Analysis

max time kernel: 148s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/06/2024, 22:29
Static task: static1

Behavioral task: behavioral1
  Sample: fdb4e10d1f83e739b67a66405db7a7faecbe0732084ff142b32ddda11384f5a5.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: fdb4e10d1f83e739b67a66405db7a7faecbe0732084ff142b32ddda11384f5a5.exe
  Resource: win10v2004-20240508-en

(The results below are from behavioral2, the win10v2004-20240508-en run named under "resource" above.)
General

Target: fdb4e10d1f83e739b67a66405db7a7faecbe0732084ff142b32ddda11384f5a5.exe
Size: 1.9MB
MD5: 76e25df71338301932c5b8aade8d479a
SHA1: fbf138d299e0f7c2599cfbce8d77054357750d92
SHA256: fdb4e10d1f83e739b67a66405db7a7faecbe0732084ff142b32ddda11384f5a5
SHA512: cfaae97d691e68db5dd811af25e0221d50e7f9a6bb3647792ba9ee5733169bf8b58c4f0d34a5b557c259e6d72c850bb5cc1e6a53d1b1d4e7eb0ff0c7bcb4db04
SSDEEP: 24576:f/ndghONSC29PdD9DecME/Ccf2gpgGVB/actsMNqkPW2E1Y0:fmhOP2pXD1+gp1rswE1Y0
Malware Config
Signatures

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Modifies registry class (2 IoCs)
  description   ioc                                                                                                                                   process
  Key created   \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\                                  fdb4e10d1f83e739b67a66405db7a7faecbe0732084ff142b32ddda11384f5a5.exe
  Key created   \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\   fdb4e10d1f83e739b67a66405db7a7faecbe0732084ff142b32ddda11384f5a5.exe
  Both entries are key creations only; the report records no values written under them. The WOW6432Node path means the keys were created through the 32-bit registry view, i.e. by a 32-bit process.

Suspicious use of WriteProcessMemory (6 IoCs)
  description                          pid    process                                                                   procid_target
  PID 1816 wrote to memory of 2716     1816   fdb4e10d1f83e739b67a66405db7a7faecbe0732084ff142b32ddda11384f5a5.exe     91
  PID 1816 wrote to memory of 2716     1816   fdb4e10d1f83e739b67a66405db7a7faecbe0732084ff142b32ddda11384f5a5.exe     91
  PID 1816 wrote to memory of 2716     1816   fdb4e10d1f83e739b67a66405db7a7faecbe0732084ff142b32ddda11384f5a5.exe     91
  PID 1816 wrote to memory of 4432     1816   fdb4e10d1f83e739b67a66405db7a7faecbe0732084ff142b32ddda11384f5a5.exe     93
  PID 1816 wrote to memory of 4432     1816   fdb4e10d1f83e739b67a66405db7a7faecbe0732084ff142b32ddda11384f5a5.exe     93
  PID 1816 wrote to memory of 4432     1816   fdb4e10d1f83e739b67a66405db7a7faecbe0732084ff142b32ddda11384f5a5.exe     93
  All six writes go from the sample (PID 1816) into PIDs 2716 and 4432, which are the two cmd.exe children it spawns (see Processes). A parent writing into a child it has just created is routine process setup, so on their own these entries are weak evidence of code injection; a write into a process the sample did not create would be the stronger signal, and none is recorded here.
Processes

[1] C:\Users\Admin\AppData\Local\Temp\fdb4e10d1f83e739b67a66405db7a7faecbe0732084ff142b32ddda11384f5a5.exe  (PID 1816)
    command line: "C:\Users\Admin\AppData\Local\Temp\fdb4e10d1f83e739b67a66405db7a7faecbe0732084ff142b32ddda11384f5a5.exe"
    signatures: Modifies registry class; Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\cmd.exe  (PID 2716, parent 1816)
        command line: C:\Windows\system32\cmd.exe /C C:\Users\Admin\AppData\Local\Temp\~RomDmp1\RomDump.com > C:\Users\Admin\AppData\Local\Temp\~RomDmp1\Rom.dmp

    [2] C:\Windows\SysWOW64\cmd.exe  (PID 4432, parent 1816)
        command line: C:\Windows\system32\cmd.exe /C C:\Users\Admin\AppData\Local\Temp\~RomDmp1\RomDump.com > C:\Users\Admin\AppData\Local\Temp\~RomDmp1\Rom.dmp

Both children are launched with the same command line: run RomDump.com from the ~RomDmp1 subdirectory of the sample's Temp directory and redirect its standard output to Rom.dmp in the same directory. The command line names C:\Windows\system32\cmd.exe but the image that actually ran is C:\Windows\SysWOW64\cmd.exe, so WOW64 file-system redirection applied; the sample is therefore a 32-bit process, which is consistent with its registry activity landing under WOW6432Node.
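The two tables above (the WriteProcessMemory IoCs and the process tree) are worth cross-checking rather than reading in isolation. The following Python is an added example, not part of the sandbox report or its tooling: it transcribes the report's rows as inline constructed data (parent PIDs are inferred from the tree depth markers, which the report does not state explicitly), labels each memory write by the relationship between writer and target, and flags cmd.exe /C launches that redirect a program's output to a file, recording whether WOW64 file-system redirection was applied. The helper names and the relation labels are this example's own.

```python
"""Cross-check sandbox IoCs: WriteProcessMemory targets vs. the process tree (added example)."""
import re
from collections import Counter

# Rows transcribed from the report above, constructed inline so this runs offline.
SAMPLE = "fdb4e10d1f83e739b67a66405db7a7faecbe0732084ff142b32ddda11384f5a5.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
ROMDUMP_CMD = (r"C:\Windows\system32\cmd.exe /C " + TEMP + r"\~RomDmp1\RomDump.com > "
               + TEMP + r"\~RomDmp1\Rom.dmp")

PROCESSES = [
    # (pid, parent pid, image path that ran, command line)
    (1816, None, TEMP + "\\" + SAMPLE, '"' + TEMP + "\\" + SAMPLE + '"'),
    (2716, 1816, r"C:\Windows\SysWOW64\cmd.exe", ROMDUMP_CMD),
    (4432, 1816, r"C:\Windows\SysWOW64\cmd.exe", ROMDUMP_CMD),
]

WPM_EVENTS = ["PID 1816 wrote to memory of 2716"] * 3 + ["PID 1816 wrote to memory of 4432"] * 3

_WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")


def parse_wpm(description):
    """Return (source_pid, target_pid) from a 'PID X wrote to memory of Y' IoC line."""
    m = _WPM_RE.fullmatch(description.strip())
    if not m:
        raise ValueError(f"unrecognised IoC line: {description!r}")
    return int(m.group(1)), int(m.group(2))


def classify_writes(processes, events):
    """Label each write by writer/target relationship.

    own_child:      target was spawned by the writer (routine during process creation)
    cross_process:  target is in the tree but is not the writer's child (injection signal)
    unknown_target: target PID does not appear in the tree at all
    """
    parent_of = {pid: ppid for pid, ppid, _, _ in processes}
    labelled = []
    for event in events:
        src, dst = parse_wpm(event)
        if dst not in parent_of:
            relation = "unknown_target"
        elif parent_of[dst] == src:
            relation = "own_child"
        else:
            relation = "cross_process"
        labelled.append({"src": src, "dst": dst, "relation": relation})
    return labelled


def summarize_writes(labelled):
    """Count writes per target PID, e.g. {2716: 3, 4432: 3} for the report above."""
    return dict(Counter(row["dst"] for row in labelled))


# cmd.exe /C <program> > <output file>
_REDIRECT_RE = re.compile(r"cmd\.exe\s+/[cC]\s+(?P<prog>\S+)\s*>\s*(?P<out>\S+)")


def find_redirected_launches(processes):
    """Flag cmd.exe /C launches whose stdout is redirected to a file.

    wow64_redirected is True when the command line asks for cmd.exe under system32
    but the image that ran is under SysWOW64: the kernel applied WOW64 file-system
    redirection, which means the parent is a 32-bit process.
    """
    hits = []
    for pid, ppid, image, cmdline in processes:
        m = _REDIRECT_RE.search(cmdline)
        if not m:
            continue
        hits.append({
            "pid": pid,
            "parent": ppid,
            "program": m.group("prog"),
            "output": m.group("out"),
            "output_in_temp": m.group("out").lower().startswith(TEMP.lower()),
            "wow64_redirected": ("\\syswow64\\" in image.lower()
                                 and "\\system32\\" in cmdline.lower()),
        })
    return hits


if __name__ == "__main__":
    writes = classify_writes(PROCESSES, WPM_EVENTS)
    for row in writes:
        print(row)
    print("writes per target:", summarize_writes(writes))
    for hit in find_redirected_launches(PROCESSES):
        print(hit)
```

For this report every write is labelled own_child, which is why the WriteProcessMemory signature alone should not be read as injection; the same function would label a write into a sibling or an unrelated PID as cross_process or unknown_target, which is the case worth escalating.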
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 46B
MD5: 74ea83a987cf7e29fe79b16b15b4bbed
SHA1: 452a79ee1211fad2efdfaf203e4b092f937208fc
SHA256: 9b327617c8c6fc6c70b7ada3ea40edcb143f0925d0c33fbb8a0a366020deed9d
SHA512: 35334ba33584b60b2774a4404706d88382b4ab647a3e9afe231e7910246c6fb851a2ae860652771fe2809e40abdc922d75f08616b8dc1ea16e2eefa572000355