Analysis

  • max time kernel
    134s
  • max time network
    104s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07-05-2024 22:13

General

  • Target

    $1/$OUTDIR/sftp_plugin/tc_sftp_uninstaller.exe

  • Size

    59KB

  • MD5

    9b3cb9b83d28f0f3a952624c42b8ec21

  • SHA1

    4c272558d822dd89d2a1c36e13c0c8810284cc8d

  • SHA256

    6b81d009f34b7adfa13bbed70e8083af398d9dac12d4fbb3136c516113234da6

  • SHA512

    0ff059c4ab61172259a4a3c290d56dd4be063866b4c8ef74371c4999e00a76aee44eb22f3345932cc0ccef3bbec565994b99b47292c1a696e6518288e70d1f26

  • SSDEEP

    768:j9qjtOoh/pZbvc+HX+fFXSJA/mIj6qkzry8F9zGPVzISJRnHzioSe4bU/iXAB8+6:j0joUxZbE+HOI66qkryz9zIMipG+W8

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\$1\$OUTDIR\sftp_plugin\tc_sftp_uninstaller.exe
    "C:\Users\Admin\AppData\Local\Temp\$1\$OUTDIR\sftp_plugin\tc_sftp_uninstaller.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2404
    • C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
      "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\$1\$OUTDIR\sftp_plugin\
      2⤵
      • Executes dropped EXE
      PID:2984

Network

MITRE ATT&CK Matrix ATT&CK v13

Downloads

  • C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
    Filesize

    59KB

    MD5

    9b3cb9b83d28f0f3a952624c42b8ec21

    SHA1

    4c272558d822dd89d2a1c36e13c0c8810284cc8d

    SHA256

    6b81d009f34b7adfa13bbed70e8083af398d9dac12d4fbb3136c516113234da6

    SHA512

    0ff059c4ab61172259a4a3c290d56dd4be063866b4c8ef74371c4999e00a76aee44eb22f3345932cc0ccef3bbec565994b99b47292c1a696e6518288e70d1f26