0bb95a479871eb067b8dd782a2e2c099f8aec1070642fad21a728469a59a2c2b

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
14-06-2024 10:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0bb95a479871eb067b8dd782a2e2c099f8aec1070642fad21a728469a59a2c2b.exe
Size

308KB
MD5

d4955fc98c22f0a2952ee213e9acbcec
SHA1

87757f2d314e24cc5b2e6c15e052cdb2a8733c53
SHA256

0bb95a479871eb067b8dd782a2e2c099f8aec1070642fad21a728469a59a2c2b
SHA512

5287c7a4f995f57418fc2edf278ecb8119d1e82579103ed1e2e9e27939837a49839695f6609aaee39b8190efd0a3569e8d9ab38169659fa1dbc43e39a8fda3f0
SSDEEP

6144:SCGaECnpAoDO1A8dg3iTPJLMfgQZX+tJs0dxm:DGHCnaomAEg3uPdkgOX+tZdxm

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 1796	2168	0bb95a479871eb067b8dd782a2e2c099f8aec1070642fad21a728469a59a2c2b.exe	28
PID 2168 wrote to memory of 1796	2168	0bb95a479871eb067b8dd782a2e2c099f8aec1070642fad21a728469a59a2c2b.exe	28
PID 2168 wrote to memory of 1796	2168	0bb95a479871eb067b8dd782a2e2c099f8aec1070642fad21a728469a59a2c2b.exe	28
PID 2168 wrote to memory of 1796	2168	0bb95a479871eb067b8dd782a2e2c099f8aec1070642fad21a728469a59a2c2b.exe	28
PID 1796 wrote to memory of 2320	1796	WScript.exe	29
PID 1796 wrote to memory of 2320	1796	WScript.exe	29
PID 1796 wrote to memory of 2320	1796	WScript.exe	29
PID 1796 wrote to memory of 2320	1796	WScript.exe	29
PID 1796 wrote to memory of 2320	1796	WScript.exe	29
PID 1796 wrote to memory of 2320	1796	WScript.exe	29
PID 1796 wrote to memory of 2320	1796	WScript.exe	29

C:\Users\Admin\AppData\Local\Temp\0bb95a479871eb067b8dd782a2e2c099f8aec1070642fad21a728469a59a2c2b.exe
"C:\Users\Admin\AppData\Local\Temp\0bb95a479871eb067b8dd782a2e2c099f8aec1070642fad21a728469a59a2c2b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\WeCominstall.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1796
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\WeCominstall.cmd" "
    3⤵
    PID:2320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\WeCominstall.cmd

Filesize
899B

MD5
6b0dcdd9603f5630f74a264e4c0762d3

SHA1
b8adc858ed4156589653ad57c003d3a74e7a3f53

SHA256
0d741448e6a1dc4102c2310e53427cb9765341abdabf4e582e38dde607086a19

SHA512
4f9641077a46843bffce06bd4ac18c3629b8d2d804657ed151b51875e90776656174cea18d197d5e0717064f57f89eddb25b2b4c41fb2b5a9356451fa7291a69

Download Submit
C:\Users\Admin\AppData\Local\Temp\WeCominstall.vbs

Filesize
144B

MD5
34f9b74003e36d0e7871afebbf1c0a4e

SHA1
e6d0713917ec148e8e3ebcc0c6b345516a9f15fd

SHA256
81afdfa77b5f948db65b0d853eda670c89710e2cfbefc5fb4a6ff5da383d1e7c

SHA512
329030af776732bddd32b7d0aeaafd2f1609bbc2fe73c39ef6c206be7523e5101ea0c501c50f4f290d94477a7785046aede99d134eaa6c28a372b491a067bbe4

Download Submit