Analysis

max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 22-05-2024 23:05
Static task: static1

Behavioral task: behavioral1
  Sample: 71fa4825b0bd96a14051652d238634caf9db0559001b102ecd2f2081a23c9e9b.exe
  Resource: win7-20240508-en

Behavioral task: behavioral2
  Sample: 71fa4825b0bd96a14051652d238634caf9db0559001b102ecd2f2081a23c9e9b.exe
  Resource: win10v2004-20240508-en
General

Target: 71fa4825b0bd96a14051652d238634caf9db0559001b102ecd2f2081a23c9e9b.exe
Size: 102KB
MD5: dabb84c3d073199e51215fd2275c14e5
SHA1: 60d8562ec6da20d7e2fb8453cebbc7df3a985c87
SHA256: 71fa4825b0bd96a14051652d238634caf9db0559001b102ecd2f2081a23c9e9b
SHA512: 3f49c7bde724f02bf3d99bbbbecdfa1497e39ab149106ce7f97c2b9e4843ffd38b0e5e0bbbd12a73c5385270405b2137ae57a45ba5a80987d8cbdfb374cad9ae
SSDEEP: 1536:D7fPGykbOqjoHm4pICdfkLtAfupcWX50MxFY+yIOlnToIfzxy4Ou:fq6+ouCpk2mpcWJ0r+QNTBfzz
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: 71fa4825b0bd96a14051652d238634caf9db0559001b102ecd2f2081a23c9e9b.exe, cmd.exe

  description                          | pid  | process                                                               | target process
  PID 2916 wrote to memory of 2992     | 2916 | 71fa4825b0bd96a14051652d238634caf9db0559001b102ecd2f2081a23c9e9b.exe | cmd.exe
  PID 2916 wrote to memory of 2992     | 2916 | 71fa4825b0bd96a14051652d238634caf9db0559001b102ecd2f2081a23c9e9b.exe | cmd.exe
  PID 2916 wrote to memory of 2992     | 2916 | 71fa4825b0bd96a14051652d238634caf9db0559001b102ecd2f2081a23c9e9b.exe | cmd.exe
  PID 2916 wrote to memory of 2992     | 2916 | 71fa4825b0bd96a14051652d238634caf9db0559001b102ecd2f2081a23c9e9b.exe | cmd.exe
  PID 2992 wrote to memory of 3000     | 2992 | cmd.exe                                                               | iexpress.exe
  PID 2992 wrote to memory of 3000     | 2992 | cmd.exe                                                               | iexpress.exe
  PID 2992 wrote to memory of 3000     | 2992 | cmd.exe                                                               | iexpress.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\71fa4825b0bd96a14051652d238634caf9db0559001b102ecd2f2081a23c9e9b.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\71fa4825b0bd96a14051652d238634caf9db0559001b102ecd2f2081a23c9e9b.exe"
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\21D3.tmp\21D4.tmp\21D5.bat C:\Users\Admin\AppData\Local\Temp\71fa4825b0bd96a14051652d238634caf9db0559001b102ecd2f2081a23c9e9b.exe"
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\system32\iexpress.exe
         Command line: iexpress /n /q /m C:\Users\Admin\AppData\Local\Temp\hid.sed
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

- C:\Users\Admin\AppData\Local\Temp\21D3.tmp\21D4.tmp\21D5.bat
  Filesize: 1KB
  MD5: da9a8db30b2193eb306fd377ddc09822
  SHA1: 2b14a8683d1faca6bd607d0ae398cb95c36ab6f5
  SHA256: 9a36afba88e927c8bb2a67791db72d7575c9b89639e7b5e265b49b965d1fa34f
  SHA512: 2055ae22207643f89e211db4272a7c8ef559535f8c5566098cceb0f05eaddf1f0a9e93f94b38885e10b715abae17ae33855b8dbbcc19a3c3db9aecda51ca5cfc

- C:\Users\Admin\AppData\Local\Temp\hid.sed
  Filesize: 102KB
  MD5: 92d991c86da76ed71e919929729b5924
  SHA1: d6fdeeedd89a68d2ba3a4e6f4a4ed523ff0bb991
  SHA256: d1d29d97d9726f529131b2e0c27f4ae2efbf4c8e13dff2c9596c00d8c200722e
  SHA512: bd1fa3455148c93848f3b7f30bdc80e68719b1083ed31f15dcf12373402bd1d55b92b0779764d5fed0d5bbed68735a876ca604cac21a37c00fb77b7e52d20a9c