5957d45f995e0f9378a685ec85be9afabfb8a624a323629f16d34b0197b9cef2

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25-06-2024 15:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5957d45f995e0f9378a685ec85be9afabfb8a624a323629f16d34b0197b9cef2.exe
Size

11.5MB
MD5

7a5e0b31ca3759ec4964da0baa7a5579
SHA1

706a124458622ff1a47b9878cb08f2ada2ee5442
SHA256

5957d45f995e0f9378a685ec85be9afabfb8a624a323629f16d34b0197b9cef2
SHA512

bd2dac6eafaa62f251a6efdc6e28d41385ac344c446d2b511948a9c84fe53866f4408de173bff0ba6877135ab86f8a8d70aa3181d81a8e270f1966d7fadb06d3
SSDEEP

196608:n2Gtl6DPRKTkNg8h8V2KQqGfyxXIicOExzUx8Bssun3f6B2+FDnVAA/uaeol:2GtA7RKQNg8h8V2KQH6uBsc9cA/xey

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2632	5957d45f995e0f9378a685ec85be9afabfb8a624a323629f16d34b0197b9cef2.exe

Enumerates connected drives 3 TTPs 3 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	5957d45f995e0f9378a685ec85be9afabfb8a624a323629f16d34b0197b9cef2.exe
File opened (read-only)	\??\E:	5957d45f995e0f9378a685ec85be9afabfb8a624a323629f16d34b0197b9cef2.exe
File opened (read-only)	\??\F:	5957d45f995e0f9378a685ec85be9afabfb8a624a323629f16d34b0197b9cef2.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2172	5957d45f995e0f9378a685ec85be9afabfb8a624a323629f16d34b0197b9cef2.exe
2172	5957d45f995e0f9378a685ec85be9afabfb8a624a323629f16d34b0197b9cef2.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 3064	2172	5957d45f995e0f9378a685ec85be9afabfb8a624a323629f16d34b0197b9cef2.exe	28
PID 2172 wrote to memory of 3064	2172	5957d45f995e0f9378a685ec85be9afabfb8a624a323629f16d34b0197b9cef2.exe	28
PID 2172 wrote to memory of 3064	2172	5957d45f995e0f9378a685ec85be9afabfb8a624a323629f16d34b0197b9cef2.exe	28
PID 2172 wrote to memory of 3064	2172	5957d45f995e0f9378a685ec85be9afabfb8a624a323629f16d34b0197b9cef2.exe	28
PID 3064 wrote to memory of 2632	3064	cmd.exe	30
PID 3064 wrote to memory of 2632	3064	cmd.exe	30
PID 3064 wrote to memory of 2632	3064	cmd.exe	30
PID 3064 wrote to memory of 2632	3064	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\5957d45f995e0f9378a685ec85be9afabfb8a624a323629f16d34b0197b9cef2.exe
"C:\Users\Admin\AppData\Local\Temp\5957d45f995e0f9378a685ec85be9afabfb8a624a323629f16d34b0197b9cef2.exe"
1⤵
- Enumerates connected drives
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\DC2DFDBDDCFC4A579C0AB4A5AB8EB8F0.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3064
- - F:\996m2\5957d45f995e0f9378a685ec85be9afabfb8a624a323629f16d34b0197b9cef2.exe
    "F:/996m2/5957d45f995e0f9378a685ec85be9afabfb8a624a323629f16d34b0197b9cef2.exe"
    3⤵
    - Executes dropped EXE
    PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DC2DFDBDDCFC4A579C0AB4A5AB8EB8F0.bat

Filesize
81B

MD5
99c2970ef192ba50f2fdf47f22359e45

SHA1
78727fe381015f6b35299131a08b4570990d36af

SHA256
966a7b11c4a16b7f96ce28473a040f9e97e5a16d25a84596c27f7e3df8b8a22d

SHA512
1d3f3cb5ef2bb0e621b06aaed0c3a46eb148af7a88e7552976a5aa36a8b9c7355cb88343f974898a284f95df54d4f28c91121cae584015ed17b61140bb8d0336

Download Submit
C:\Users\Admin\AppData\Local\Temp\¾Å»Ä¹¥ËÙÈýÖ°Òµ.ini

Filesize
75B

MD5
e3febec7c9d89d6c7dca6f55195ed89f

SHA1
f98fb4c0fd3b7c926e1875fda3566388903f4eef

SHA256
d7e3aaf8d14b12596ce20a82487200fd3daa34db92f06c92703600519f02447c

SHA512
2c034ddf1eea4addc7eca9206e176083a363d5cb69ed8acd87f1fc6ba0c6fa7a7e004550dc7257bcb237d78afe8fb672c695a6b073643cc2c4efb9477321f1bf

Download Submit
F:\996m2\5957d45f995e0f9378a685ec85be9afabfb8a624a323629f16d34b0197b9cef2.exe

Filesize
11.5MB

MD5
7a5e0b31ca3759ec4964da0baa7a5579

SHA1
706a124458622ff1a47b9878cb08f2ada2ee5442

SHA256
5957d45f995e0f9378a685ec85be9afabfb8a624a323629f16d34b0197b9cef2

SHA512
bd2dac6eafaa62f251a6efdc6e28d41385ac344c446d2b511948a9c84fe53866f4408de173bff0ba6877135ab86f8a8d70aa3181d81a8e270f1966d7fadb06d3

Download Submit
memory/2172-0-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2172-23-0x0000000000400000-0x0000000000F14000-memory.dmp

Filesize
11.1MB

Download
memory/2632-14-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2632-24-0x0000000000400000-0x0000000000F14000-memory.dmp

Filesize
11.1MB

Download