a7fcf790b59ef1cfc8dec3655474f90cdb41a8fea6d9ae9cf0d2d8703144714a

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05/05/2024, 06:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$_3_.exe
Size

1.8MB
MD5

e35e058dd2119eb0f0e852f8738fbab5
SHA1

b7f9388398a9643eddb97a6c2ebaf28b6189c9a8
SHA256

17158e4838c580edce7f87e677531324579734a5ffbabefac8ce038030f11556
SHA512

d42ec1b3875e5a5cb23e520c2633081304d61ea282407dbb52d4b8c58bee4ccec377e291b485d6e6f5490920838c4b520fcd029897c6be4ac5da3bf19e46ac2c
SSDEEP

49152:rc4u49CbNSFXVJUtSH9zaTRpSWa6zjQWLtm5YXld:rz4GFJUtYf

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1908	$_3_.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1908	$_3_.exe
1908	$_3_.exe
1908	$_3_.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1908 wrote to memory of 2136	1908	$_3_.exe	30
PID 1908 wrote to memory of 2136	1908	$_3_.exe	30
PID 1908 wrote to memory of 2136	1908	$_3_.exe	30
PID 1908 wrote to memory of 2136	1908	$_3_.exe	30

C:\Users\Admin\AppData\Local\Temp\$_3_.exe
"C:\Users\Admin\AppData\Local\Temp\$_3_.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\10273.bat" "C:\Users\Admin\AppData\Local\Temp\5CF39B0703AD4A1BAAA3505DE0462BDA\""
  2⤵
  PID:2136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2297530677-1229052932-2803917579-1000\$I1VK44Q

Filesize
544B

MD5
64d9b2e67d9402c093e145a1bce4b918

SHA1
8b15b0d4457b670a113e74c3b077714fea2f2f37

SHA256
33a143fc4d4b300ec30ce62d4845e70802ec4719e3b99baaa9d5c57bd39ec55b

SHA512
686004e6d3571bf9dee81029e40da19c08387763a17c5a51a4148daebc5467f501f951075d43f3f7cd41748ca0e7d4f71485119fb216604ae8c2079ac3d12a03

Download Submit
C:\Users\Admin\AppData\Local\Temp\10273.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\5CF39B0703AD4A1BAAA3505DE0462BDA\5CF39B0703AD4A1BAAA3505DE0462BDA_LogFile.txt

Filesize
5KB

MD5
95d746559b528b7d6ec4b69103b53e50

SHA1
206f98d0e60468bc70d30d8689d24a5d9cce9f63

SHA256
e1567fbb2f91405f9b564b56eb6c7ecd39b7d3d4553172827e566afe34b2ee3e

SHA512
8e1c2f6b3a137acb533a81938aa01b07ba7b2d71bf673cffa5bd05ea48e073a95f5fbc29f1d4977d4532ee6e2e84613a397224ad11e33a179d67c1e51fe72744

Download Submit
C:\Users\Admin\AppData\Local\Temp\5CF39B0703AD4A1BAAA3505DE0462BDA\5CF39B~1.TXT

Filesize
108KB

MD5
cf8d403ca3e13a5291c8e965a6d7b907

SHA1
a3825dd594eb636a02775a9938822bdf9fb3635f

SHA256
a50dd713370e8fe63d20c28984bac6b9c19ee994607b40b5cfd45d48fd2187b5

SHA512
b5fedfa210a65a23b10834ea7c67d290bf993859b29ebddd3fa9c1e3c1db95c348da6c6f7551eaedd9f61c0eece644769d987a584a1a94e9883ffadaa69d65d1

Download Submit
memory/1908-67-0x00000000004D0000-0x00000000004D1000-memory.dmp

Filesize
4KB

Download
memory/1908-196-0x00000000004D0000-0x00000000004D1000-memory.dmp

Filesize
4KB

Download