4ef2cf76837976d50710e7e011e785505a3004e481696ebb6e0ff0c27e9079ba

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07-05-2024 06:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$_3_.exe
Size

1.7MB
MD5

d4c16982f8a834bc0f8028b45c3ae543
SHA1

9d9cec9af8f23a23521e20d48d9af1024663a4a7
SHA256

932badf8ce27381bd595c9d861d7f7142fe98f233a893a2003a5f5e5ec163b3b
SHA512

c94b8d978afac107c08a5405cf9510e48d4bcf1284292eee1d08898f1c7a43a83a9655dc4d85d27d3b825e45a8f136c7beb71405fab94bb5e2437b7c4ad44b5c
SSDEEP

49152:n7mrmYPoEHVGTWFkO4ITVpSuEqM/vrM3rA3SuN5:km2Z12WFYFVf

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
924	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2840	$_3_.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2840	$_3_.exe
2840	$_3_.exe
2840	$_3_.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2840 wrote to memory of 1672	2840	$_3_.exe	30
PID 2840 wrote to memory of 1672	2840	$_3_.exe	30
PID 2840 wrote to memory of 1672	2840	$_3_.exe	30
PID 2840 wrote to memory of 1672	2840	$_3_.exe	30
PID 1672 wrote to memory of 924	1672	cmd.exe	32
PID 1672 wrote to memory of 924	1672	cmd.exe	32
PID 1672 wrote to memory of 924	1672	cmd.exe	32
PID 1672 wrote to memory of 924	1672	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\$_3_.exe
"C:\Users\Admin\AppData\Local\Temp\$_3_.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\32210.bat" "C:\Users\Admin\AppData\Local\Temp\A0ABA5E3828E438E9FC872D3165BC855\""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1672
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - Runs ping.exe
    PID:924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1298544033-3225604241-2703760938-1000\$I033524

Filesize
544B

MD5
e93a48e255cc3862e54af824bc15bb0c

SHA1
9b4b5e65d4215ac14d047b8270ff74a62d4afa71

SHA256
c7e1d05e96f38ca68c2f5ea8a81cd8397e568a0c18021f33925df14ae49c8612

SHA512
ac4adbcb8921a1e36946b84dc78c8b04b222e129e470c56e6e1c0c987dcc0ac043ab18d4465a3644da52d115dce2741f6e4c659ea1b18be844743b9477236530

Download Submit
C:\$Recycle.Bin\S-1-5-21-1298544033-3225604241-2703760938-1000\$IC3JVP5

Filesize
544B

MD5
deb7a1e3b5f80acfe89ec4e8f7e9eacf

SHA1
b900958cbd71b3ab2c3123c105e3fdb194a90f90

SHA256
0fe17092c4e380fe60e02c386796995164820ec44bf19675d6c93770233e1f5c

SHA512
323e56d149b0fd04d55c53d2cc290b158a787cd8787732496588467b0fc903064930014839705e0c49ca5062639346063d7d2bd9081f82c6998aa1ba7d57abcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\32210.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\A0ABA5E3828E438E9FC872D3165BC855\A0ABA5E3828E438E9FC872D3165BC855_LogFile.txt

Filesize
4KB

MD5
53c45fe7cac565a9748e456a8f5f4251

SHA1
c56b92927c2e24b5c30c462e1297a5cee07cfe17

SHA256
ea894b91be6499951cf2bd04c21d985cbbae53b6c4a6467a184de28b8ff9628e

SHA512
725c7c25432c14faf5dad7c4ff5630a04471e7964f5f7661b01995b4c57304f99b328f6bbc3117d841e6f71544de34b166fd3a2455e26801f4d2e6c69919e8ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\A0ABA5E3828E438E9FC872D3165BC855\A0ABA5E3828E438E9FC872D3165BC855_LogFile.txt

Filesize
2KB

MD5
194efa0dbe40a27adadbe7d45e77b1cc

SHA1
a7d3f10c38bbca144fd5a868712361ae775d649f

SHA256
8bc88cf33b8849a7670a54b240766b2f50215742db8eda46a8eaf274c763c1ee

SHA512
ea5ad2a51d71da483b4ddd4bfb35bd8af72e59cbd11c2d5d316e6ad70597af28c9592af3a188deff609ed690fcc91855262fd10040090ec27740288951565f77

Download Submit
C:\Users\Admin\AppData\Local\Temp\A0ABA5E3828E438E9FC872D3165BC855\A0ABA5~1.TXT

Filesize
26KB

MD5
51c86be7491469c651404a7db5f86659

SHA1
c13aeafd71671e9ef887436f60a212110127eebf

SHA256
2f81f4356392f87bc8d7963a8435dabede1b74bea1e1dc3e96a7698e09337835

SHA512
004081e6795fe9d05f8baab29dcca6e472326b66cc113f82e765bf3d31ab543d83bfb1bb0295d0d23f2d27de14d45c076c8be0d570b5d573f5df86bc9217f27a

Download Submit
memory/2840-67-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/2840-179-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download