323a5dcb85584db08239b6005233aa0dc45120297976bce11c9c3d3369b41805

Analysis

max time kernel
145s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19/03/2024, 11:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d607a936aadee27e925b98c7aa3761df.exe
Size

15KB
MD5

d607a936aadee27e925b98c7aa3761df
SHA1

a0dc8e928e654e381a06682a9a8e5815e91eb3b4
SHA256

323a5dcb85584db08239b6005233aa0dc45120297976bce11c9c3d3369b41805
SHA512

7d54a068f8403435b601610112d8eb6c7516e6f4bc2f5962cd8c9a57b76ce0fb17f46817392d20b604b6aec13ecd37f7efc9da2e24c523192c1cfcb81aab03c9
SSDEEP

384:oHpTYD2/+MxOTrLapEwfOhbmSCAQdAIl9Gx8aJZLB6:cTX/+Mx2ipXBSCPdfrMtr

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3028	archive.exe

Loads dropped DLL 2 IoCs

pid	Process
2924	d607a936aadee27e925b98c7aa3761df.exe
2924	d607a936aadee27e925b98c7aa3761df.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Archive = "C:\\Program Files (x86)\\Archive\\archive.exe"	archive.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Archive\archive.exe	d607a936aadee27e925b98c7aa3761df.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 3028	2924	d607a936aadee27e925b98c7aa3761df.exe	28
PID 2924 wrote to memory of 3028	2924	d607a936aadee27e925b98c7aa3761df.exe	28
PID 2924 wrote to memory of 3028	2924	d607a936aadee27e925b98c7aa3761df.exe	28
PID 2924 wrote to memory of 3028	2924	d607a936aadee27e925b98c7aa3761df.exe	28

C:\Users\Admin\AppData\Local\Temp\d607a936aadee27e925b98c7aa3761df.exe
"C:\Users\Admin\AppData\Local\Temp\d607a936aadee27e925b98c7aa3761df.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Program Files (x86)\Archive\archive.exe
  "C:\Program Files (x86)\Archive\archive.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files (x86)\Archive\archive.exe

Filesize
15KB

MD5
d607a936aadee27e925b98c7aa3761df

SHA1
a0dc8e928e654e381a06682a9a8e5815e91eb3b4

SHA256
323a5dcb85584db08239b6005233aa0dc45120297976bce11c9c3d3369b41805

SHA512
7d54a068f8403435b601610112d8eb6c7516e6f4bc2f5962cd8c9a57b76ce0fb17f46817392d20b604b6aec13ecd37f7efc9da2e24c523192c1cfcb81aab03c9

Download Submit
memory/2924-8-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3028-10-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads