f38dfbe31ae4e92a5004b79559385e11e4b9a8276bd08e314de901d7ab138e8f

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25-05-2024 17:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f38dfbe31ae4e92a5004b79559385e11e4b9a8276bd08e314de901d7ab138e8f.exe
Size

3.5MB
MD5

82d7a8e1c7ccc06bc9b9f02aadab7e46
SHA1

90381e6567736e6f6924ca3b49c4cffce5dd22dd
SHA256

f38dfbe31ae4e92a5004b79559385e11e4b9a8276bd08e314de901d7ab138e8f
SHA512

4f3b5d515aab69919eb38c7e6f0adf7d04e9074a839db2dbcb089fe9608a0e89893891abd5acdf6a37aeb36068518d94d1b4606322157b143d426a5fa84a7c94
SSDEEP

49152:4iCrJIy7Nd4x6aeJ3UKGuaimbQGB937qyNFIlJmXywwb3MLFLKT8cgxPdkxj2DYw:4iTy7N+RemZixI932yH3QbgxWMYAZh

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2968	f38dfbe31ae4e92a5004b79559385e11e4b9a8276bd08e314de901d7ab138e8f.tmp
3000	card_code_check.exe

Loads dropped DLL 3 IoCs

pid	Process
2524	f38dfbe31ae4e92a5004b79559385e11e4b9a8276bd08e314de901d7ab138e8f.exe
2968	f38dfbe31ae4e92a5004b79559385e11e4b9a8276bd08e314de901d7ab138e8f.tmp
2584	Process not Found

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 2968	2524	f38dfbe31ae4e92a5004b79559385e11e4b9a8276bd08e314de901d7ab138e8f.exe	28
PID 2524 wrote to memory of 2968	2524	f38dfbe31ae4e92a5004b79559385e11e4b9a8276bd08e314de901d7ab138e8f.exe	28
PID 2524 wrote to memory of 2968	2524	f38dfbe31ae4e92a5004b79559385e11e4b9a8276bd08e314de901d7ab138e8f.exe	28
PID 2524 wrote to memory of 2968	2524	f38dfbe31ae4e92a5004b79559385e11e4b9a8276bd08e314de901d7ab138e8f.exe	28
PID 2524 wrote to memory of 2968	2524	f38dfbe31ae4e92a5004b79559385e11e4b9a8276bd08e314de901d7ab138e8f.exe	28
PID 2524 wrote to memory of 2968	2524	f38dfbe31ae4e92a5004b79559385e11e4b9a8276bd08e314de901d7ab138e8f.exe	28
PID 2524 wrote to memory of 2968	2524	f38dfbe31ae4e92a5004b79559385e11e4b9a8276bd08e314de901d7ab138e8f.exe	28
PID 2968 wrote to memory of 3000	2968	f38dfbe31ae4e92a5004b79559385e11e4b9a8276bd08e314de901d7ab138e8f.tmp	29
PID 2968 wrote to memory of 3000	2968	f38dfbe31ae4e92a5004b79559385e11e4b9a8276bd08e314de901d7ab138e8f.tmp	29
PID 2968 wrote to memory of 3000	2968	f38dfbe31ae4e92a5004b79559385e11e4b9a8276bd08e314de901d7ab138e8f.tmp	29
PID 2968 wrote to memory of 3000	2968	f38dfbe31ae4e92a5004b79559385e11e4b9a8276bd08e314de901d7ab138e8f.tmp	29

C:\Users\Admin\AppData\Local\Temp\f38dfbe31ae4e92a5004b79559385e11e4b9a8276bd08e314de901d7ab138e8f.exe
"C:\Users\Admin\AppData\Local\Temp\f38dfbe31ae4e92a5004b79559385e11e4b9a8276bd08e314de901d7ab138e8f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Users\Admin\AppData\Local\Temp\is-CUMJE.tmp\f38dfbe31ae4e92a5004b79559385e11e4b9a8276bd08e314de901d7ab138e8f.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-CUMJE.tmp\f38dfbe31ae4e92a5004b79559385e11e4b9a8276bd08e314de901d7ab138e8f.tmp" /SL5="$4010A,2801720,762880,C:\Users\Admin\AppData\Local\Temp\f38dfbe31ae4e92a5004b79559385e11e4b9a8276bd08e314de901d7ab138e8f.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Users\Admin\AppData\Local\Temp\is-SGFJC.tmp\card_code_check.exe
    "C:\Users\Admin\AppData\Local\Temp\is-SGFJC.tmp\card_code_check.exe" 0 0 0 3000 DLC8PLJZUFQNYGMM
    3⤵
    - Executes dropped EXE
    PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\is-CUMJE.tmp\f38dfbe31ae4e92a5004b79559385e11e4b9a8276bd08e314de901d7ab138e8f.tmp

Filesize
3.0MB

MD5
4151fa3b2b59a6496ec6e0e75486c996

SHA1
c113e1681f440866c234562bb293ae8ab4849e33

SHA256
cdb7960f466cd9309fe84fff48fdab85759b0700f81f3dcfd46cb3c5d87ce1ef

SHA512
86ae2c1cf00bb317848356bcc8abcabb9c17ad0f11b7916bb8a04072c3ec9079b85ea3a69549abe0a4d1ad5e3c4c2123b052b1b82e8a38173716f1044f122e94

Download Submit
\Users\Admin\AppData\Local\Temp\is-SGFJC.tmp\card_code_check.exe

Filesize
2.3MB

MD5
629efc3d76f7f57bcbab0e9208531b04

SHA1
c5b57110ea4fe6080e994bbb0312b49d97d57393

SHA256
d6ff9c2c14053edc88708f562e2414806979c8ac7f2425699448fc9b7ce86ff3

SHA512
a0eb1f0d430b76eb38a3c440f005f1ee39b9bf0f63d3a9e96c82ff3a34d2d321fd6cb32b625287a52665b6acae6a1b6b951ce87b9543de74314c9cbbc8996dfc

Download Submit
memory/2524-2-0x0000000000401000-0x00000000004A8000-memory.dmp

Filesize
668KB

Download
memory/2524-0-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2524-21-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2968-9-0x0000000000400000-0x0000000000706000-memory.dmp

Filesize
3.0MB

Download
memory/2968-19-0x0000000000400000-0x0000000000706000-memory.dmp

Filesize
3.0MB

Download