cf0e81a64f83177928800fb796b42b6ba0cc184664849b5583c38ee3052c842b

Analysis

max time kernel
120s
max time network
127s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25/05/2024, 21:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$_3_.exe
Size

1.8MB
MD5

e35e058dd2119eb0f0e852f8738fbab5
SHA1

b7f9388398a9643eddb97a6c2ebaf28b6189c9a8
SHA256

17158e4838c580edce7f87e677531324579734a5ffbabefac8ce038030f11556
SHA512

d42ec1b3875e5a5cb23e520c2633081304d61ea282407dbb52d4b8c58bee4ccec377e291b485d6e6f5490920838c4b520fcd029897c6be4ac5da3bf19e46ac2c
SSDEEP

49152:rc4u49CbNSFXVJUtSH9zaTRpSWa6zjQWLtm5YXld:rz4GFJUtYf

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2492	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2172	$_3_.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2172	$_3_.exe
2172	$_3_.exe
2172	$_3_.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2100	2172	$_3_.exe	32
PID 2172 wrote to memory of 2100	2172	$_3_.exe	32
PID 2172 wrote to memory of 2100	2172	$_3_.exe	32
PID 2172 wrote to memory of 2100	2172	$_3_.exe	32
PID 2100 wrote to memory of 2492	2100	cmd.exe	34
PID 2100 wrote to memory of 2492	2100	cmd.exe	34
PID 2100 wrote to memory of 2492	2100	cmd.exe	34
PID 2100 wrote to memory of 2492	2100	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\$_3_.exe
"C:\Users\Admin\AppData\Local\Temp\$_3_.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\29793.bat" "C:\Users\Admin\AppData\Local\Temp\75A72B49EB684637A1F4DFEAD730ECF7\""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2100
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - Runs ping.exe
    PID:2492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-330940541-141609230-1670313778-1000\$I0U1R9Z

Filesize
544B

MD5
a71a62d05c91b890c99fa1faa186f70a

SHA1
3d43cb8fda6fbe69f8ab5ca9e9fdccc4321d7264

SHA256
cb90b91d8b7f37f5fcda188bca0ea2188a97e80da7d13a75ab94723ad83ee26e

SHA512
118260aa610e92da9ffee464e9a8f3e09be03e251821149b4f6624f6e1045ecc9f2bb8e732dbf14ce8683029a60d03283adbd83da5b2d3414246545cea2238eb

Download Submit
C:\$Recycle.Bin\S-1-5-21-330940541-141609230-1670313778-1000\$I1JQA3U

Filesize
544B

MD5
0f87331c3c24149087bb0ec676a5d3f4

SHA1
821d01f6f0475376b325e88bae09a40400ed005d

SHA256
ad3efff0b946dd00c5355fda38c323190b6c2d140d18d22a4366753ffa985313

SHA512
cfcc2a59d84e8d4e17daa46200bb78a0cc3fcced29b7e7f6c13f13e6f8baf22f4f6d2e5e0b5c26f5f70f3ae44ebac68808a9286c06157130cc10084868628676

Download Submit
C:\Users\Admin\AppData\Local\Temp\29793.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\75A72B49EB684637A1F4DFEAD730ECF7\75A72B49EB684637A1F4DFEAD730ECF7_LogFile.txt

Filesize
9KB

MD5
23214cdc0e510b416c9b3ad421ee1614

SHA1
637e3b306890744ff9eb52a3fd5c8176b0d6ac39

SHA256
896d74ccd851e7705e6be792c9aff1437fa336bd51819b6fbbd5783d3c666b9a

SHA512
7bb3f4b41bd7136914b9cfa555c1c98feb6e3f9f53be3df0473233cbeb1326968fc8e14618b2470a6a65c0cdadc3635f6a7e7740a09abb89e0efc2b87c32d3d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\75A72B49EB684637A1F4DFEAD730ECF7\75A72B~1.TXT

Filesize
105KB

MD5
40c01c2d6841be10b03c0478c14d0b50

SHA1
9288e551952ad763539b296761f83e73f60bb2b0

SHA256
f868d5a6c401ee20910919a83caffab50d327d73355b1c8963ab5fbe0f46d494

SHA512
8baf112e60621c7a5771d00ce6506f474d4accfb7177034219e6cc56755d465b99db9d4bfc8fc3a32523dcd34e2a1a63c44f599bcd851a026671044a61c2b80a

Download Submit
memory/2172-63-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/2172-201-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download