7899ab47387f1bd28b0c9e9ee21c0252cbf6c8665195d21f81a447409c7060a1

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03/06/2024, 23:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7899ab47387f1bd28b0c9e9ee21c0252cbf6c8665195d21f81a447409c7060a1.exe
Size

493KB
MD5

6c7c9d9afcd3b7cc99e8b8b3c87099bb
SHA1

504fd9faa6fb6b0f754fc0b412674b87db9597f7
SHA256

7899ab47387f1bd28b0c9e9ee21c0252cbf6c8665195d21f81a447409c7060a1
SHA512

df9c66f0dddbf1adf4e178ec5173a5c73d88d6c4e87e140a48498d983c90da0f73a0fb054ad03f40ada2312c02a387822219e6e1990cef4eeded72ec550a0acf
SSDEEP

12288:8X/6dDqPkhJhW4KlYdMTUA8j0q7g2iZ1gwrRSU0:+6dDqPk/QYdMTP2bwrwU0

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2032	EXE29DE.tmp

Loads dropped DLL 2 IoCs

pid	Process
1952	7899ab47387f1bd28b0c9e9ee21c0252cbf6c8665195d21f81a447409c7060a1.exe
1952	7899ab47387f1bd28b0c9e9ee21c0252cbf6c8665195d21f81a447409c7060a1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2032	EXE29DE.tmp
2032	EXE29DE.tmp

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 2032	1952	7899ab47387f1bd28b0c9e9ee21c0252cbf6c8665195d21f81a447409c7060a1.exe	28
PID 1952 wrote to memory of 2032	1952	7899ab47387f1bd28b0c9e9ee21c0252cbf6c8665195d21f81a447409c7060a1.exe	28
PID 1952 wrote to memory of 2032	1952	7899ab47387f1bd28b0c9e9ee21c0252cbf6c8665195d21f81a447409c7060a1.exe	28
PID 1952 wrote to memory of 2032	1952	7899ab47387f1bd28b0c9e9ee21c0252cbf6c8665195d21f81a447409c7060a1.exe	28
PID 2032 wrote to memory of 2648	2032	EXE29DE.tmp	29
PID 2032 wrote to memory of 2648	2032	EXE29DE.tmp	29
PID 2032 wrote to memory of 2648	2032	EXE29DE.tmp	29
PID 2032 wrote to memory of 2648	2032	EXE29DE.tmp	29

C:\Users\Admin\AppData\Local\Temp\7899ab47387f1bd28b0c9e9ee21c0252cbf6c8665195d21f81a447409c7060a1.exe
"C:\Users\Admin\AppData\Local\Temp\7899ab47387f1bd28b0c9e9ee21c0252cbf6c8665195d21f81a447409c7060a1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Users\Admin\AppData\Local\Temp\EXE29DE.tmp
  "C:\Users\Admin\AppData\Local\Temp\EXE29DE.tmp" "C:\Users\Admin\AppData\Local\Temp\OFM29DF.tmp" "C:\Users\Admin\AppData\Local\Temp\7899ab47387f1bd28b0c9e9ee21c0252cbf6c8665195d21f81a447409c7060a1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OFM29DF.tmp

Filesize
32KB

MD5
6b20b58098226178c1644cdc8bd17068

SHA1
60769d8cff1c42a304be0e5efa02a661105fc94e

SHA256
0854c46d27555fbab673151eda2cb3a6679afc5b2488320e33f5fd9fa2b85525

SHA512
9fc0686b17eeb7a0cde3d36bd8a7b34ff18c951156e45c5c613c983393bf50cd3d89625f320e7933a58789f4b2505f1d6d5c09bda4b7b7916267ff20ece7776b

Download Submit
\Users\Admin\AppData\Local\Temp\EXE29DE.tmp

Filesize
980KB

MD5
34cabedafaf5ce498d245242ac48670e

SHA1
7a78f2a64618448f8118203f3c7225f6f84622d0

SHA256
6dbefd357dc6ad020b5f4c7597312029094bdf9cc08bf2ae911bb2617ab28b39

SHA512
6801b911e4272093129cea416d4e8334250f6d393b4d634d251c22922f5c1906516cf53e2958011e7cb3e2a3e86ba74ea2547bbbcaba210db375ac0a6152fe18

Download Submit