9dadc8706de9b0cfb8bd1a30cc5d6d5d853e1e183497b1df760159f19c0fbf17

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
26-05-2024 16:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$_3_.exe
Size

1.8MB
MD5

9ab5db4bb5971035b4d287d64f9676b5
SHA1

33d17f016339572dd05c124d6243fffefd0cd039
SHA256

f2126481c02d2a5af29e56023902a0897d05867c1caaf8079cf6e1f05dd9b209
SHA512

d36262fdd4d8bd083d8537f0698c423240c9e42b2dc0048e2470d87411f295d6e3428587b76b0486875495d502f1f31f9edf3eb6fdb914f13421b7f29fa5f066
SSDEEP

49152:G0BIrT/YNRoLlps7tZokvTopSdmX4Foni7iMmdc:GbTRps7Xj

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2064	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2444	$_3_.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2444	$_3_.exe
2444	$_3_.exe
2444	$_3_.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2444 wrote to memory of 1304	2444	$_3_.exe	30
PID 2444 wrote to memory of 1304	2444	$_3_.exe	30
PID 2444 wrote to memory of 1304	2444	$_3_.exe	30
PID 2444 wrote to memory of 1304	2444	$_3_.exe	30
PID 1304 wrote to memory of 2064	1304	cmd.exe	32
PID 1304 wrote to memory of 2064	1304	cmd.exe	32
PID 1304 wrote to memory of 2064	1304	cmd.exe	32
PID 1304 wrote to memory of 2064	1304	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\$_3_.exe
"C:\Users\Admin\AppData\Local\Temp\$_3_.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\23510.bat" "C:\Users\Admin\AppData\Local\Temp\E5386705EDBB43EA823B9C63B9E6C14E\""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1304
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - Runs ping.exe
    PID:2064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2737914667-933161113-3798636211-1000\$ILT8HV1

Filesize
544B

MD5
bbc9cd3a706ab84510acdea2f11b88cf

SHA1
e2f912dc487d75baabdd2e0dd6c2e9a4e36084a3

SHA256
b3393b630885ddb467936835d11aadaf81fcb348caddb4251cca2b896314909c

SHA512
c4b9627c265ad800ae400e37fdcc8a39fac960fd5655720e7aed12a8a7f5cc2df83e5791f6541dd93895895aa0a8c67d6fd4495d16e75b4e459d14fc63852071

Download Submit
C:\Users\Admin\AppData\Local\Temp\23510.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\E5386705EDBB43EA823B9C63B9E6C14E\E5386705EDBB43EA823B9C63B9E6C14E_LogFile.txt

Filesize
9KB

MD5
44d1fed3111cd892e161b0c4d25939d2

SHA1
6def01fd16f54cccb5f3406d959c501f7b01400e

SHA256
4c7b1ce6a86c0904c0bcf952e32448ac906be41cd51c09dda10c9734db900e4c

SHA512
72aedbb5edff4c3dba0d3377adfc12edf1d0acf7c3dcb76ca8b200a5fc6080dc3bbf5b4301eb9ae575f5bccb85d95dfc9dd87f2e7ffe90af32bff0c63a5a6112

Download Submit
C:\Users\Admin\AppData\Local\Temp\E5386705EDBB43EA823B9C63B9E6C14E\E53867~1.TXT

Filesize
110KB

MD5
3aca3e19b50cee63693e92f2df891e3d

SHA1
a8b33a28178de1cac2f8ceda1babd26fd46b1344

SHA256
c15c410ac4cc8ae783030f792a02ff53fc7fd81f854bb93946fa3fc173c59152

SHA512
b533f097ff31d2526052a0a9b9612011145cc827544564bc77cae39706ea78b7a465a92f9c17a26e04a8c5d344a01da4ffa157bfac605c2242bb0c7442f0b115

Download Submit
memory/2444-67-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2444-197-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download