a5ade73cacf80906a0e898f86bc261f2ff580d34c472ce7914ea987aab5c819d

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 03:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$_3_.exe
Size

1.8MB
MD5

9ab5db4bb5971035b4d287d64f9676b5
SHA1

33d17f016339572dd05c124d6243fffefd0cd039
SHA256

f2126481c02d2a5af29e56023902a0897d05867c1caaf8079cf6e1f05dd9b209
SHA512

d36262fdd4d8bd083d8537f0698c423240c9e42b2dc0048e2470d87411f295d6e3428587b76b0486875495d502f1f31f9edf3eb6fdb914f13421b7f29fa5f066
SSDEEP

49152:G0BIrT/YNRoLlps7tZokvTopSdmX4Foni7iMmdc:GbTRps7Xj

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

$_3_.exe

pid process

2824 $_3_.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

$_3_.exe

pid process

2824 $_3_.exe
2824 $_3_.exe
2824 $_3_.exe

pid	process
2824	$_3_.exe

pid	process
2824	$_3_.exe
2824	$_3_.exe
2824	$_3_.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

$_3_.exe

description	pid	process	target process
PID 2824 wrote to memory of 2492	2824	$_3_.exe	cmd.exe
PID 2824 wrote to memory of 2492	2824	$_3_.exe	cmd.exe
PID 2824 wrote to memory of 2492	2824	$_3_.exe	cmd.exe
PID 2824 wrote to memory of 2492	2824	$_3_.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\$_3_.exe
"C:\Users\Admin\AppData\Local\Temp\$_3_.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2824

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\2197.bat" "C:\Users\Admin\AppData\Local\Temp\D7CA1222F34A41F08E49C04316A0F530\""
2⤵
PID:2492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2248906074-2862704502-246302768-1000\$I4XVR3A

Filesize
544B

MD5
16e9396bbb33b9b0dab90dfdc4472a9a

SHA1
502f60418928138cb35e31cfe1b6c4efec1d3b01

SHA256
237f835c63ed6f2d889b65a4a39ae88c9e5875b902c77933869ebe7ecd991ed3

SHA512
a0ed052e9cfd0f046e2c386aee02d2f7edf7b925b4efe78ac448ad3ba0d24b70eac064b8d2e6f106472ab2324d43783c6945b439e03d23fe1dd5173c3cbe570a

Download Submit
C:\$Recycle.Bin\S-1-5-21-2248906074-2862704502-246302768-1000\$IE8AO0K

Filesize
544B

MD5
023f95f7e2ea16055422fcedf61c1d0d

SHA1
b14af622ad85d7024fdc99ad9915ee55eee60b32

SHA256
aad5ed2dd419bf739f016435036a660c54482dabc35d42e49dbb9d5bc6ee8ff3

SHA512
305e40c17cde3c5edcc674cc8a5cf1e045d966a173218732a6a9d190e763f5dadce9461c3f5fc443d75811374e574266d6d10f6264456e74d5af60ce129e575c

Download Submit
C:\Program Files (x86)\tempo_5626

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2197.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\D7CA1222F34A41F08E49C04316A0F530\D7CA1222F34A41F08E49C04316A0F530_LogFile.txt

Filesize
5KB

MD5
c6e4948eb5f93a78d229b766f2078d37

SHA1
dcb1d390da08133ace7ffa15f20fcc9503c2ffe7

SHA256
6641cbd3ab860f66af769b44cba5aaff6efe620118f72abeac1994639af4def5

SHA512
7855f2e0ab68997de41400e9cf6b10573c7b9087259402270ca5979c526d9b9d01d429580c3b2a627859fa9197826797389d958ed5f24e649e7417769dc943e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\D7CA1222F34A41F08E49C04316A0F530\D7CA1222F34A41F08E49C04316A0F530_LogFile.txt

Filesize
3KB

MD5
d63ca18612db1816c334159cb6e1909a

SHA1
43ce8dfd714393749008fdcb8dc51f3ceb65ca57

SHA256
2ac8515b485318b44293d64aa10a161ffd06790ca94b99906adc7c446564baeb

SHA512
d77fa9268288bcef5d74173e8160b360159be708b3f26db9f844d8e174317a53db8ff91c99d20aaae622d01bc363003ecebbf3d44f8e926f1d4e610b548fcad5

Download Submit
C:\Users\Admin\AppData\Local\Temp\D7CA1222F34A41F08E49C04316A0F530\D7CA12~1.TXT

Filesize
108KB

MD5
43e26cedec6c04f0aa91229ccd9d8798

SHA1
0e7f0841080c04298c66f7c47c9f58423bdc6479

SHA256
229f5ae025c0a4e2d4b7d28efec4ee5993c3039d02b79a2a8436ce53f1682a89

SHA512
45bca8e70dd2b660ff0ef9738b68e0c9ead63e08876b6c74384f8dca3e79d86cf324f267ff56390cedf0f2bfe341863ef29b45da1af8ee841dd038715e97322f

Download Submit
memory/2824-67-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/2824-197-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download