3321057cb281adf6eaa8ecd5bd88cc3232a174fa464ca2cf141ed80e39d61496

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20/04/2024, 20:43

Target

3321057cb281adf6eaa8ecd5bd88cc3232a174fa464ca2cf141ed80e39d61496.exe
Size

289KB
MD5

d8d438c89fce6e7114c3e8ec9c12872b
SHA1

7ef91106136756d91b9f74ff8ad04379bdb31842
SHA256

3321057cb281adf6eaa8ecd5bd88cc3232a174fa464ca2cf141ed80e39d61496
SHA512

6d152c2dc6c79543f21331a4916f754c9ea7c0c5cda70102736bac5386b6674d4522e7d320c36fa6abc49e8626432e268bc17eab34f508d297ae20e88448176d
SSDEEP

6144:80W6tQl9eaRjb9kdhqZSqCqtsgdKaxkECzJLaQVbU5:80WYQLeaReDqN/KaxklJLJbU5

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
2432	SBDFOO.exe

Loads dropped DLL 2 IoCs

pid	Process
2012	cmd.exe
2012	cmd.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\windows\system\SBDFOO.exe	3321057cb281adf6eaa8ecd5bd88cc3232a174fa464ca2cf141ed80e39d61496.exe
File opened for modification	C:\windows\system\SBDFOO.exe	3321057cb281adf6eaa8ecd5bd88cc3232a174fa464ca2cf141ed80e39d61496.exe
File created	C:\windows\system\SBDFOO.exe.bat	3321057cb281adf6eaa8ecd5bd88cc3232a174fa464ca2cf141ed80e39d61496.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2072	3321057cb281adf6eaa8ecd5bd88cc3232a174fa464ca2cf141ed80e39d61496.exe
2432	SBDFOO.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2072	3321057cb281adf6eaa8ecd5bd88cc3232a174fa464ca2cf141ed80e39d61496.exe
2072	3321057cb281adf6eaa8ecd5bd88cc3232a174fa464ca2cf141ed80e39d61496.exe
2432	SBDFOO.exe
2432	SBDFOO.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 2012	2072	3321057cb281adf6eaa8ecd5bd88cc3232a174fa464ca2cf141ed80e39d61496.exe	28
PID 2072 wrote to memory of 2012	2072	3321057cb281adf6eaa8ecd5bd88cc3232a174fa464ca2cf141ed80e39d61496.exe	28
PID 2072 wrote to memory of 2012	2072	3321057cb281adf6eaa8ecd5bd88cc3232a174fa464ca2cf141ed80e39d61496.exe	28
PID 2072 wrote to memory of 2012	2072	3321057cb281adf6eaa8ecd5bd88cc3232a174fa464ca2cf141ed80e39d61496.exe	28
PID 2012 wrote to memory of 2432	2012	cmd.exe	30
PID 2012 wrote to memory of 2432	2012	cmd.exe	30
PID 2012 wrote to memory of 2432	2012	cmd.exe	30
PID 2012 wrote to memory of 2432	2012	cmd.exe	30

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Windows\system\SBDFOO.exe.bat

Filesize
72B

MD5
1b9b6ef58a611560d7b0ef2c9ac6b88d

SHA1
36fb2cc8eb4817a02c14a6225fc825b6f4ff1fee

SHA256
8e7706505d9f1604b4605c607741d92df7332ee95fe7fe74805cdc2ba751b28e

SHA512
303c2efde22a3ebcdbc728f2663b7c3b5a4d58c025610de021337307c97180c46067e98926dffb8c6365d5fcbb95a42522ba37476db7172237f54e70946f7645

Download Submit
C:\windows\system\SBDFOO.exe

Filesize
289KB

MD5
c816a93ed3645476f3ba0bd10aa1b567

SHA1
5b49c0a3a3e82ccde3f197ba448e1c3a2efec988

SHA256
2a98d8e5b6a51ae48facbd4fd06f600b6b14bea8927bfa206d261724bd7d7a7b

SHA512
9d93ebdfa4738ee81d276871704fbe9fb2faed33217a8410afc27755cf0e4c5def5994f97c7383e6877966357658ff0e766c84d0e7fc2899242412810ff8117c

Download Submit
memory/2012-18-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2012-16-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2072-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2072-12-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2432-20-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2432-21-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download