f054850c537d82bf747e5702c6f4000d349894877d614d5a53a0e11068bef00e

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
01-06-2024 05:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f054850c537d82bf747e5702c6f4000d349894877d614d5a53a0e11068bef00e.exe
Size

36KB
MD5

1033d8e7be1fae8cabc05bd3114399a6
SHA1

2b3c21b6fa9d4faea5d01cf7b0a4f11795c162dc
SHA256

f054850c537d82bf747e5702c6f4000d349894877d614d5a53a0e11068bef00e
SHA512

a5f6cb9adf83135b25f7019c5701101e82f0bb79b850f185623644fc6a39d4f0fa40fb19e7704314707ec4b59d846a73e91b092f9aa81e74e46d93aac4b83068
SSDEEP

384:y9azGWcd5DUVQQZM+JKcCNwU1Mf9Yl4ynIs3guaJDMe20rND:+azGWc7RY1JgNwmZlj3p6C0rR

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2360	ztdvl.exe

Loads dropped DLL 1 IoCs

pid	Process
2128	f054850c537d82bf747e5702c6f4000d349894877d614d5a53a0e11068bef00e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 2360	2128	f054850c537d82bf747e5702c6f4000d349894877d614d5a53a0e11068bef00e.exe	28
PID 2128 wrote to memory of 2360	2128	f054850c537d82bf747e5702c6f4000d349894877d614d5a53a0e11068bef00e.exe	28
PID 2128 wrote to memory of 2360	2128	f054850c537d82bf747e5702c6f4000d349894877d614d5a53a0e11068bef00e.exe	28
PID 2128 wrote to memory of 2360	2128	f054850c537d82bf747e5702c6f4000d349894877d614d5a53a0e11068bef00e.exe	28

C:\Users\Admin\AppData\Local\Temp\f054850c537d82bf747e5702c6f4000d349894877d614d5a53a0e11068bef00e.exe
"C:\Users\Admin\AppData\Local\Temp\f054850c537d82bf747e5702c6f4000d349894877d614d5a53a0e11068bef00e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Users\Admin\AppData\Local\Temp\ztdvl.exe
  "C:\Users\Admin\AppData\Local\Temp\ztdvl.exe"
  2⤵
  - Executes dropped EXE
  PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\ztdvl.exe

Filesize
37KB

MD5
3810b989fe5a4e99087647130b4e7b50

SHA1
b11f0883a76a0ccafe7ad7746642893012737420

SHA256
ebab29f25dd4f4dda1b2b7f08d141c902f3f85e60e62893fddf9bc077b9fdd62

SHA512
db8aa0f2da2180e056ef68d0e37b777a080bde4d92ea5fb0b49fd3fa955021fba81f303beb6b0a05e160a750f029a6f93844427ab31c3a9190fb97974aacfaa7

Download Submit
memory/2128-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2128-2-0x0000000000402000-0x0000000000403000-memory.dmp

Filesize
4KB

Download
memory/2128-8-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2360-10-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download