ee2736143a5802e7f243ca40abfc2fa5aff063d62956aeebd617300e6e98fcd9

Analysis

max time kernel
122s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
30-04-2024 04:15

Target

ee2736143a5802e7f243ca40abfc2fa5aff063d62956aeebd617300e6e98fcd9.exe
Size

208KB
MD5

5289faf8c558a1cd47cac3e3c0801143
SHA1

37425bfba722ef28db1a131754f817679c6e73c5
SHA256

ee2736143a5802e7f243ca40abfc2fa5aff063d62956aeebd617300e6e98fcd9
SHA512

d06369e4ee21cbf1aa753b5f247ad14c631f85fe496064de5870f5252cfef6271f978a8097ac481f28d44fdbfe1cd9a48d405f2d414790e335479ef957284a99
SSDEEP

3072:nMjRdL9m26LhONS893+UMrHHcK6TPMs9szrMrVGWmaG9H4NLthEjQT6:nMjRB9m26LhX7UgHH7sRKUVGeEHQEj

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
2608	TXPZP.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\windows\TXPZP.exe	ee2736143a5802e7f243ca40abfc2fa5aff063d62956aeebd617300e6e98fcd9.exe
File opened for modification	C:\windows\TXPZP.exe	ee2736143a5802e7f243ca40abfc2fa5aff063d62956aeebd617300e6e98fcd9.exe
File created	C:\windows\TXPZP.exe.bat	ee2736143a5802e7f243ca40abfc2fa5aff063d62956aeebd617300e6e98fcd9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2220	ee2736143a5802e7f243ca40abfc2fa5aff063d62956aeebd617300e6e98fcd9.exe
2608	TXPZP.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2220	ee2736143a5802e7f243ca40abfc2fa5aff063d62956aeebd617300e6e98fcd9.exe
2220	ee2736143a5802e7f243ca40abfc2fa5aff063d62956aeebd617300e6e98fcd9.exe
2608	TXPZP.exe
2608	TXPZP.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2508	2220	ee2736143a5802e7f243ca40abfc2fa5aff063d62956aeebd617300e6e98fcd9.exe	28
PID 2220 wrote to memory of 2508	2220	ee2736143a5802e7f243ca40abfc2fa5aff063d62956aeebd617300e6e98fcd9.exe	28
PID 2220 wrote to memory of 2508	2220	ee2736143a5802e7f243ca40abfc2fa5aff063d62956aeebd617300e6e98fcd9.exe	28
PID 2220 wrote to memory of 2508	2220	ee2736143a5802e7f243ca40abfc2fa5aff063d62956aeebd617300e6e98fcd9.exe	28
PID 2508 wrote to memory of 2608	2508	cmd.exe	30
PID 2508 wrote to memory of 2608	2508	cmd.exe	30
PID 2508 wrote to memory of 2608	2508	cmd.exe	30
PID 2508 wrote to memory of 2608	2508	cmd.exe	30

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Windows\TXPZP.exe.bat

Filesize
56B

MD5
015ed8e293a3b8fe774520bbaeaeeca1

SHA1
1b8d1f29a2cd2bf53d10dd5160424b02b57ef54f

SHA256
ec8edaaf077898b6135522da9943cda7f46478a7e18785196cc834bc1e7d2b7f

SHA512
95cd67bc7ead6d6682de09e32f14095d5eba6c1440189babf1ef1ccfe13b20ca46e49afa52b66fdf9153955cf81c66da2150df8403796251203a9efe8802b820

Download Submit
C:\windows\TXPZP.exe

Filesize
208KB

MD5
3b4a2fa212e3f405edc8c9da38e3792b

SHA1
568ff6ad16b2dfa6bce97a1c0bc75b6410f0a003

SHA256
36eb35a3543ce1789ba681bcc1d33c384f5b5d9a39c1e338bcd1914db09673e3

SHA512
14904441e268d6d19cbdce2a8b6d91ef023d69e1e20bc9ab378d159a7bb71a61857f5ef09f3078d12566e5b7394aceb9bfb0212e962bcb4e4d54a36a24f73aa4

Download Submit
memory/2220-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2220-12-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2508-16-0x0000000000760000-0x0000000000798000-memory.dmp

Filesize
224KB

Download
memory/2508-15-0x0000000000760000-0x0000000000798000-memory.dmp

Filesize
224KB

Download
memory/2608-18-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2608-19-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download