b5f524fb3ed8f651f1ef5549af543a4a6944dd12074ad91298ea8361769656ce

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
30-05-2024 05:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$_3_.exe
Size

1.8MB
MD5

9ab5db4bb5971035b4d287d64f9676b5
SHA1

33d17f016339572dd05c124d6243fffefd0cd039
SHA256

f2126481c02d2a5af29e56023902a0897d05867c1caaf8079cf6e1f05dd9b209
SHA512

d36262fdd4d8bd083d8537f0698c423240c9e42b2dc0048e2470d87411f295d6e3428587b76b0486875495d502f1f31f9edf3eb6fdb914f13421b7f29fa5f066
SSDEEP

49152:G0BIrT/YNRoLlps7tZokvTopSdmX4Foni7iMmdc:GbTRps7Xj

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1632	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2068	$_3_.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2068	$_3_.exe
2068	$_3_.exe
2068	$_3_.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 860	2068	$_3_.exe	30
PID 2068 wrote to memory of 860	2068	$_3_.exe	30
PID 2068 wrote to memory of 860	2068	$_3_.exe	30
PID 2068 wrote to memory of 860	2068	$_3_.exe	30
PID 860 wrote to memory of 1632	860	cmd.exe	32
PID 860 wrote to memory of 1632	860	cmd.exe	32
PID 860 wrote to memory of 1632	860	cmd.exe	32
PID 860 wrote to memory of 1632	860	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\$_3_.exe
"C:\Users\Admin\AppData\Local\Temp\$_3_.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\3541.bat" "C:\Users\Admin\AppData\Local\Temp\8EC2ABA1ED424AB992F2F27863351C28\""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:860
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - Runs ping.exe
    PID:1632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-481678230-3773327859-3495911762-1000\$I843GJO

Filesize
544B

MD5
2a1fd0a8b745389483bf0cef6dae147e

SHA1
3282d34709d5c60a7f3d733c6a5c019dcafaba57

SHA256
323c4f174e9f9028ca6941c73e441aab346d9599cf4d1f0073b196b801f350d1

SHA512
776edf1810a7aed60c6e7c80608364fe05c450c5b90e3b3b5dca2af345c7bc5a14d44cb14125b1c16d8a7035377dce5be7efc278c101d75cf0200638d9e9ec7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3541.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\8EC2ABA1ED424AB992F2F27863351C28\8EC2ABA1ED424AB992F2F27863351C28_LogFile.txt

Filesize
9KB

MD5
95f6b14c8f779f25b3ba04bcf85679cd

SHA1
071412398b589f4148cf832832e822fdce4f4f03

SHA256
56e1037687ab7cbd81625581985298e9c71fa5509e2003399303b1c66924422f

SHA512
c7d553cb7d90cf191b8f5458cc3909a7ed142407627049f76ac9c2a8330a7ebcba3d57e2d4c20591d6db33dfbb292ac0b30cb979b850ee18fc694b3a8ee22286

Download Submit
C:\Users\Admin\AppData\Local\Temp\8EC2ABA1ED424AB992F2F27863351C28\8EC2AB~1.TXT

Filesize
109KB

MD5
f695221d7a94f812be82c8e0a3fc730c

SHA1
60feed1bfe7c48a78d1d4ce6d157c0f356c6f460

SHA256
fe6a7ca7faa142ba0bce1e39f92992542e65c062bdd67855df340c2b40e8b9ef

SHA512
56e18533be97b8ec4744390068a47215fc8a7118ffe6cf42b004d043491e3917d922f630eed897c074830c27ffbccf939e056c4bc40dfad9b4cde7fb4ebef0bb

Download Submit
memory/2068-64-0x00000000004A0000-0x00000000004A1000-memory.dmp

Filesize
4KB

Download
memory/2068-197-0x00000000004A0000-0x00000000004A1000-memory.dmp

Filesize
4KB

Download