586c51c188370fb5f57b3a5ecdb308f03b74118f25b9e2d20e9a601e1d2e4958

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
19/05/2024, 23:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$_3_.exe
Size

1.7MB
MD5

d4c16982f8a834bc0f8028b45c3ae543
SHA1

9d9cec9af8f23a23521e20d48d9af1024663a4a7
SHA256

932badf8ce27381bd595c9d861d7f7142fe98f233a893a2003a5f5e5ec163b3b
SHA512

c94b8d978afac107c08a5405cf9510e48d4bcf1284292eee1d08898f1c7a43a83a9655dc4d85d27d3b825e45a8f136c7beb71405fab94bb5e2437b7c4ad44b5c
SSDEEP

49152:n7mrmYPoEHVGTWFkO4ITVpSuEqM/vrM3rA3SuN5:km2Z12WFYFVf

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2924	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1664	$_3_.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1664	$_3_.exe
1664	$_3_.exe
1664	$_3_.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1664 wrote to memory of 936	1664	$_3_.exe	30
PID 1664 wrote to memory of 936	1664	$_3_.exe	30
PID 1664 wrote to memory of 936	1664	$_3_.exe	30
PID 1664 wrote to memory of 936	1664	$_3_.exe	30
PID 936 wrote to memory of 2924	936	cmd.exe	32
PID 936 wrote to memory of 2924	936	cmd.exe	32
PID 936 wrote to memory of 2924	936	cmd.exe	32
PID 936 wrote to memory of 2924	936	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\$_3_.exe
"C:\Users\Admin\AppData\Local\Temp\$_3_.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\24356.bat" "C:\Users\Admin\AppData\Local\Temp\C496AF0D59D242EFAEB1096C7B1E9715\""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:936
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - Runs ping.exe
    PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2248906074-2862704502-246302768-1000\$I1DFEL3

Filesize
544B

MD5
d981bd54ec18f0d977923a4c100a0f3b

SHA1
b3ed89c64e503a18eea744d1ba0db7a9d9444b6b

SHA256
f217904325706cd6cc2f15870bef6a9c431db75a94eaf94f6ca8f1e972b0afee

SHA512
1a6ea173418777621806a10c521e48867ff97e99dcfbbe3b536ad9f4c81a6f47f0197aade42258e8ee4153ac42b420e04cbc8a648f0e50cf4bdbdca4354562b3

Download Submit
C:\$Recycle.Bin\S-1-5-21-2248906074-2862704502-246302768-1000\$I7GVEEG

Filesize
544B

MD5
e026ff4d3d77e08db4e3488d3f0ecd66

SHA1
be6827dcd6c8a49e236df86a393b6ae64190c69b

SHA256
88d59537226bcb6ef27749f2b344e4799f374823fd97d771f73d9b3ba02140eb

SHA512
7db3e182f2745ebf0d07eeba7734c130e3579a26ec29a68f65ddebb9bb580647c1759253530aea85f3619ed1f8f1bc6741c97d22a4823b322c65573fa12f2877

Download Submit
C:\Users\Admin\AppData\Local\Temp\24356.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\C496AF0D59D242EFAEB1096C7B1E9715\C496AF0D59D242EFAEB1096C7B1E9715_LogFile.txt

Filesize
2KB

MD5
ce4ec29f1832c600c4e7a7fe92448b05

SHA1
ccc5cc9f778ffb4c4221d917272d749c50a38121

SHA256
e798a515ef4087dc531d68620b2b6676f125e770726a64ee84531bdccfe9c079

SHA512
96d789f31ea59a2ef54d7cfadcbff7eb4f9784417481ed63dd957bcdd76cce805196c45d237f86b28d6bc541bd949c66975338d35289ba6872d81498527ed5c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\C496AF0D59D242EFAEB1096C7B1E9715\C496AF0D59D242EFAEB1096C7B1E9715_LogFile.txt

Filesize
4KB

MD5
e7d8f3fd3cb60e752c8790d16418daad

SHA1
cf01b461bace7146fd66b10d46e19aae14040bfc

SHA256
7ca5b9097f18552c31f769cbd83bbf8aad54e78200f22aef23979a5720d11a28

SHA512
0cf4d99289166298bbf83b791cd4df01097933364ff319999c808b84d2962082d0fa23f78d4058a99003a1671ed871d5d68483b6372134747f22ba8a7ac191ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\C496AF0D59D242EFAEB1096C7B1E9715\C496AF~1.TXT

Filesize
28KB

MD5
e97ee9d9c1b343e03d2aa26c1d075416

SHA1
902e29f1059ae27ac9ae76267f80e088004fead1

SHA256
f01e954fb09fac777444c9813114e9300be88d421ed77d108557dc35870d4ef3

SHA512
38041098743c864b674bbdbe77d624314701f06ecb5f397243f6fac68ad9f86a2a9db59533133bf5697c0744350814a82e8c0ff5df531274dcd8fd7268fdf9db

Download Submit
memory/1664-67-0x00000000001B0000-0x000000000035F000-memory.dmp

Filesize
1.7MB

Download
memory/1664-201-0x00000000001B0000-0x000000000035F000-memory.dmp

Filesize
1.7MB

Download
memory/1664-286-0x00000000001B0000-0x000000000035F000-memory.dmp

Filesize
1.7MB

Download