Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 30/06/2024, 19:57
Static task: static1
Behavioral task: behavioral1
Sample: 2af2fcc2f3944439a6faa4d48ae765209f039eb81c9adb746879510783149a4a.exe
Resource: win7-20240508-en
Behavioral task: behavioral2
Sample: 2af2fcc2f3944439a6faa4d48ae765209f039eb81c9adb746879510783149a4a.exe
Resource: win10v2004-20240508-en
General
Target: 2af2fcc2f3944439a6faa4d48ae765209f039eb81c9adb746879510783149a4a.exe
Size: 662KB
MD5: 40d1300fe26d6d7e4588af86e3969525
SHA1: c46f4c2ebbb4411da36206afbd08843fa7f109f9
SHA256: 2af2fcc2f3944439a6faa4d48ae765209f039eb81c9adb746879510783149a4a
SHA512: 243cca9b084c952546c002b88033d3990a2719eaf906f4321e08cc725d7b34db46ac0c71d74a0cfc402c875c0dbb07446a2bd174d5b2608dd40344218061a599
SSDEEP: 12288:8X/6dDqPkhJhW4KlYdMTUA8j0q7g2iZ1gwrRSUYj6MUWJa+/LMg09wvxLUX:+6dDqPk/QYdMTP2bwrwU1bToYX
Malware Config
Signatures

Executes dropped EXE (1 IoC)
pid | Process
2852 | EXE33BD.tmp

Loads dropped DLL (2 IoCs)
pid | Process
1688 | 2af2fcc2f3944439a6faa4d48ae765209f039eb81c9adb746879510783149a4a.exe
1688 | 2af2fcc2f3944439a6faa4d48ae765209f039eb81c9adb746879510783149a4a.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
2852 | EXE33BD.tmp
2852 | EXE33BD.tmp

Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 1688 wrote to memory of 2852 | 1688 | 2af2fcc2f3944439a6faa4d48ae765209f039eb81c9adb746879510783149a4a.exe | 28
PID 1688 wrote to memory of 2852 | 1688 | 2af2fcc2f3944439a6faa4d48ae765209f039eb81c9adb746879510783149a4a.exe | 28
PID 1688 wrote to memory of 2852 | 1688 | 2af2fcc2f3944439a6faa4d48ae765209f039eb81c9adb746879510783149a4a.exe | 28
PID 1688 wrote to memory of 2852 | 1688 | 2af2fcc2f3944439a6faa4d48ae765209f039eb81c9adb746879510783149a4a.exe | 28
PID 2852 wrote to memory of 1932 | 2852 | EXE33BD.tmp | 29
PID 2852 wrote to memory of 1932 | 2852 | EXE33BD.tmp | 29
PID 2852 wrote to memory of 1932 | 2852 | EXE33BD.tmp | 29
PID 2852 wrote to memory of 1932 | 2852 | EXE33BD.tmp | 29
Processes

1. C:\Users\Admin\AppData\Local\Temp\2af2fcc2f3944439a6faa4d48ae765209f039eb81c9adb746879510783149a4a.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2af2fcc2f3944439a6faa4d48ae765209f039eb81c9adb746879510783149a4a.exe"
   PID: 1688
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\EXE33BD.tmp
      Command line: "C:\Users\Admin\AppData\Local\Temp\EXE33BD.tmp" "C:\Users\Admin\AppData\Local\Temp\OFM33BE.tmp" "C:\Users\Admin\AppData\Local\Temp\2af2fcc2f3944439a6faa4d48ae765209f039eb81c9adb746879510783149a4a.exe"
      PID: 2852
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\splwow64.exe
         Command line: C:\Windows\splwow64.exe 12288
         PID: 1932
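Triage of the process tree above, as an added example that is not part of this sandbox report: a small Python detector run over constructed Sysmon-style process-creation records that mirror the chain 1688 -> 2852 -> 1932 (field names follow Sysmon Event ID 1; the records themselves, the PID 1000 launcher placeholder and the rule names are assumptions). It flags the executable .tmp in the user's Temp directory, the Temp-to-Temp spawn, and the companion file OFM33BE.tmp passed on the command line, and records splwow64.exe only through its ancestry. C:\Windows\splwow64.exe is Windows' print driver host for 32-bit applications and is started when a 32-bit process touches the printing APIs, so it is not a dropped file; it matters here only because a .tmp in Temp is its parent. Likewise the eight "wrote to memory" entries, four per spawned child, are consistent with ordinary process creation seen through the sandbox's API hooks and are not by themselves evidence of injection into a foreign process.

```python
"""Flag dropper-style process chains in Sysmon-like process-creation records.

Added example, not code from the sandbox report. The events below are
hand-constructed to mirror the report's tree; they are not real telemetry.
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# Windows paths are case-insensitive, so match them that way.
USER_TEMP_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
WINDOWS_DIR_RE = re.compile(r"^[a-z]:\\windows\\", re.I)


@dataclass(frozen=True)
class ProcEvent:
    """Minimal Sysmon Event ID 1 shape: one process-creation record."""
    pid: int
    ppid: int
    image: str
    command_line: str


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


# Constructed events mirroring the report (ppid 1000 is an assumed launcher).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2af2fcc2f3944439a6faa4d48ae765209f039eb81c9adb746879510783149a4a.exe"
STAGE2 = r"C:\Users\Admin\AppData\Local\Temp\EXE33BD.tmp"
COMPANION = r"C:\Users\Admin\AppData\Local\Temp\OFM33BE.tmp"
EVENTS = [
    ProcEvent(1688, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2852, 1688, STAGE2, f'"{STAGE2}" "{COMPANION}" "{SAMPLE}"'),
    ProcEvent(1932, 2852, r"C:\Windows\splwow64.exe", r"C:\Windows\splwow64.exe 12288"),
]


def in_user_temp(path: str) -> bool:
    return bool(USER_TEMP_RE.match(path))


def ancestry(pid: int, events: list[ProcEvent]) -> list[ProcEvent]:
    """Return [self, parent, grandparent, ...], stopping at an unknown parent or a cycle."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def companion_temp_files(e: ProcEvent) -> list[str]:
    """Temp-resident paths on the command line other than the image itself."""
    tokens = [quoted or bare for quoted, bare in re.findall(r'"([^"]+)"|(\S+)', e.command_line)]
    return [t for t in tokens if in_user_temp(t) and t.lower() != e.image.lower()]


def analyze(events: list[ProcEvent]) -> list[Finding]:
    by_pid = {e.pid: e for e in events}
    findings: list[Finding] = []
    for e in events:
        parent = by_pid.get(e.ppid)
        ext = ntpath.splitext(e.image)[1].lower()
        # Rule 1: an image in the user's Temp that does not carry .exe. CreateProcess
        # loads a file by its PE contents, not its extension, so a running ".tmp" is a
        # dropped payload wearing a scratch-file name.
        if in_user_temp(e.image) and ext != ".exe":
            findings.append(Finding(e.pid, "temp-exec-non-exe-extension",
                                    f"{ntpath.basename(e.image)} executed from user Temp"))
        # Rule 2: parent and child both live in Temp: the dropper -> dropped chain.
        if parent and in_user_temp(e.image) and in_user_temp(parent.image):
            findings.append(Finding(e.pid, "temp-to-temp-spawn",
                                    f"{ntpath.basename(parent.image)} -> {ntpath.basename(e.image)}"))
        # Rule 3: extra Temp files handed to the stage on its command line become IoCs.
        companions = companion_temp_files(e)
        if companions:
            findings.append(Finding(e.pid, "temp-companion-files",
                                    ", ".join(ntpath.basename(c) for c in companions)))
        # Rule 4 (informational): a system binary whose ancestry includes a Temp-resident
        # process. The binary itself is benign; record who is above it.
        if WINDOWS_DIR_RE.match(e.image):
            temp_ancestors = [a for a in ancestry(e.pid, events)[1:] if in_user_temp(a.image)]
            if temp_ancestors:
                findings.append(Finding(e.pid, "system-binary-from-temp-ancestry",
                                        f"{ntpath.basename(e.image)} under {ntpath.basename(temp_ancestors[0].image)}"))
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"pid {f.pid}: {f.rule}: {f.detail}")
```

Rule 1 is the one worth deploying as-is on real Sysmon data; rules 2 and 3 are noisy for installers, which legitimately unpack helpers into Temp, so in production they should score rather than alert on their own.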
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 980KB
MD5: 34cabedafaf5ce498d245242ac48670e
SHA1: 7a78f2a64618448f8118203f3c7225f6f84622d0
SHA256: 6dbefd357dc6ad020b5f4c7597312029094bdf9cc08bf2ae911bb2617ab28b39
SHA512: 6801b911e4272093129cea416d4e8334250f6d393b4d634d251c22922f5c1906516cf53e2958011e7cb3e2a3e86ba74ea2547bbbcaba210db375ac0a6152fe18

Filesize: 192KB
MD5: 443a34e886b8b84081f2464e279adbb0
SHA1: 02f47842a47e2d9f569a6df400fead756e46ebca
SHA256: d4fa4084db5f230552a0fb537fb627b37addcd8082ff67fd11326ac14e81cfd7
SHA512: a36f01a34782394a53e7219a40e7c028571c32e7a836c8836105629c9abf26cfc228bfe83371a84006aaeab36fa3556079af2339c93a96926e480692bd7a2136