69ca1f26e0d34aea228ed37952cf42d5e80b5aef14ea98764c91a8d5e84ef8d4

Analysis

max time kernel
15s
max time network
20s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
30/06/2024, 22:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ElementB3.exe
Size

24.1MB
MD5

2ba594a545371004bb4fea5cbb8bbe57
SHA1

7c3465625cfa4d4a222ad63099d0084193f12fae
SHA256

69ca1f26e0d34aea228ed37952cf42d5e80b5aef14ea98764c91a8d5e84ef8d4
SHA512

3e776379b616db901d7562e72bce35e65ff0f8782d86e4f6902001341c816b84d0117b9458755943ffdd62a8f95f0f9c09b81ab525f0fcc770bd94a899044001
SSDEEP

786432:s2xCRhWTRKLhwRfsfyPuesatj4+HRsuJTxmwen:qWYLhwqfyPgat/HNYFn

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2476	GPUpdate.exe

Loads dropped DLL 2 IoCs

pid	Process
3020	ElementB3.exe
2476	GPUpdate.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 2476	3020	ElementB3.exe	28
PID 3020 wrote to memory of 2476	3020	ElementB3.exe	28
PID 3020 wrote to memory of 2476	3020	ElementB3.exe	28

C:\Users\Admin\AppData\Local\Temp\ElementB3.exe
"C:\Users\Admin\AppData\Local\Temp\ElementB3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Users\Admin\AppData\Local\Temp\onefile_3020_133642611585302000\GPUpdate.exe
  "C:\Users\Admin\AppData\Local\Temp\ElementB3.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\onefile_3020_133642611585302000\python311.dll

Filesize
5.5MB

MD5
9a24c8c35e4ac4b1597124c1dcbebe0f

SHA1
f59782a4923a30118b97e01a7f8db69b92d8382a

SHA256
a0cf640e756875c25c12b4a38ba5f2772e8e512036e2ac59eb8567bf05ffbfb7

SHA512
9d9336bf1f0d3bc9ce4a636a5f4e52c5f9487f51f00614fc4a34854a315ce7ea8be328153812dbd67c45c75001818fa63317eba15a6c9a024fa9f2cab163165b

Download Submit
\Users\Admin\AppData\Local\Temp\onefile_3020_133642611585302000\GPUpdate.exe

Filesize
42.3MB

MD5
578bf4cf3edf7420f2f270a8b5b8d25c

SHA1
6ba3ccfc966630a327c272ab673a162ee21f12ef

SHA256
5a888fb94b03b0e6e3bd8c3d3da4aa6cad81afa35ab1d4e8a8c6bdc40bd0d825

SHA512
f718f2675a63ea01ff148a7455196999e0c64113f4a47cf187661ea11727d0f1262cf1819d7559353e2246f640f639e5bac1558a78871cfe5792322ceaaabdc2

Download Submit
memory/2476-91-0x000000013FE70000-0x000000014296A000-memory.dmp

Filesize
43.0MB

Download
memory/3020-177-0x000000013F190000-0x00000001409BD000-memory.dmp

Filesize
24.2MB

Download