b33f409b98c2d3ca57d7cb5acb00cd641b4181329ea2eb0d8a986bab63d052e1

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16/04/2024, 02:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

$_3_.exe
Size

1.7MB
MD5

d4c16982f8a834bc0f8028b45c3ae543
SHA1

9d9cec9af8f23a23521e20d48d9af1024663a4a7
SHA256

932badf8ce27381bd595c9d861d7f7142fe98f233a893a2003a5f5e5ec163b3b
SHA512

c94b8d978afac107c08a5405cf9510e48d4bcf1284292eee1d08898f1c7a43a83a9655dc4d85d27d3b825e45a8f136c7beb71405fab94bb5e2437b7c4ad44b5c
SSDEEP

49152:n7mrmYPoEHVGTWFkO4ITVpSuEqM/vrM3rA3SuN5:km2Z12WFYFVf

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3004	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2820	$_3_.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2820	$_3_.exe
2820	$_3_.exe
2820	$_3_.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2820 wrote to memory of 844	2820	$_3_.exe	30
PID 2820 wrote to memory of 844	2820	$_3_.exe	30
PID 2820 wrote to memory of 844	2820	$_3_.exe	30
PID 2820 wrote to memory of 844	2820	$_3_.exe	30
PID 844 wrote to memory of 3004	844	cmd.exe	32
PID 844 wrote to memory of 3004	844	cmd.exe	32
PID 844 wrote to memory of 3004	844	cmd.exe	32
PID 844 wrote to memory of 3004	844	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\$_3_.exe
"C:\Users\Admin\AppData\Local\Temp\$_3_.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\3834.bat" "C:\Users\Admin\AppData\Local\Temp\D947E74BBAA243099365FE574715C5A6\""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:844
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - Runs ping.exe
    PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-778096762-2241304387-192235952-1000\$ICDL377

Filesize
544B

MD5
6cc5edf0d9fbabf0af73cc9f92536336

SHA1
ace68d76e8ff508048130d8f8d91f1988cc6f161

SHA256
7b0a718ff49c52dfc8f7a24ca85156de2cae48c174942c48ed93cd19f2c6198e

SHA512
1fb10d5955c8fb972ec68c9d9d49abda97c4408fd12330f2df9146ec4ddc665037e5cfd6567045dcd6be5bafc9a03f7ba6b3ede5a03f454ccd277b4fb8bf4dc0

Download Submit
C:\$Recycle.Bin\S-1-5-21-778096762-2241304387-192235952-1000\$IN0D2ZW

Filesize
544B

MD5
575750592d8dc46839c8e05d6b7aec44

SHA1
0806cd82edb77babb327f1d4d609ce6737a89d4d

SHA256
3918ca2708677fb64d292e61e9e1e4773aee4721e76f31113a225de9237d9f16

SHA512
788a76d2d9a6aca57675d4abf9af9bedf333ae3c5cea372a54ca11e682176a208155ea83f00621dce7a1a997d056f0f41cfdb083f83a3ec5360223ac4e6b4d2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3834.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\D947E74BBAA243099365FE574715C5A6\D947E74BBAA243099365FE574715C5A6_LogFile.txt

Filesize
4KB

MD5
c1004fca3225d463f15ea296dc7ed5f9

SHA1
06caec6ca197e3f7a8a37d24bb1b60f1699ec16e

SHA256
3ffab47fca08727e8afaa9b7092c7eace077eb50c6e178734001cf9ea8f725e7

SHA512
d6529bcf6b22c6e0f0a88441827ab6c02f0449e6863494fff96f74bd4f56010720ec38008d14027a7b075e9789b6d9784fd5072a6869821da379e2c8599c21b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\D947E74BBAA243099365FE574715C5A6\D947E74BBAA243099365FE574715C5A6_LogFile.txt

Filesize
2KB

MD5
beb3a378767e5f1979c560d4b688806f

SHA1
c3f75369115524f632b6e2fb0d7fbf4b97545321

SHA256
40c7436772d1ea2f35777d3384ac1353119e4d171dc249c916d5e8c26f48ad36

SHA512
fc646cf7e40f37a3997b0c2a9516b678afb4685abedcb644e2552cbdcf46129da7193a74cfb7c56bc022905539ac03b3d7e2e75c9ec9c514430650fea25b8505

Download Submit
C:\Users\Admin\AppData\Local\Temp\D947E74BBAA243099365FE574715C5A6\D947E7~1.TXT

Filesize
26KB

MD5
e001ebb99c2752ab0de67abe67e2059d

SHA1
5a73650336ba238b37fac2c9f86a65df47ebed11

SHA256
181d41aac343105af69de8820808fc4f6b147449eb247cbaf0f4e78bdac013fe

SHA512
fe05559cd7bbc3d288797f67b8cbb6d6d633d3f500751e20bbaa78bf64e9fbf78d71c670253cb7146f0801ba9ec4ec2b38698b48f836415626bdea1e3d7fb82e

Download Submit
memory/2820-67-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/2820-179-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download