6a9c72fafaf43be870c08aaaa1ced4b0289fa435102e26fc14f5d16745dba55a

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
23/05/2024, 22:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a9c72fafaf43be870c08aaaa1ced4b0289fa435102e26fc14f5d16745dba55a.exe
Size

496KB
MD5

8101a283a744c7937666a0263489a781
SHA1

481aaf3316caa58e198183948332bb844b28660f
SHA256

6a9c72fafaf43be870c08aaaa1ced4b0289fa435102e26fc14f5d16745dba55a
SHA512

8bd7f80f6f1d2cea386fefff122d01b2f6125bcc426bedf8a5a314fba51f0a4267e70e5be360db6fabdd01e439ac01f490597e64cccad8433ff3fe0fba735cdb
SSDEEP

12288:NyAfDcgcTQhgpZBDtoRAG01LqTl2mZoiXObU:vDVBADt1ZKlX34U

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2152	EXE197A.tmp

Loads dropped DLL 2 IoCs

pid	Process
2180	6a9c72fafaf43be870c08aaaa1ced4b0289fa435102e26fc14f5d16745dba55a.exe
2180	6a9c72fafaf43be870c08aaaa1ced4b0289fa435102e26fc14f5d16745dba55a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2152	EXE197A.tmp
2152	EXE197A.tmp

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 2152	2180	6a9c72fafaf43be870c08aaaa1ced4b0289fa435102e26fc14f5d16745dba55a.exe	29
PID 2180 wrote to memory of 2152	2180	6a9c72fafaf43be870c08aaaa1ced4b0289fa435102e26fc14f5d16745dba55a.exe	29
PID 2180 wrote to memory of 2152	2180	6a9c72fafaf43be870c08aaaa1ced4b0289fa435102e26fc14f5d16745dba55a.exe	29
PID 2180 wrote to memory of 2152	2180	6a9c72fafaf43be870c08aaaa1ced4b0289fa435102e26fc14f5d16745dba55a.exe	29
PID 2152 wrote to memory of 2936	2152	EXE197A.tmp	30
PID 2152 wrote to memory of 2936	2152	EXE197A.tmp	30
PID 2152 wrote to memory of 2936	2152	EXE197A.tmp	30
PID 2152 wrote to memory of 2936	2152	EXE197A.tmp	30

C:\Users\Admin\AppData\Local\Temp\6a9c72fafaf43be870c08aaaa1ced4b0289fa435102e26fc14f5d16745dba55a.exe
"C:\Users\Admin\AppData\Local\Temp\6a9c72fafaf43be870c08aaaa1ced4b0289fa435102e26fc14f5d16745dba55a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Users\Admin\AppData\Local\Temp\EXE197A.tmp
  "C:\Users\Admin\AppData\Local\Temp\EXE197A.tmp" "C:\Users\Admin\AppData\Local\Temp\OFM197B.tmp" "C:\Users\Admin\AppData\Local\Temp\6a9c72fafaf43be870c08aaaa1ced4b0289fa435102e26fc14f5d16745dba55a.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2152
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OFM197B.tmp

Filesize
48KB

MD5
511d84514d1c54647c173a3e4dfb2b69

SHA1
98a8744f8950ff485669a7f6ce1ef0fa3e0b2d82

SHA256
9e02cc7e7d435d5a66e99ef4277247a7c7bae27ebb2b5ccbc79581544c46f12e

SHA512
59235b1227f53a791ce745f1b11ba584a89ea44bd027610a8cc2c4f34db27cb4264b51ce4f677c8d860b5932ba26d20fb7c7acffce2f8b10fcce89c397ee74fd

Download Submit
\Users\Admin\AppData\Local\Temp\EXE197A.tmp

Filesize
968KB

MD5
0f619e7352920d8d21926f2b715e0794

SHA1
cdd75d72647b1c75477c069b51b5f8ab5dc63e50

SHA256
e6090962c2504441c1cd5f6ee75dd5ffbddc38062f02807f0d44176d8f464381

SHA512
380592a1382f40d80839efea429619470b09fc0c0aad8666c6392d8dbd112f5e8719538fc93044454f4ce67375aaae8da59e09563b167ff8adf34240be684dae

Download Submit