0c4607e6f1cc4bc8222962319c616f2f9a494805874e8fe7a89f2bbaced11f25 | Triage

Resubmissions

02/04/2024, 23:45

240402-3r1g1shc2y 6

02/06/2023, 16:30

230602-tz5x2acd56 6

Analysis

max time kernel
122s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
02/04/2024, 23:45

Sharing

Report Analysis Logs

General

Target

net.exe
Size

925KB
MD5

eff776dee6b37897f2b727bc9f029470
SHA1

6a17cf16a872e9ed38b88851110e8d87325b0da7
SHA256

0c4607e6f1cc4bc8222962319c616f2f9a494805874e8fe7a89f2bbaced11f25
SHA512

c54ca9d11ddc8948e363a41736e951bbb06ab8632b619077b84244b1c84c5ded144a8eca559ccfcb0364df052b82d8550d5932b9311db93f70548f3429d0d9bb
SSDEEP

24576:NVYE9lqHmnWc9yOAwzO6/IWnbGaT3egp4RGqwfnP:YE9c8y1wbIsz3Bp4RGqwfnP

Score

6^/10

Malware Config

Signatures

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	api.ipify.org
4	api.ipify.org

Runs net.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 2864	1960	net.exe	32
PID 1960 wrote to memory of 2864	1960	net.exe	32
PID 1960 wrote to memory of 2864	1960	net.exe	32
PID 1960 wrote to memory of 2864	1960	net.exe	32

C:\Users\Admin\AppData\Local\Temp\net.exe
"C:\Users\Admin\AppData\Local\Temp\net.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c pause
  2⤵
  PID:2864

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KeyForFiles\Key.secret

Filesize
3KB

MD5
0f9f0e01dda305f76cd3555922410df7

SHA1
9503202bc04ebc65dbbb951c0b6364150b898b30

SHA256
f86e01c80bcd9ea02bb0eeb08593b705cfc6b8e82d0611f52c89d72bdaf51cb3

SHA512
3882edbfa1d49da8a6d7e1dadfe59a57906cb04b51795c338f191cb676cda21fe3f03f094617a5c2914c9345017613500eef39709dfc31ddf43a114e3eee96f0

Download Submit