acab4187096ea2c31bed06f017a6c7d93f03291c46becc29efbe44e0b9b7a8fe

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 03:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$_3_.exe
Size

1.8MB
MD5

77bfacca17ee1d89833b57f3a746d9a0
SHA1

aa9490c913489c5eafd02f67f875efcb56d23036
SHA256

38571b0965110d07c6fbf4813ab628d4017cf52c681c457fb3f184b644fb0b52
SHA512

21ecc2fce94a58cd39127964730b01722b9dafa20d3af65b023fe83188c08211ba1324849513ffc10b6a359737f98c4d06770dc1954f8880daff938a06581e6f
SSDEEP

49152:/SNY8H0ZGF5j51XdQTPRPgojx1NslvUOl/WkMWAH:oY00Z8F1XdUL

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1868 PING.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

$_3_.exe

pid process

2416 $_3_.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

$_3_.exe

pid process

2416 $_3_.exe
2416 $_3_.exe
2416 $_3_.exe

pid	process
1868	PING.EXE

pid	process
2416	$_3_.exe

pid	process
2416	$_3_.exe
2416	$_3_.exe
2416	$_3_.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

$_3_.execmd.exe

description	pid	process	target process
PID 2416 wrote to memory of 2032	2416	$_3_.exe	cmd.exe
PID 2416 wrote to memory of 2032	2416	$_3_.exe	cmd.exe
PID 2416 wrote to memory of 2032	2416	$_3_.exe	cmd.exe
PID 2416 wrote to memory of 2032	2416	$_3_.exe	cmd.exe
PID 2032 wrote to memory of 1868	2032	cmd.exe	PING.EXE
PID 2032 wrote to memory of 1868	2032	cmd.exe	PING.EXE
PID 2032 wrote to memory of 1868	2032	cmd.exe	PING.EXE
PID 2032 wrote to memory of 1868	2032	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\$_3_.exe
"C:\Users\Admin\AppData\Local\Temp\$_3_.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2416

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\12374.bat" "C:\Users\Admin\AppData\Local\Temp\B9EFC3823D7A40EE92064E1003E6AB80\""
2⤵
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 1 -w 1000
3⤵
- Runs ping.exe
PID:1868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\12374.bat

Filesize
214B

MD5
739fcc7ba42b209fe44bea47e7a8c48f

SHA1
bc7a448a7c018133edcf012bc94301623eb42c5b

SHA256
69017cdbbe68396f45e41d211b22d800cc1afc0eadbd3440873038585020315c

SHA512
2b2b130798b0f4e534626b9fb5deaa10bb1930e6700ac0ba7cf151c1bf3239039a7032ea67ceed86a4a4dbe981064c42a8e0f88fe8361e27002dd8ceb0ea767a

Download Submit
C:\Users\Admin\AppData\Local\Temp\B9EFC3823D7A40EE92064E1003E6AB80\B9EFC3823D7A40EE92064E1003E6AB80_LogFile.txt

Filesize
9KB

MD5
5c664e2079db7dad6a895bd7ef2b3d6d

SHA1
b6c2f6c6f628b3a4356bf0789dab4205aa5f44e9

SHA256
59a3a10ce792d52a3e6880f04344d687fbfd971c8b74d0b3f600e3f5b68b308b

SHA512
448f4878e2718f232a00bb76ed4992e1fcd3d073f4797cee56046aa69e61113ce27ecc3bfe4bfe55172a8a564fe987e9e09c84242993112d50484ef05a14aa22

Download Submit
C:\Users\Admin\AppData\Local\Temp\B9EFC3823D7A40EE92064E1003E6AB80\B9EFC3~1.TXT

Filesize
107KB

MD5
957ec2194cf7a0c11564e4c23d005952

SHA1
96328f3f8cef2346dc30869b7c09ed98ccd27e65

SHA256
faf26b296fcd9d9d96a303c29dfd4955e232b627758b9054d46c9d867114e434

SHA512
045bf4fff329769610aea88fdf72763c3f4d665dac39be69028dee5c1bb6a70b91940a0f418ebdd91672699986bb9f72362aae28ec8f230514b3c5afc15dd7ed

Download Submit
memory/2416-65-0x0000000000270000-0x000000000044E000-memory.dmp

Filesize
1.9MB

Download
memory/2416-178-0x0000000000270000-0x000000000044E000-memory.dmp

Filesize
1.9MB

Download
memory/2416-256-0x0000000000270000-0x000000000044E000-memory.dmp

Filesize
1.9MB

Download