164c37c9cc66c9abe43628e2682568e5dc48def96bc4b07bec1c4847c8def20b

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19/03/2024, 12:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d616498757ea6043385a70ae4706ebf6.exe
Size

38KB
MD5

d616498757ea6043385a70ae4706ebf6
SHA1

a9b9676b1945749a6a8c5932daa304a7152d4cff
SHA256

164c37c9cc66c9abe43628e2682568e5dc48def96bc4b07bec1c4847c8def20b
SHA512

6609763387bd09aec42854802d5c356d248589d1d9bd0116eda6be16cc5c992c814c70af67d6e26018ac0119736255b43ac61ee98f5e76499ae2380011cce13a
SSDEEP

768:iiQxqcQk/6njT96eWETcxU2po57Zqk8JMDDT/xmnHZ1:lQxqcQykkbETczk8efsv

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1136	JAVAXP.EXE

Loads dropped DLL 2 IoCs

pid	Process
1720	d616498757ea6043385a70ae4706ebf6.exe
1720	d616498757ea6043385a70ae4706ebf6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1704	DllHost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 1136	1720	d616498757ea6043385a70ae4706ebf6.exe	29
PID 1720 wrote to memory of 1136	1720	d616498757ea6043385a70ae4706ebf6.exe	29
PID 1720 wrote to memory of 1136	1720	d616498757ea6043385a70ae4706ebf6.exe	29
PID 1720 wrote to memory of 1136	1720	d616498757ea6043385a70ae4706ebf6.exe	29

C:\Users\Admin\AppData\Local\Temp\d616498757ea6043385a70ae4706ebf6.exe
"C:\Users\Admin\AppData\Local\Temp\d616498757ea6043385a70ae4706ebf6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Users\Admin\AppData\Local\Temp\JAVAXP.EXE
  "C:\Users\Admin\AppData\Local\Temp\JAVAXP.EXE"
  2⤵
  - Executes dropped EXE
  PID:1136

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GE796802.JPG

Filesize
13KB

MD5
b7ff15ae5e687ca81d76271c5c1493cb

SHA1
6886d1139962209d9a89d4c49271b23975a8192b

SHA256
19f73adf82ac52b6925b0b0a219492a07b2858f1866f46ef8f8d03a109f410d5

SHA512
7d141806cb5aa02ba40843e5805951c45fb3ccf6d7784596b9b7a3f5c3915b929e9e34998d245907d4657f7d28334de3ab9a9443737914cb941629fe93d2a90e

Download Submit
\Users\Admin\AppData\Local\Temp\JAVAXP.EXE

Filesize
10KB

MD5
84dbed709a2782f8b6948bc421d7d1ae

SHA1
5771bc4b5636c4e2d0023cc18fefa4860ea845c7

SHA256
694ae3bc1dae058618eb21320d94d0d141a9356c26204f320f14969674338bda

SHA512
7ae6a0d2b7c2f1f6aebb968791161d2fbc066ca61d1a8b880928bbd26a1cc2d128c2d67f08d9ec640bd2160bda8e1d663cb46b8de46a6438582c50cfd8e1c496

Download Submit
memory/1704-2-0x00000000001A0000-0x00000000001A2000-memory.dmp

Filesize
8KB

Download
memory/1704-5-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1704-16-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1720-1-0x00000000026B0000-0x00000000026B2000-memory.dmp

Filesize
8KB

Download
memory/1720-14-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download