e23b97f16bb102bae16f14c7d3a4d42124386c2a9052e4464ec5c10bd7697a35

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
20/04/2024, 01:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22eedb7d3fabf9d2719f4baf7c6ec7a077b0d8c43f46cc2be02a4a30baa30726.exe
Size

9.2MB
MD5

56543167a8b1731dafeee93e5f2bf479
SHA1

de6722a7ac2976d3ae3780057beb18e461a035b1
SHA256

22eedb7d3fabf9d2719f4baf7c6ec7a077b0d8c43f46cc2be02a4a30baa30726
SHA512

a0502df2e7c4fc5c4aa0741634b6729e947f367b5eb937e357a52102f52dd88f2706dc7a1c38d8825e168f1ed6097ba4f8c9c7cefee2276c98e948fa61d1e3ab
SSDEEP

196608:LyMd0UMpIFNGxcUN2QnKz7BvFGMIpeHDcoBMtzwDoJp+x:ZdxmqccUlKz71NIp+j4zOoax

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3052	amady.exe

Loads dropped DLL 2 IoCs

pid	Process
2748	22eedb7d3fabf9d2719f4baf7c6ec7a077b0d8c43f46cc2be02a4a30baa30726.exe
3052	amady.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 3052	2748	22eedb7d3fabf9d2719f4baf7c6ec7a077b0d8c43f46cc2be02a4a30baa30726.exe	29
PID 2748 wrote to memory of 3052	2748	22eedb7d3fabf9d2719f4baf7c6ec7a077b0d8c43f46cc2be02a4a30baa30726.exe	29
PID 2748 wrote to memory of 3052	2748	22eedb7d3fabf9d2719f4baf7c6ec7a077b0d8c43f46cc2be02a4a30baa30726.exe	29

C:\Users\Admin\AppData\Local\Temp\22eedb7d3fabf9d2719f4baf7c6ec7a077b0d8c43f46cc2be02a4a30baa30726.exe
"C:\Users\Admin\AppData\Local\Temp\22eedb7d3fabf9d2719f4baf7c6ec7a077b0d8c43f46cc2be02a4a30baa30726.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Users\Admin\AppData\Local\Temp\onefile_2748_133580492713826000\amady.exe
  "C:\Users\Admin\AppData\Local\Temp\22eedb7d3fabf9d2719f4baf7c6ec7a077b0d8c43f46cc2be02a4a30baa30726.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\onefile_2748_133580492713826000\python311.dll

Filesize
5.5MB

MD5
d06da79bfd21bb355dc3e20e17d3776c

SHA1
610712e77f80d2507ffe85129bfeb1ff72fa38bf

SHA256
2835e0f24fb13ef019608b13817f3acf8735fbc5f786d00501c4a151226bdff1

SHA512
e4dd839c18c95b847b813ffd0ca81823048d9b427e5dcf05f4fbe0d77b8f7c8a4bd1c67c106402cd1975bc20a8ec1406a38ad4764ab466ef03cb7eb1f431c38a

Download Submit
\Users\Admin\AppData\Local\Temp\onefile_2748_133580492713826000\amady.exe

Filesize
14.1MB

MD5
c7719270d0e6cf4e65ec4c827acece06

SHA1
4a4a357051adb5d60813bc79bc61c250262ff841

SHA256
964b89a4d7a7d4c081c3aedf7befc05626c8eb0715f2177465e9623ba3d2242a

SHA512
90b20103ed92a3b2ee3de4ada3a7022e8acda50e9797e8cf6f0525eb272e48c27d42fa96a39fc2928f1f49735f44989beb81e836a2b9a2da0adaa37b2cfed675

Download Submit