945830220e26b7d6c036ab040642f3f06031f5ec67e228ac6d405d031e92e262

Analysis

max time kernel
141s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
27-03-2024 20:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e2427555fce119fb4dc42eca0e555280.exe
Size

3.6MB
MD5

e2427555fce119fb4dc42eca0e555280
SHA1

96e261c7a9a365b986cd0640568626aa03822f6e
SHA256

945830220e26b7d6c036ab040642f3f06031f5ec67e228ac6d405d031e92e262
SHA512

e619d02b9e83e4f557db34f1d26174bfe836a6b2dc4cc362b7a922f60f9eccb2a9101f9fe9c1c263474a4e5997a31b8bd39c0e67e789a2b6c2691241845cde43
SSDEEP

98304:4TQvh7n/AxjrqGK7nYAmKUIMADGpnzOGKzt/Hni:d7n/AYYiU5ADG9Cd/Hni

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1852	e2427555fce119fb4dc42eca0e555280.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 1852	2844	e2427555fce119fb4dc42eca0e555280.exe	86
PID 2844 wrote to memory of 1852	2844	e2427555fce119fb4dc42eca0e555280.exe	86
PID 2844 wrote to memory of 1852	2844	e2427555fce119fb4dc42eca0e555280.exe	86

C:\Users\Admin\AppData\Local\Temp\e2427555fce119fb4dc42eca0e555280.exe
"C:\Users\Admin\AppData\Local\Temp\e2427555fce119fb4dc42eca0e555280.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Users\Admin\AppData\Local\Temp\is-SA8V7.tmp\e2427555fce119fb4dc42eca0e555280.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-SA8V7.tmp\e2427555fce119fb4dc42eca0e555280.tmp" /SL5="$50232,3567194,53248,C:\Users\Admin\AppData\Local\Temp\e2427555fce119fb4dc42eca0e555280.exe"
  2⤵
  - Executes dropped EXE
  PID:1852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-SA8V7.tmp\e2427555fce119fb4dc42eca0e555280.tmp

Filesize
671KB

MD5
acec08a952e0b9a24afe1f95bb335e11

SHA1
edd75d5928d96c0eddae2fc88bc52787357acc46

SHA256
52976fc5d14c217b0b50f4c95e81cd82494430035d15bbcd586303f6b5f63b44

SHA512
93b3a2964857e0cb3ef4425a33279b16f7a914d1ce585406141f81680ce9a469f41c4199cfc3acaf0246a4d978dcbf22bfa68978217054c9b04b93b8280716a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SA8V7.tmp\e2427555fce119fb4dc42eca0e555280.tmp

Filesize
149KB

MD5
008091744f812fdae74b9b5bc79a8154

SHA1
7f4ac83b140bc415b39b6f9a8d4c9feeca9b4305

SHA256
5c14453e6c9448fe82bb731385c191d28c6d2286f1e1896ea99642e268147a6b

SHA512
ddec06e046a48fd156b2622bf770397831670c379cb4c407517f9742f9f0e33bf79c366e68034b7589eb714f400018a4b79a4258df27f4f8f1c21d7e43d07e6c

Download Submit
memory/1852-8-0x0000000002330000-0x0000000002331000-memory.dmp

Filesize
4KB

Download
memory/1852-14-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1852-17-0x0000000002330000-0x0000000002331000-memory.dmp

Filesize
4KB

Download
memory/2844-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2844-2-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2844-13-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download