0e89794017eae0fca6feb7750c28a4a962b9e23f9566b8479eb2b7369780f1fb

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
25/05/2024, 18:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

$_3_.exe
Size

1.8MB
MD5

9ab5db4bb5971035b4d287d64f9676b5
SHA1

33d17f016339572dd05c124d6243fffefd0cd039
SHA256

f2126481c02d2a5af29e56023902a0897d05867c1caaf8079cf6e1f05dd9b209
SHA512

d36262fdd4d8bd083d8537f0698c423240c9e42b2dc0048e2470d87411f295d6e3428587b76b0486875495d502f1f31f9edf3eb6fdb914f13421b7f29fa5f066
SSDEEP

49152:G0BIrT/YNRoLlps7tZokvTopSdmX4Foni7iMmdc:GbTRps7Xj

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1064	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2416	$_3_.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2416	$_3_.exe
2416	$_3_.exe
2416	$_3_.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 1952	2416	$_3_.exe	30
PID 2416 wrote to memory of 1952	2416	$_3_.exe	30
PID 2416 wrote to memory of 1952	2416	$_3_.exe	30
PID 2416 wrote to memory of 1952	2416	$_3_.exe	30
PID 1952 wrote to memory of 1064	1952	cmd.exe	32
PID 1952 wrote to memory of 1064	1952	cmd.exe	32
PID 1952 wrote to memory of 1064	1952	cmd.exe	32
PID 1952 wrote to memory of 1064	1952	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\$_3_.exe
"C:\Users\Admin\AppData\Local\Temp\$_3_.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5259.bat" "C:\Users\Admin\AppData\Local\Temp\04DA617134CA40AC98248C3A2EA1501F\""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1952
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - Runs ping.exe
    PID:1064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2737914667-933161113-3798636211-1000\$I3S0ABB

Filesize
544B

MD5
0643a0c154778e692168821cc4d5c0c3

SHA1
4e7d1db28b31d6ba3d954f894f9436c1842fc03a

SHA256
8863d0f3a04225430d74d5b23cc750f840ee533db276bd42b3590105ffc208d5

SHA512
f4e114b158471004e2112f93c47eb339206b2492fe5268c78c329e9b9288827d61b717e173e9172dcbb184ff970893dab576bc984f9487cc69a333d3e1e9fb7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\04DA617134CA40AC98248C3A2EA1501F\04DA617134CA40AC98248C3A2EA1501F_LogFile.txt

Filesize
9KB

MD5
56999fcd3de3d12232807f3b4287eccd

SHA1
836438950bd4f72701d8fa9e83fd78758868a376

SHA256
b26bdbe84c5b016d2ecd3956a8573f2d32750298455f7a2a8e58665e25bc0519

SHA512
7cdbde819072fca03fb5c5e98f5ba2e9f03d3bec88410aef3570f39fc91bc33a0cefa964c8ca3d4e99e7f235d92290fc4b169512bcae2a764b05cd8d575cb840

Download Submit
C:\Users\Admin\AppData\Local\Temp\04DA617134CA40AC98248C3A2EA1501F\04DA61~1.TXT

Filesize
109KB

MD5
5fe151a5b1264e82becfbb05830eacd1

SHA1
a1c79df96bf9f91134b6043f786ed95474f941bd

SHA256
c3979c1995bcf88b6e793e6d563d6c0a802fab34f912a5f2ed4f08b0e973379c

SHA512
ff0e10c93a8a829a79a351d7852ff59bb0f99f83bd11ea3fa7c1d8989e1f9f78b0da0111f5be4f8a50b8a44d845d10237a8c1140def19f9f959a246ba2470f6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\5259.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
memory/2416-63-0x00000000007B0000-0x00000000007B1000-memory.dmp

Filesize
4KB

Download
memory/2416-197-0x00000000007B0000-0x00000000007B1000-memory.dmp

Filesize
4KB

Download