1120bc579e0379a568b5aeda99add986150e58ff8abb514dc1484b1f4c335e19

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19-03-2024 17:45

Target

1120bc579e0379a568b5aeda99add986150e58ff8abb514dc1484b1f4c335e19.exe
Size

282KB
MD5

a5c13fe220b2cfd599a8da9e36a64acb
SHA1

5a2fd78e94bdff297f30fa4a8981a3441163f51c
SHA256

1120bc579e0379a568b5aeda99add986150e58ff8abb514dc1484b1f4c335e19
SHA512

42f51f22b8b185e1a60ca406f0fd1c7481aa7e53da6ba4d460fe908bc4ab01bace4f85a4f53a2103fbe3622c096d74b86c0bd401a30224a980ce1d559139c6fc
SSDEEP

6144:lwJYAKyUpbrLdn/lHYz6sSWkEjiPISUOgW9X+hOGzC/:lw/KlpvllHYzkmZzcukG2/

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
3056	IRVJTZT.exe

Loads dropped DLL 2 IoCs

pid	Process
2772	cmd.exe
2772	cmd.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\windows\SysWOW64\IRVJTZT.exe	1120bc579e0379a568b5aeda99add986150e58ff8abb514dc1484b1f4c335e19.exe
File opened for modification	C:\windows\SysWOW64\IRVJTZT.exe	1120bc579e0379a568b5aeda99add986150e58ff8abb514dc1484b1f4c335e19.exe
File created	C:\windows\SysWOW64\IRVJTZT.exe.bat	1120bc579e0379a568b5aeda99add986150e58ff8abb514dc1484b1f4c335e19.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2684	1120bc579e0379a568b5aeda99add986150e58ff8abb514dc1484b1f4c335e19.exe
3056	IRVJTZT.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2684	1120bc579e0379a568b5aeda99add986150e58ff8abb514dc1484b1f4c335e19.exe
2684	1120bc579e0379a568b5aeda99add986150e58ff8abb514dc1484b1f4c335e19.exe
3056	IRVJTZT.exe
3056	IRVJTZT.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2684 wrote to memory of 2772	2684	1120bc579e0379a568b5aeda99add986150e58ff8abb514dc1484b1f4c335e19.exe	28
PID 2684 wrote to memory of 2772	2684	1120bc579e0379a568b5aeda99add986150e58ff8abb514dc1484b1f4c335e19.exe	28
PID 2684 wrote to memory of 2772	2684	1120bc579e0379a568b5aeda99add986150e58ff8abb514dc1484b1f4c335e19.exe	28
PID 2684 wrote to memory of 2772	2684	1120bc579e0379a568b5aeda99add986150e58ff8abb514dc1484b1f4c335e19.exe	28
PID 2772 wrote to memory of 3056	2772	cmd.exe	30
PID 2772 wrote to memory of 3056	2772	cmd.exe	30
PID 2772 wrote to memory of 3056	2772	cmd.exe	30
PID 2772 wrote to memory of 3056	2772	cmd.exe	30

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Windows\SysWOW64\IRVJTZT.exe.bat

Filesize
78B

MD5
d8731055a0d77e2776405c9c3ac6d3e3

SHA1
0f7272971c59b3010f9f7354cce1122502a339b6

SHA256
e49b6b8f79c6149436d59ddb3710f1b87aa0463b263997137ada0c1892afd07d

SHA512
6d7dfd092c7975b67855b2f57ff0e49678e3c96cde4dedbce1aa4d663007cb647b9cd3f9bd637ecffcc78083f4378676c49f1f6baa17891a0ea21fb8ca91639b

Download Submit
\Windows\SysWOW64\IRVJTZT.exe

Filesize
282KB

MD5
1b70ad8be793ac0989517afb13de09d9

SHA1
96253221f2d21ded4aca51582cbd36df18f95af0

SHA256
cf51926dab9c042716056fc291676e51d93795047b9cca9fd2bf1922d2efab5b

SHA512
195e06f335dfa195b65b061207a5f8827746da6f6a3fa2efe57f3664b566f91edbda91f8f1eff8a112fa3a0ae436dd1686d9735e4d29efc401ba5f192c19767b

Download Submit
memory/2684-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2684-13-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2772-18-0x0000000000300000-0x0000000000339000-memory.dmp

Filesize
228KB

Download
memory/2772-19-0x0000000000300000-0x0000000000339000-memory.dmp

Filesize
228KB

Download
memory/3056-20-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3056-21-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download