a2a4e93cf2f41454cc3505e003c7d0bbf4f60ad2b62e6bc40152ea7d6ff83d8e

Analysis

max time kernel
117s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23/05/2024, 19:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2a4e93cf2f41454cc3505e003c7d0bbf4f60ad2b62e6bc40152ea7d6ff83d8e.exe
Size

5.4MB
MD5

f5447a6dfc5fdcf7de9d0e46b6aa6ca2
SHA1

9d68a4c28a93d577d1017db27749273c41de3d8a
SHA256

a2a4e93cf2f41454cc3505e003c7d0bbf4f60ad2b62e6bc40152ea7d6ff83d8e
SHA512

15fed8df5f23c029e184e1c35c2043282ec27b624d1ad4cb8e3d62147616d9cd1863fab1dc29fa1c2c3f303da9c8cf1fafce3cf5af2c275884012ea9a23dcaf6
SSDEEP

98304:QiTy7MbNyTOgXDGXbCewi5bflQnJcOTLG+CpxJmrXVOd4sLWdJt7R95wqdqS9I1k:QBI8DGX1bd+aOvG3pmrXGMt7RndqS92k

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
2504	a2a4e93cf2f41454cc3505e003c7d0bbf4f60ad2b62e6bc40152ea7d6ff83d8e.tmp
2624	install_tool.exe
2536	install_tool.exe
2696	install_tool.exe
2584	card_code_check.exe

Loads dropped DLL 9 IoCs

pid	Process
2092	a2a4e93cf2f41454cc3505e003c7d0bbf4f60ad2b62e6bc40152ea7d6ff83d8e.exe
2504	a2a4e93cf2f41454cc3505e003c7d0bbf4f60ad2b62e6bc40152ea7d6ff83d8e.tmp
2724	Process not Found
2504	a2a4e93cf2f41454cc3505e003c7d0bbf4f60ad2b62e6bc40152ea7d6ff83d8e.tmp
2052	Process not Found
2504	a2a4e93cf2f41454cc3505e003c7d0bbf4f60ad2b62e6bc40152ea7d6ff83d8e.tmp
2440	Process not Found
2504	a2a4e93cf2f41454cc3505e003c7d0bbf4f60ad2b62e6bc40152ea7d6ff83d8e.tmp
2468	Process not Found

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2696	install_tool.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 2504	2092	a2a4e93cf2f41454cc3505e003c7d0bbf4f60ad2b62e6bc40152ea7d6ff83d8e.exe	28
PID 2092 wrote to memory of 2504	2092	a2a4e93cf2f41454cc3505e003c7d0bbf4f60ad2b62e6bc40152ea7d6ff83d8e.exe	28
PID 2092 wrote to memory of 2504	2092	a2a4e93cf2f41454cc3505e003c7d0bbf4f60ad2b62e6bc40152ea7d6ff83d8e.exe	28
PID 2092 wrote to memory of 2504	2092	a2a4e93cf2f41454cc3505e003c7d0bbf4f60ad2b62e6bc40152ea7d6ff83d8e.exe	28
PID 2092 wrote to memory of 2504	2092	a2a4e93cf2f41454cc3505e003c7d0bbf4f60ad2b62e6bc40152ea7d6ff83d8e.exe	28
PID 2092 wrote to memory of 2504	2092	a2a4e93cf2f41454cc3505e003c7d0bbf4f60ad2b62e6bc40152ea7d6ff83d8e.exe	28
PID 2092 wrote to memory of 2504	2092	a2a4e93cf2f41454cc3505e003c7d0bbf4f60ad2b62e6bc40152ea7d6ff83d8e.exe	28
PID 2504 wrote to memory of 2624	2504	a2a4e93cf2f41454cc3505e003c7d0bbf4f60ad2b62e6bc40152ea7d6ff83d8e.tmp	29
PID 2504 wrote to memory of 2624	2504	a2a4e93cf2f41454cc3505e003c7d0bbf4f60ad2b62e6bc40152ea7d6ff83d8e.tmp	29
PID 2504 wrote to memory of 2624	2504	a2a4e93cf2f41454cc3505e003c7d0bbf4f60ad2b62e6bc40152ea7d6ff83d8e.tmp	29
PID 2504 wrote to memory of 2624	2504	a2a4e93cf2f41454cc3505e003c7d0bbf4f60ad2b62e6bc40152ea7d6ff83d8e.tmp	29
PID 2504 wrote to memory of 2536	2504	a2a4e93cf2f41454cc3505e003c7d0bbf4f60ad2b62e6bc40152ea7d6ff83d8e.tmp	31
PID 2504 wrote to memory of 2536	2504	a2a4e93cf2f41454cc3505e003c7d0bbf4f60ad2b62e6bc40152ea7d6ff83d8e.tmp	31
PID 2504 wrote to memory of 2536	2504	a2a4e93cf2f41454cc3505e003c7d0bbf4f60ad2b62e6bc40152ea7d6ff83d8e.tmp	31
PID 2504 wrote to memory of 2536	2504	a2a4e93cf2f41454cc3505e003c7d0bbf4f60ad2b62e6bc40152ea7d6ff83d8e.tmp	31
PID 2536 wrote to memory of 2884	2536	install_tool.exe	33
PID 2536 wrote to memory of 2884	2536	install_tool.exe	33
PID 2536 wrote to memory of 2884	2536	install_tool.exe	33
PID 2884 wrote to memory of 2572	2884	cmd.exe	34
PID 2884 wrote to memory of 2572	2884	cmd.exe	34
PID 2884 wrote to memory of 2572	2884	cmd.exe	34
PID 2572 wrote to memory of 2608	2572	net.exe	35
PID 2572 wrote to memory of 2608	2572	net.exe	35
PID 2572 wrote to memory of 2608	2572	net.exe	35
PID 2504 wrote to memory of 2696	2504	a2a4e93cf2f41454cc3505e003c7d0bbf4f60ad2b62e6bc40152ea7d6ff83d8e.tmp	36
PID 2504 wrote to memory of 2696	2504	a2a4e93cf2f41454cc3505e003c7d0bbf4f60ad2b62e6bc40152ea7d6ff83d8e.tmp	36
PID 2504 wrote to memory of 2696	2504	a2a4e93cf2f41454cc3505e003c7d0bbf4f60ad2b62e6bc40152ea7d6ff83d8e.tmp	36
PID 2504 wrote to memory of 2696	2504	a2a4e93cf2f41454cc3505e003c7d0bbf4f60ad2b62e6bc40152ea7d6ff83d8e.tmp	36
PID 2504 wrote to memory of 2584	2504	a2a4e93cf2f41454cc3505e003c7d0bbf4f60ad2b62e6bc40152ea7d6ff83d8e.tmp	38
PID 2504 wrote to memory of 2584	2504	a2a4e93cf2f41454cc3505e003c7d0bbf4f60ad2b62e6bc40152ea7d6ff83d8e.tmp	38
PID 2504 wrote to memory of 2584	2504	a2a4e93cf2f41454cc3505e003c7d0bbf4f60ad2b62e6bc40152ea7d6ff83d8e.tmp	38
PID 2504 wrote to memory of 2584	2504	a2a4e93cf2f41454cc3505e003c7d0bbf4f60ad2b62e6bc40152ea7d6ff83d8e.tmp	38

C:\Users\Admin\AppData\Local\Temp\a2a4e93cf2f41454cc3505e003c7d0bbf4f60ad2b62e6bc40152ea7d6ff83d8e.exe
"C:\Users\Admin\AppData\Local\Temp\a2a4e93cf2f41454cc3505e003c7d0bbf4f60ad2b62e6bc40152ea7d6ff83d8e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Users\Admin\AppData\Local\Temp\is-UK1L6.tmp\a2a4e93cf2f41454cc3505e003c7d0bbf4f60ad2b62e6bc40152ea7d6ff83d8e.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-UK1L6.tmp\a2a4e93cf2f41454cc3505e003c7d0bbf4f60ad2b62e6bc40152ea7d6ff83d8e.tmp" /SL5="$70122,4824881,797696,C:\Users\Admin\AppData\Local\Temp\a2a4e93cf2f41454cc3505e003c7d0bbf4f60ad2b62e6bc40152ea7d6ff83d8e.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Users\Admin\AppData\Local\Temp\is-6M38E.tmp\install_tool.exe
    "C:\Users\Admin\AppData\Local\Temp\is-6M38E.tmp\install_tool.exe" 2 Steam\Steam.lnk C:\Users\Admin\AppData\Local\Temp\is-6M38E.tmp\findpath.txt
    3⤵
    - Executes dropped EXE
    PID:2624
- - C:\Users\Admin\AppData\Local\Temp\is-6M38E.tmp\install_tool.exe
    "C:\Users\Admin\AppData\Local\Temp\is-6M38E.tmp\install_tool.exe" 4 steam_host
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2536
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c net stop steam_host
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2884
    - - C:\Windows\system32\net.exe
        
        net stop steam_host
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2572
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop steam_host
        6⤵
        
        PID:2608
- - C:\Users\Admin\AppData\Local\Temp\is-6M38E.tmp\install_tool.exe
    "C:\Users\Admin\AppData\Local\Temp\is-6M38E.tmp\install_tool.exe" 3 WindowsUpdateBlocker.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2696
- - C:\Users\Admin\AppData\Local\Temp\is-6M38E.tmp\card_code_check.exe
    "C:\Users\Admin\AppData\Local\Temp\is-6M38E.tmp\card_code_check.exe" 0 0 0 3000 ZXCVQGGJJZUWHKDQ
    3⤵
    - Executes dropped EXE
    PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-6M38E.tmp\card_code_check.exe

Filesize
103KB

MD5
e599549b26145a23da8288b5dcb15723

SHA1
919858d333c51d4b3fc74c21457b0598793ed4db

SHA256
d2189ed466e0f6bd4c612694b7c56f19323f0a48c931ac5321335006c9dd5780

SHA512
dfb46c256c91443416a4436d04adbf89966ee7556345e85afbd41d69270dfa0cf6d7c6f79867e1847da977b68844060664293bf655b8c1d744f14067df802fce

Download Submit
\Users\Admin\AppData\Local\Temp\is-6M38E.tmp\install_tool.exe

Filesize
138KB

MD5
009e852552e1d71fd3547afd2d34ceb0

SHA1
db252b1eac7e356972689c555ea51416be10b4ff

SHA256
7ab988c5636873d60ba082bbcbabcdd10a4399578f7328e16f4966a658f193ac

SHA512
aa509d6fd12a01a44e98aaa9fd77608b4c720bd9347104b4a19d0ee9e04da42da3b6994b84332f18798735dc0ccd48d5a350caf05fe5be4e5af0a06590059b7a

Download Submit
\Users\Admin\AppData\Local\Temp\is-UK1L6.tmp\a2a4e93cf2f41454cc3505e003c7d0bbf4f60ad2b62e6bc40152ea7d6ff83d8e.tmp

Filesize
3.0MB

MD5
45dc976bf2b5db845f3a6c12f8aecd9d

SHA1
de467a57299197e07a07bf4c3921be3021bc0f35

SHA256
95901ea941b1e3ea67f371ccf39f9fbdf6268886babb63717a77a528f846d4b1

SHA512
03a233a14f434ce340b92347e8ebe6628dcb9ab495076f6879253fa1cb15bbf64aed3cab73457ad5238c7e22d87649dddbeeb748051fab4c09760d52b49fcf6b

Download Submit
memory/2092-0-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/2092-2-0x0000000000401000-0x00000000004A8000-memory.dmp

Filesize
668KB

Download
memory/2092-38-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/2504-8-0x0000000000400000-0x000000000070E000-memory.dmp

Filesize
3.1MB

Download
memory/2504-36-0x0000000000400000-0x000000000070E000-memory.dmp

Filesize
3.1MB

Download