71fa4825b0bd96a14051652d238634caf9db0559001b102ecd2f2081a23c9e9b

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 23:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

71fa4825b0bd96a14051652d238634caf9db0559001b102ecd2f2081a23c9e9b.exe
Size

102KB
MD5

dabb84c3d073199e51215fd2275c14e5
SHA1

60d8562ec6da20d7e2fb8453cebbc7df3a985c87
SHA256

71fa4825b0bd96a14051652d238634caf9db0559001b102ecd2f2081a23c9e9b
SHA512

3f49c7bde724f02bf3d99bbbbecdfa1497e39ab149106ce7f97c2b9e4843ffd38b0e5e0bbbd12a73c5385270405b2137ae57a45ba5a80987d8cbdfb374cad9ae
SSDEEP

1536:D7fPGykbOqjoHm4pICdfkLtAfupcWX50MxFY+yIOlnToIfzxy4Ou:fq6+ouCpk2mpcWJ0r+QNTBfzz

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

71fa4825b0bd96a14051652d238634caf9db0559001b102ecd2f2081a23c9e9b.execmd.exe

description	pid	process	target process
PID 2916 wrote to memory of 2992	2916	71fa4825b0bd96a14051652d238634caf9db0559001b102ecd2f2081a23c9e9b.exe	cmd.exe
PID 2916 wrote to memory of 2992	2916	71fa4825b0bd96a14051652d238634caf9db0559001b102ecd2f2081a23c9e9b.exe	cmd.exe
PID 2916 wrote to memory of 2992	2916	71fa4825b0bd96a14051652d238634caf9db0559001b102ecd2f2081a23c9e9b.exe	cmd.exe
PID 2916 wrote to memory of 2992	2916	71fa4825b0bd96a14051652d238634caf9db0559001b102ecd2f2081a23c9e9b.exe	cmd.exe
PID 2992 wrote to memory of 3000	2992	cmd.exe	iexpress.exe
PID 2992 wrote to memory of 3000	2992	cmd.exe	iexpress.exe
PID 2992 wrote to memory of 3000	2992	cmd.exe	iexpress.exe

C:\Users\Admin\AppData\Local\Temp\71fa4825b0bd96a14051652d238634caf9db0559001b102ecd2f2081a23c9e9b.exe
"C:\Users\Admin\AppData\Local\Temp\71fa4825b0bd96a14051652d238634caf9db0559001b102ecd2f2081a23c9e9b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2916

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\21D3.tmp\21D4.tmp\21D5.bat C:\Users\Admin\AppData\Local\Temp\71fa4825b0bd96a14051652d238634caf9db0559001b102ecd2f2081a23c9e9b.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2992

C:\Windows\system32\iexpress.exe
iexpress /n /q /m C:\Users\Admin\AppData\Local\Temp\hid.sed
3⤵
PID:3000

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\21D3.tmp\21D4.tmp\21D5.bat
Filesize
1KB

MD5
da9a8db30b2193eb306fd377ddc09822

SHA1
2b14a8683d1faca6bd607d0ae398cb95c36ab6f5

SHA256
9a36afba88e927c8bb2a67791db72d7575c9b89639e7b5e265b49b965d1fa34f

SHA512
2055ae22207643f89e211db4272a7c8ef559535f8c5566098cceb0f05eaddf1f0a9e93f94b38885e10b715abae17ae33855b8dbbcc19a3c3db9aecda51ca5cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\hid.sed
Filesize
102KB

MD5
92d991c86da76ed71e919929729b5924

SHA1
d6fdeeedd89a68d2ba3a4e6f4a4ed523ff0bb991

SHA256
d1d29d97d9726f529131b2e0c27f4ae2efbf4c8e13dff2c9596c00d8c200722e

SHA512
bd1fa3455148c93848f3b7f30bdc80e68719b1083ed31f15dcf12373402bd1d55b92b0779764d5fed0d5bbed68735a876ca604cac21a37c00fb77b7e52d20a9c

Download Submit