d9262966df4b28d8ae9c39de4ac7ee5c5106bf7956aa45c60f27e817cee3819d

Analysis

max time kernel
120s
max time network
133s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27/03/2024, 01:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d9262966df4b28d8ae9c39de4ac7ee5c5106bf7956aa45c60f27e817cee3819d.exe
Size

232KB
MD5

601282dc4e45fa953a87fe49d6930059
SHA1

54ca96e2da0f04a1865fd122bd7d7d2213ebb149
SHA256

d9262966df4b28d8ae9c39de4ac7ee5c5106bf7956aa45c60f27e817cee3819d
SHA512

3114203c32784cfbae140dc81b1815f16333b732bbaa0aadd7616be28ef11f1ab0d58ee982a59462224be998c01febd94d4bba61c8a6f8bb645deaf873a143ea
SSDEEP

6144:yYASJKenie2xT2NU2OTFQb8Fb0IQUfFmn:yk5nilTFQbI0v+o

Score

9^/10

Malware Config

Signatures

Detects executables packed with aPLib. 2 IoCs

resource	yara_rule
behavioral1/memory/2952-0-0x0000000000A60000-0x0000000000A8F000-memory.dmp	INDICATOR_EXE_Packed_aPLib
behavioral1/memory/2952-17-0x0000000000A60000-0x0000000000A8F000-memory.dmp	INDICATOR_EXE_Packed_aPLib

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2952 set thread context of 2624	2952	d9262966df4b28d8ae9c39de4ac7ee5c5106bf7956aa45c60f27e817cee3819d.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2952 wrote to memory of 2624	2952	d9262966df4b28d8ae9c39de4ac7ee5c5106bf7956aa45c60f27e817cee3819d.exe	28
PID 2952 wrote to memory of 2624	2952	d9262966df4b28d8ae9c39de4ac7ee5c5106bf7956aa45c60f27e817cee3819d.exe	28
PID 2952 wrote to memory of 2624	2952	d9262966df4b28d8ae9c39de4ac7ee5c5106bf7956aa45c60f27e817cee3819d.exe	28
PID 2952 wrote to memory of 2624	2952	d9262966df4b28d8ae9c39de4ac7ee5c5106bf7956aa45c60f27e817cee3819d.exe	28
PID 2952 wrote to memory of 2624	2952	d9262966df4b28d8ae9c39de4ac7ee5c5106bf7956aa45c60f27e817cee3819d.exe	28
PID 2952 wrote to memory of 2568	2952	d9262966df4b28d8ae9c39de4ac7ee5c5106bf7956aa45c60f27e817cee3819d.exe	29
PID 2952 wrote to memory of 2568	2952	d9262966df4b28d8ae9c39de4ac7ee5c5106bf7956aa45c60f27e817cee3819d.exe	29
PID 2952 wrote to memory of 2568	2952	d9262966df4b28d8ae9c39de4ac7ee5c5106bf7956aa45c60f27e817cee3819d.exe	29
PID 2952 wrote to memory of 2568	2952	d9262966df4b28d8ae9c39de4ac7ee5c5106bf7956aa45c60f27e817cee3819d.exe	29

C:\Users\Admin\AppData\Local\Temp\d9262966df4b28d8ae9c39de4ac7ee5c5106bf7956aa45c60f27e817cee3819d.exe
"C:\Users\Admin\AppData\Local\Temp\d9262966df4b28d8ae9c39de4ac7ee5c5106bf7956aa45c60f27e817cee3819d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Windows\SysWOW64\svchost.exe
  C:\ProgramData\b84jj2bb66.exe
  2⤵
  PID:2624
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\yiw8A3.tmp.bat" "C:\Users\Admin\AppData\Local\Temp\d9262966df4b28d8ae9c39de4ac7ee5c5106bf7956aa45c60f27e817cee3819d.exe""
  2⤵
  PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\yiw8A3.tmp.bat

Filesize
28B

MD5
2a0ed2ad42bd0143f791b0a12c8da27c

SHA1
564e3c716a23b840524a2a94f5e4cc42378772d2

SHA256
00c502be22683a2cf35304f0644999dc89cb1dcde74d3712d6149be6b143e05c

SHA512
958f411cb256e87ede373d28bee7b711b8a31bc30c24ba9eb0642a818ce8ffeef9b83cad444c881e30c6e84129c00138f71636d2936ae0d29e77b93f153aeb74

Download Submit
memory/2624-2-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2624-3-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2952-0-0x0000000000A60000-0x0000000000A8F000-memory.dmp

Filesize
188KB

Download
memory/2952-17-0x0000000000A60000-0x0000000000A8F000-memory.dmp

Filesize
188KB

Download