c4990aebded04b1f4a9c34072e736771183d8dcd091adf27ede3cb8c04ba520c

Analysis

max time kernel
143s
max time network
123s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
20/06/2024, 02:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

68a9e97be5bec9fba6108897ebef0a1f00dec90cf894071dc80ba0fed62a2999.exe
Size

2.6MB
MD5

c8432b773d48e5e0a9f2d1ecb7c557f8
SHA1

ffd30a12849776a23351e9e768fc7b635553c271
SHA256

68a9e97be5bec9fba6108897ebef0a1f00dec90cf894071dc80ba0fed62a2999
SHA512

7d2e4e382f9591f0ba5098d6a265f6b70b5a6c360f6223ac0309edf7bea7c13c4b951888244ddafb512127b2c192075aeaf77a93ded3a1336e822abcfd83ebc8
SSDEEP

49152:KDjlabwz9PDjlabwz96f+wrja6tTPZYoUKm5OeNRwXIM2BfM3:6qwhqws+ia6tzZ1Zm5OmRwX0B+

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2884	work.exe
1684	fesygh.exe

Loads dropped DLL 1 IoCs

pid	Process
2768	cmd.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs

pid	Process
1684	fesygh.exe
1684	fesygh.exe
1684	fesygh.exe
1684	fesygh.exe
1684	fesygh.exe
1684	fesygh.exe
1684	fesygh.exe
1684	fesygh.exe
1684	fesygh.exe
1684	fesygh.exe
1684	fesygh.exe
1684	fesygh.exe
1684	fesygh.exe
1684	fesygh.exe
1684	fesygh.exe
1684	fesygh.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1684	fesygh.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 2768	2416	68a9e97be5bec9fba6108897ebef0a1f00dec90cf894071dc80ba0fed62a2999.exe	28
PID 2416 wrote to memory of 2768	2416	68a9e97be5bec9fba6108897ebef0a1f00dec90cf894071dc80ba0fed62a2999.exe	28
PID 2416 wrote to memory of 2768	2416	68a9e97be5bec9fba6108897ebef0a1f00dec90cf894071dc80ba0fed62a2999.exe	28
PID 2768 wrote to memory of 2884	2768	cmd.exe	30
PID 2768 wrote to memory of 2884	2768	cmd.exe	30
PID 2768 wrote to memory of 2884	2768	cmd.exe	30
PID 2884 wrote to memory of 1684	2884	work.exe	31
PID 2884 wrote to memory of 1684	2884	work.exe	31
PID 2884 wrote to memory of 1684	2884	work.exe	31
PID 2884 wrote to memory of 1684	2884	work.exe	31

C:\Users\Admin\AppData\Local\Temp\68a9e97be5bec9fba6108897ebef0a1f00dec90cf894071dc80ba0fed62a2999.exe
"C:\Users\Admin\AppData\Local\Temp\68a9e97be5bec9fba6108897ebef0a1f00dec90cf894071dc80ba0fed62a2999.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
    work.exe -priverdD
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2884
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\fesygh.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\fesygh.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetWindowsHookEx
      PID:1684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat

Filesize
35B

MD5
ff59d999beb970447667695ce3273f75

SHA1
316fa09f467ba90ac34a054daf2e92e6e2854ff8

SHA256
065d2b17ad499587dc9de7ee9ecda4938b45da1df388bc72e6627dff220f64d2

SHA512
d5ac72cb065a3cd3cb118a69a2f356314eeed24dcb4880751e1a3683895e66cedc62607967e29f77a0c27adf1c9fe0efd86e804f693f0a63a5b51b0bf0056b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe

Filesize
2.2MB

MD5
0fa5c74f07d73aafaafc23af988de1cb

SHA1
983c56fecc490a5721f69bf0110834eb2ec99e74

SHA256
692d78b34f0b5529280379a9fca8eed5d07ad378433cc59d9fe3e96a30d8ddc1

SHA512
e44aa8712d8bac4168d9f2f8e163daa289e3f257db01803a59f84e881336093025573bdd9f064f4b1e0edbb0221b434c2aa6b58003da6682950dadad54e5f414

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\fesygh.exe

Filesize
1.8MB

MD5
596a208b0986edaa3f8dae751e2d0a4c

SHA1
101fc93688b28b1566d132f20d03b35a3e6ac083

SHA256
27976f8a3228f36bf268be4f3aade11d7ef07b0d81df6935e5b240cfa87b5661

SHA512
dbfa35919d31e2361f62adeb3110495c5b946f89b78d07e27d924d9aafbe6b63944185f1262b99237dc485286c5f5916b70f40d98afa138578b882e9fad263c9

Download Submit
memory/1684-33-0x0000000001040000-0x0000000001542000-memory.dmp

Filesize
5.0MB

Download
memory/1684-34-0x0000000001040000-0x0000000001542000-memory.dmp

Filesize
5.0MB

Download
memory/1684-35-0x0000000001457000-0x0000000001542000-memory.dmp

Filesize
940KB

Download
memory/1684-37-0x0000000001040000-0x0000000001542000-memory.dmp

Filesize
5.0MB

Download
memory/1684-38-0x0000000001040000-0x0000000001542000-memory.dmp

Filesize
5.0MB

Download
memory/1684-39-0x0000000001040000-0x0000000001542000-memory.dmp

Filesize
5.0MB

Download
memory/1684-40-0x0000000001457000-0x0000000001542000-memory.dmp

Filesize
940KB

Download
memory/1684-41-0x0000000001040000-0x0000000001542000-memory.dmp

Filesize
5.0MB

Download
memory/1684-42-0x0000000001040000-0x0000000001542000-memory.dmp

Filesize
5.0MB

Download
memory/1684-43-0x0000000001040000-0x0000000001542000-memory.dmp

Filesize
5.0MB

Download
memory/1684-44-0x0000000001040000-0x0000000001542000-memory.dmp

Filesize
5.0MB

Download
memory/1684-45-0x0000000001040000-0x0000000001542000-memory.dmp

Filesize
5.0MB

Download
memory/1684-46-0x0000000001040000-0x0000000001542000-memory.dmp

Filesize
5.0MB

Download
memory/1684-47-0x0000000001040000-0x0000000001542000-memory.dmp

Filesize
5.0MB

Download
memory/1684-48-0x0000000001040000-0x0000000001542000-memory.dmp

Filesize
5.0MB

Download
memory/1684-49-0x0000000001040000-0x0000000001542000-memory.dmp

Filesize
5.0MB

Download
memory/1684-50-0x0000000001040000-0x0000000001542000-memory.dmp

Filesize
5.0MB

Download
memory/1684-51-0x0000000001040000-0x0000000001542000-memory.dmp

Filesize
5.0MB

Download
memory/1684-52-0x0000000001040000-0x0000000001542000-memory.dmp

Filesize
5.0MB

Download