eed7016ab67bc884ac7015f7e39353aea74d4fc66c97f4cb81fef688f407ef89

Analysis

max time kernel
127s
max time network
130s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16/03/2024, 08:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cd8bb3ec79c567ba99d526f2c48b8a1a.exe
Size

20KB
MD5

cd8bb3ec79c567ba99d526f2c48b8a1a
SHA1

6c4ccaa9b52142282c4bcca471218930d8cd375a
SHA256

eed7016ab67bc884ac7015f7e39353aea74d4fc66c97f4cb81fef688f407ef89
SHA512

a0ea7e4a1675d42e64cbb8616fd53e1fc77a10e9d094bdd9b4e6a24e24f3344db2523b3136ec6c4ce43c5687ad373c14553bff27a98792502dfe8d3d9337e94b
SSDEEP

384:nWn9PMRxJYeDWj66R04oNCCrsEajK3tQV/w7ct8EItKIe+ulnfWjvOeo:nEWJYeDY66qk/ItQ27ctot5ebln

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
528	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\multimediaControls.chl\CLSID	cd8bb3ec79c567ba99d526f2c48b8a1a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\multimediaControls.chl	cd8bb3ec79c567ba99d526f2c48b8a1a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\multimediaControls.chl\CLSID\ = "{6BF52A52-394A-11D3-B153-00C04F79FAA6}"	cd8bb3ec79c567ba99d526f2c48b8a1a.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1692 wrote to memory of 2840	1692	cd8bb3ec79c567ba99d526f2c48b8a1a.exe	28
PID 1692 wrote to memory of 2840	1692	cd8bb3ec79c567ba99d526f2c48b8a1a.exe	28
PID 1692 wrote to memory of 2840	1692	cd8bb3ec79c567ba99d526f2c48b8a1a.exe	28
PID 1692 wrote to memory of 2840	1692	cd8bb3ec79c567ba99d526f2c48b8a1a.exe	28
PID 1692 wrote to memory of 528	1692	cd8bb3ec79c567ba99d526f2c48b8a1a.exe	32
PID 1692 wrote to memory of 528	1692	cd8bb3ec79c567ba99d526f2c48b8a1a.exe	32
PID 1692 wrote to memory of 528	1692	cd8bb3ec79c567ba99d526f2c48b8a1a.exe	32
PID 1692 wrote to memory of 528	1692	cd8bb3ec79c567ba99d526f2c48b8a1a.exe	32

C:\Users\Admin\AppData\Local\Temp\cd8bb3ec79c567ba99d526f2c48b8a1a.exe
"C:\Users\Admin\AppData\Local\Temp\cd8bb3ec79c567ba99d526f2c48b8a1a.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Windows\SysWOW64\ctfmon.exe
  ctfmon.exe
  2⤵
  PID:2840
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\awer0.bat" "
  2⤵
  - Deletes itself
  PID:528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\awer0.bat

Filesize
274B

MD5
af383d8e9fbe189f9c81b66be52b89f3

SHA1
764728a495ebda06451878621495fb3359fbb4f9

SHA256
3032986b6dd0c1cbbbbc70f9df2eefba4042ab61fe579d29f4f26d12a61a9fa8

SHA512
3c8f333362e3092f311cbd0fb77d2e241b549c1eaf8f8edc1136a12625dbb07f981e40db0a74bb319b2176e76310ddd2b1bb261b7e4b203f64b23b7194137caf

Download Submit