4febbac0ce67c54fea3cf09f5ff2db8ff62d0019aa6e7bb27e63267c8642a697

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
31/05/2024, 10:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

$_3_.exe
Size

1.8MB
MD5

77bfacca17ee1d89833b57f3a746d9a0
SHA1

aa9490c913489c5eafd02f67f875efcb56d23036
SHA256

38571b0965110d07c6fbf4813ab628d4017cf52c681c457fb3f184b644fb0b52
SHA512

21ecc2fce94a58cd39127964730b01722b9dafa20d3af65b023fe83188c08211ba1324849513ffc10b6a359737f98c4d06770dc1954f8880daff938a06581e6f
SSDEEP

49152:/SNY8H0ZGF5j51XdQTPRPgojx1NslvUOl/WkMWAH:oY00Z8F1XdUL

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2172	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2348	$_3_.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2348	$_3_.exe
2348	$_3_.exe
2348	$_3_.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 648	2348	$_3_.exe	30
PID 2348 wrote to memory of 648	2348	$_3_.exe	30
PID 2348 wrote to memory of 648	2348	$_3_.exe	30
PID 2348 wrote to memory of 648	2348	$_3_.exe	30
PID 648 wrote to memory of 2172	648	cmd.exe	32
PID 648 wrote to memory of 2172	648	cmd.exe	32
PID 648 wrote to memory of 2172	648	cmd.exe	32
PID 648 wrote to memory of 2172	648	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\$_3_.exe
"C:\Users\Admin\AppData\Local\Temp\$_3_.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\16883.bat" "C:\Users\Admin\AppData\Local\Temp\AEC23F202BC94129866BB4E5E5E48F09\""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:648
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 1 -w 1000
    3⤵
    - Runs ping.exe
    PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\16883.bat

Filesize
214B

MD5
739fcc7ba42b209fe44bea47e7a8c48f

SHA1
bc7a448a7c018133edcf012bc94301623eb42c5b

SHA256
69017cdbbe68396f45e41d211b22d800cc1afc0eadbd3440873038585020315c

SHA512
2b2b130798b0f4e534626b9fb5deaa10bb1930e6700ac0ba7cf151c1bf3239039a7032ea67ceed86a4a4dbe981064c42a8e0f88fe8361e27002dd8ceb0ea767a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AEC23F202BC94129866BB4E5E5E48F09\AEC23F202BC94129866BB4E5E5E48F09_LogFile.txt

Filesize
5KB

MD5
ee85438d91cc755f358e72cad7ea0fef

SHA1
89ebb5a8e35fefff9d1fdd8548b9e84881374159

SHA256
1765f0b8c06dc55f9ee11a8e10f20a85e9fb83fa50f699bf1d1c87dd9d403677

SHA512
89f657ecdaa70d198b0d47bc8eeafb51d3e867917558f0924599ab3267c77376462998d0d4c688cd4e10ede49a739e0d92b07cf6c54fadbd250c3337845d2aca

Download Submit
C:\Users\Admin\AppData\Local\Temp\AEC23F202BC94129866BB4E5E5E48F09\AEC23F202BC94129866BB4E5E5E48F09_LogFile.txt

Filesize
2KB

MD5
1bf5525f1b748bd473b5e21c4bc63080

SHA1
a387b78faf0193b010a6b38a92abbecec1632493

SHA256
43de086999549d7c08c635c9ab989458be47ad6f1545d77dcc59cff5cd974663

SHA512
23cab34b8d5b07701810eb2f15b7654b7c810d8713db698a4392ef2a2cd9804900a0136ca8b50a421a492c3660b7dfde9848bacf8b89f1dea3f27334303f2428

Download Submit
C:\Users\Admin\AppData\Local\Temp\AEC23F202BC94129866BB4E5E5E48F09\AEC23F~1.TXT

Filesize
110KB

MD5
b7e099fe41ee24cbee219e03043481f8

SHA1
c3e9ebe0f51473521bc9b7c0a58dae30a36c8c4e

SHA256
7ebfaaff756fd1d26eed70fd34ce916538aef32f2c59307d9df05400e52e4377

SHA512
ed5455761cdbc20bea0b887ffe002a4f11d3efec1f972763afe753b1e1626705d7befff8079bab8817343948f726e65a1c17de8a45b257b3d0f5384859fabae3

Download Submit
memory/2348-61-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/2348-182-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download