826245a18d2ae0a7ecefbd4dcb092d791c4df814a20d4bf469afd5d53454289a

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
31/05/2024, 20:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$_3_.exe
Size

1.7MB
MD5

d4c16982f8a834bc0f8028b45c3ae543
SHA1

9d9cec9af8f23a23521e20d48d9af1024663a4a7
SHA256

932badf8ce27381bd595c9d861d7f7142fe98f233a893a2003a5f5e5ec163b3b
SHA512

c94b8d978afac107c08a5405cf9510e48d4bcf1284292eee1d08898f1c7a43a83a9655dc4d85d27d3b825e45a8f136c7beb71405fab94bb5e2437b7c4ad44b5c
SSDEEP

49152:n7mrmYPoEHVGTWFkO4ITVpSuEqM/vrM3rA3SuN5:km2Z12WFYFVf

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2056	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1948	$_3_.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1948	$_3_.exe
1948	$_3_.exe
1948	$_3_.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 2904	1948	$_3_.exe	30
PID 1948 wrote to memory of 2904	1948	$_3_.exe	30
PID 1948 wrote to memory of 2904	1948	$_3_.exe	30
PID 1948 wrote to memory of 2904	1948	$_3_.exe	30
PID 2904 wrote to memory of 2056	2904	cmd.exe	32
PID 2904 wrote to memory of 2056	2904	cmd.exe	32
PID 2904 wrote to memory of 2056	2904	cmd.exe	32
PID 2904 wrote to memory of 2056	2904	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\$_3_.exe
"C:\Users\Admin\AppData\Local\Temp\$_3_.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\10759.bat" "C:\Users\Admin\AppData\Local\Temp\D06C433B9A2146C293B2D9D21D6EB9B0\""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - Runs ping.exe
    PID:2056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2721934792-624042501-2768869379-1000\$I4JADWH

Filesize
544B

MD5
8b155c14e73556d2437d4581491d0008

SHA1
7217aaa857a3d4a9058d5139609f1937c066c5e0

SHA256
962d64385f9ed5f5e179e54fa26a3145a40305669221d0b06c72160f82619b05

SHA512
b9b457f3566a54c7978301f2b8746c437c720dde35c7168996a33da9c4ecd685751aec634fb9f8316ef149fa2613ed4bd08e09d37d7e76b9caad4026cb3a32fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\10759.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\D06C433B9A2146C293B2D9D21D6EB9B0\D06C433B9A2146C293B2D9D21D6EB9B0_LogFile.txt

Filesize
4KB

MD5
9a892a63bfffe3e9ca96fff3a0848fea

SHA1
1b3745af75f8484d6fe5aa8dbc8c465f3d11e620

SHA256
4fa3bc79bf3e9f7c477168fb640aea4d7376a7038029cf371b85eefc56161120

SHA512
5954c8596edcbdbf29ead07923b6615cc1929bcb29c589c37bc980c3742d599ca0c095342953bcc173b09d636784fa35ac593249749b1a4928146ed89abe0216

Download Submit
C:\Users\Admin\AppData\Local\Temp\D06C433B9A2146C293B2D9D21D6EB9B0\D06C43~1.TXT

Filesize
28KB

MD5
2d1700684046e09801f9827398ec1707

SHA1
1ef535ccdfd9a18ad96445eb79150d3f389303a3

SHA256
2aed9af7288aed2e2f565ea017e58f97936079effa672dd18ef5827b6bfdb27a

SHA512
2a2b4e2a6defd0cc8fd2a3b46d9d3c8881bc1719efacce8dac8bf540d3e38a988e34e1206800b1d82cdca323176bc1afc894e41abe6029a514b9d4d0a752beaf

Download Submit
memory/1948-67-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/1948-201-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download