2af2fcc2f3944439a6faa4d48ae765209f039eb81c9adb746879510783149a4a

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
30/06/2024, 19:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2af2fcc2f3944439a6faa4d48ae765209f039eb81c9adb746879510783149a4a.exe
Size

662KB
MD5

40d1300fe26d6d7e4588af86e3969525
SHA1

c46f4c2ebbb4411da36206afbd08843fa7f109f9
SHA256

2af2fcc2f3944439a6faa4d48ae765209f039eb81c9adb746879510783149a4a
SHA512

243cca9b084c952546c002b88033d3990a2719eaf906f4321e08cc725d7b34db46ac0c71d74a0cfc402c875c0dbb07446a2bd174d5b2608dd40344218061a599
SSDEEP

12288:8X/6dDqPkhJhW4KlYdMTUA8j0q7g2iZ1gwrRSUYj6MUWJa+/LMg09wvxLUX:+6dDqPk/QYdMTP2bwrwU1bToYX

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2852	EXE33BD.tmp

Loads dropped DLL 2 IoCs

pid	Process
1688	2af2fcc2f3944439a6faa4d48ae765209f039eb81c9adb746879510783149a4a.exe
1688	2af2fcc2f3944439a6faa4d48ae765209f039eb81c9adb746879510783149a4a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2852	EXE33BD.tmp
2852	EXE33BD.tmp

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 2852	1688	2af2fcc2f3944439a6faa4d48ae765209f039eb81c9adb746879510783149a4a.exe	28
PID 1688 wrote to memory of 2852	1688	2af2fcc2f3944439a6faa4d48ae765209f039eb81c9adb746879510783149a4a.exe	28
PID 1688 wrote to memory of 2852	1688	2af2fcc2f3944439a6faa4d48ae765209f039eb81c9adb746879510783149a4a.exe	28
PID 1688 wrote to memory of 2852	1688	2af2fcc2f3944439a6faa4d48ae765209f039eb81c9adb746879510783149a4a.exe	28
PID 2852 wrote to memory of 1932	2852	EXE33BD.tmp	29
PID 2852 wrote to memory of 1932	2852	EXE33BD.tmp	29
PID 2852 wrote to memory of 1932	2852	EXE33BD.tmp	29
PID 2852 wrote to memory of 1932	2852	EXE33BD.tmp	29

C:\Users\Admin\AppData\Local\Temp\2af2fcc2f3944439a6faa4d48ae765209f039eb81c9adb746879510783149a4a.exe
"C:\Users\Admin\AppData\Local\Temp\2af2fcc2f3944439a6faa4d48ae765209f039eb81c9adb746879510783149a4a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Users\Admin\AppData\Local\Temp\EXE33BD.tmp
  "C:\Users\Admin\AppData\Local\Temp\EXE33BD.tmp" "C:\Users\Admin\AppData\Local\Temp\OFM33BE.tmp" "C:\Users\Admin\AppData\Local\Temp\2af2fcc2f3944439a6faa4d48ae765209f039eb81c9adb746879510783149a4a.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:1932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EXE33BD.tmp

Filesize
980KB

MD5
34cabedafaf5ce498d245242ac48670e

SHA1
7a78f2a64618448f8118203f3c7225f6f84622d0

SHA256
6dbefd357dc6ad020b5f4c7597312029094bdf9cc08bf2ae911bb2617ab28b39

SHA512
6801b911e4272093129cea416d4e8334250f6d393b4d634d251c22922f5c1906516cf53e2958011e7cb3e2a3e86ba74ea2547bbbcaba210db375ac0a6152fe18

Download Submit
C:\Users\Admin\AppData\Local\Temp\OFM33BE.tmp

Filesize
192KB

MD5
443a34e886b8b84081f2464e279adbb0

SHA1
02f47842a47e2d9f569a6df400fead756e46ebca

SHA256
d4fa4084db5f230552a0fb537fb627b37addcd8082ff67fd11326ac14e81cfd7

SHA512
a36f01a34782394a53e7219a40e7c028571c32e7a836c8836105629c9abf26cfc228bfe83371a84006aaeab36fa3556079af2339c93a96926e480692bd7a2136

Download Submit