bbc0e7d33dbc3c8be9e51db9436cdaa977ce81f2b253a310e0449a7e2278e26c

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
26-03-2024 10:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dee990ddd77157f47682f6e236a283c7.exe
Size

30.7MB
MD5

dee990ddd77157f47682f6e236a283c7
SHA1

27503f225422e3303bcf6fb974a6aa4f1c76be81
SHA256

bbc0e7d33dbc3c8be9e51db9436cdaa977ce81f2b253a310e0449a7e2278e26c
SHA512

3f0250d8f590ed2c106f6e35473dec41362c5e7c37d0fe3cea29304fe4fd763b0239f777444b37898f34ae64641886c251bb905e34703fc1f1e732155e23c885
SSDEEP

786432:5SXp/vP8sp7Hzrbls4uSSFzAy5yVBWieyh:EXp/nXbEFd5AVRh

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4832	HideAndSecretSetup13532.exe
212	is-TB1R2.tmp

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\ReflexiveArcade\Channels\20749\Channel.dat	dee990ddd77157f47682f6e236a283c7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 4832	2992	dee990ddd77157f47682f6e236a283c7.exe	96
PID 2992 wrote to memory of 4832	2992	dee990ddd77157f47682f6e236a283c7.exe	96
PID 2992 wrote to memory of 4832	2992	dee990ddd77157f47682f6e236a283c7.exe	96
PID 4832 wrote to memory of 212	4832	HideAndSecretSetup13532.exe	98
PID 4832 wrote to memory of 212	4832	HideAndSecretSetup13532.exe	98
PID 4832 wrote to memory of 212	4832	HideAndSecretSetup13532.exe	98

C:\Users\Admin\AppData\Local\Temp\dee990ddd77157f47682f6e236a283c7.exe
"C:\Users\Admin\AppData\Local\Temp\dee990ddd77157f47682f6e236a283c7.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Users\Admin\AppData\Local\Temp\HideAndSecretSetup13532.exe
  "C:\Users\Admin\AppData\Local\Temp\HideAndSecretSetup13532.exe" ""
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4832
- - C:\Users\Admin\AppData\Local\Temp\is-S9KR2.tmp\is-TB1R2.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-S9KR2.tmp\is-TB1R2.tmp" /SL4 $F0028 "C:\Users\Admin\AppData\Local\Temp\HideAndSecretSetup13532.exe" 31735501 52224 ""
    3⤵
    - Executes dropped EXE
    PID:212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HideAndSecretSetup13532.exe

Filesize
5.0MB

MD5
aa9be1526ade102495cb90ca9bf27992

SHA1
4cdbd5bc82a934be168341fde6b23cf0eb69e29f

SHA256
2223cd7e1f938ebe82efc2139c188a1262868f5dd10c257cc3eef0484fb187a0

SHA512
dfcc48b9d5581fb272ce20cfd9e124d206c41c4ba29244069d265fba6f5b5e72028acac63ea675239fa5a3ddaf93aa95de3ca5576fff66600d332b33e3c0c781

Download Submit
C:\Users\Admin\AppData\Local\Temp\HideAndSecretSetup13532.exe

Filesize
5.7MB

MD5
b36885cf5f2b3027c40cd0dc94e0fbb5

SHA1
0dc8ebe130d2c0fc597652b7369e9b3ad5980645

SHA256
e3b767e7e071e1e6a8b307e253f3b5ac5bef9343c87a3fb35a97b55b2974f14c

SHA512
0cafd05dd82dffb89e6790ae89ed78a3fab068022973b9d772c44eb2e2950600d5335184ebd75f45296f4a543804e8cfad515db3f44956861237e2cce20716ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-S9KR2.tmp\is-TB1R2.tmp

Filesize
652KB

MD5
581bb44526a65c02b388e1b8a83fe86c

SHA1
dc387f115977b5fb94d9c9084f33a1c231b50acb

SHA256
385a9bb48f5180984867f3bff1d327250d22ab4399137b343be291c370ee3699

SHA512
aab4cb6dd5ad4ebfded18748c5cd1a4361c154459f36a4cb49e32855b6866f92d3f065cd9cafa16e621a4216bb176f1554a8bbea7fd458b317eb1ff4c3c2bea1

Download Submit
memory/212-11-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/212-18-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/212-21-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/4832-4-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4832-6-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4832-17-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download