253c07bfedddf90fb4.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:1908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
5KB

MD5
cb2614aaa4ed8d253c07bfedddf90fb4

SHA1
5c1d6a8bc5bcd63f14264245619898193d6300b2

SHA256
898b12dc2998809ab3bad04a9044288d5abcaf595e944478ad62bb3dd0704649

SHA512
e609636fc90d998ae25509ce2d276f6e5102b1d2abcc3e6864a9f58b9341ef9c96b77fb04ba372b0c6eed8f79aaf9d68934ae18cbd21c8925410fdd76842183f

Download Submit
memory/1908-10-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2208-8-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download