Analysis

  • max time kernel
    28s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09-04-2024 21:50

General

  • Target

    26ba598d7c79e6a299bb2b602ab72ee1.exe

  • Size

    357KB

  • MD5

    26ba598d7c79e6a299bb2b602ab72ee1

  • SHA1

    5a1e1610e1938a437a8169abe42b9f856e4a3a5f

  • SHA256

    acda34030efcb06301ba2ab80e6b2114f887bafd2dc107d0a72373f5039a16ce

  • SHA512

    6be20ef9218e416b178424348dd18948918be712c2c65330be4c4322845793bc984461373f4962c2a42d1567e4cda8c977dcae2da2916880233ccd8b732a23aa

  • SSDEEP

    6144:wlj7cMnC+OEXJzIhO6fuw24+LhiW+cK3k7UcfPGdNK8eC6El8yihVBZR:wlbC+VL6SLh63/cXG3lgR

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 20 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\26ba598d7c79e6a299bb2b602ab72ee1.exe
    "C:\Users\Admin\AppData\Local\Temp\26ba598d7c79e6a299bb2b602ab72ee1.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:4880
    • C:\WINDOWS\MSWDM.EXE
      "C:\WINDOWS\MSWDM.EXE"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      PID:4760
    • C:\WINDOWS\MSWDM.EXE
      -r!C:\Windows\dev322C.tmp!C:\Users\Admin\AppData\Local\Temp\26ba598d7c79e6a299bb2b602ab72ee1.exe! !
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3688
      • C:\Users\Admin\AppData\Local\Temp\26BA598D7C79E6A299BB2B602AB72EE1.EXE
        3⤵
        • Executes dropped EXE
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:1212

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\WINDOWS\MSWDM.EXE

    Filesize

    80KB

    MD5

    dd68dc1f2acb8d56535514be222da2e9

    SHA1

    f8b48112bb5bff4d77e705ce05aa0f2dcb80c904

    SHA256

    38137371838a2b2704b823ed0fb8d6bb1d9cca9fc7da334535942ab1d489eb09

    SHA512

    2ebe2ea143735b014f5fced08a95a3e64a6c54a293a818a0d39555a31ea8d940b28ce9a6937f3d4d6cd449b849d5a1e8a645603c2571260bd6996bdb050bcb8a

  • C:\Windows\dev322C.tmp

    Filesize

    277KB

    MD5

    65a9495a436f5402bc1c467e1b926c27

    SHA1

    587f7e2ed04dca2f4dbe84d90afd0c223f52b1cd

    SHA256

    f697d5b221ddfd2ffbecaf8cca252701ab976cf8cbb74ce0238ef336093327a8

    SHA512

    bbdfe27445e7ec6eb4799c8b0229a81a660439a0c97fab092fbf26b2ec03f94844eb05f38c2df8ce455dd02df7c7e76db4970b8b3a5235387c3ae99327b7029f

  • memory/3688-11-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/4760-9-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/4760-15-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/4880-0-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/4880-8-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB