0240b4d27e1beeec988a3846df1a80c7dbd8194fd3147fa960b3d59a271217c8

Analysis

max time kernel
23s
max time network
128s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
30/06/2024, 20:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0240b4d27e1beeec988a3846df1a80c7dbd8194fd3147fa960b3d59a271217c8.exe
Size

10.3MB
MD5

4c463143710774d2e2abb02c8526d546
SHA1

d9ad3b7bbf4d9897a0afe0cd635f591fcb59980d
SHA256

0240b4d27e1beeec988a3846df1a80c7dbd8194fd3147fa960b3d59a271217c8
SHA512

575e0bbdaaf433a5aa8132561975fcadc27a909662cbffa54d1a63358bc0738a59b95f039602ef92dff08232d0147984022443cc5041bf5f1f0ab52a2a28d83e
SSDEEP

196608:qGs68aYqsBmiFm4CTqfG+vTiwnDmNQkJM8uDIYnKO0uFK:ds68aD4F3e+biSDcQwM8uDuj

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
1696	0240b4d27e1beeec988a3846df1a80c7dbd8194fd3147fa960b3d59a271217c8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1696	0240b4d27e1beeec988a3846df1a80c7dbd8194fd3147fa960b3d59a271217c8.exe
1696	0240b4d27e1beeec988a3846df1a80c7dbd8194fd3147fa960b3d59a271217c8.exe
1696	0240b4d27e1beeec988a3846df1a80c7dbd8194fd3147fa960b3d59a271217c8.exe
1696	0240b4d27e1beeec988a3846df1a80c7dbd8194fd3147fa960b3d59a271217c8.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
1696	0240b4d27e1beeec988a3846df1a80c7dbd8194fd3147fa960b3d59a271217c8.exe
1696	0240b4d27e1beeec988a3846df1a80c7dbd8194fd3147fa960b3d59a271217c8.exe
1696	0240b4d27e1beeec988a3846df1a80c7dbd8194fd3147fa960b3d59a271217c8.exe
1696	0240b4d27e1beeec988a3846df1a80c7dbd8194fd3147fa960b3d59a271217c8.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1696	0240b4d27e1beeec988a3846df1a80c7dbd8194fd3147fa960b3d59a271217c8.exe
1696	0240b4d27e1beeec988a3846df1a80c7dbd8194fd3147fa960b3d59a271217c8.exe

C:\Users\Admin\AppData\Local\Temp\0240b4d27e1beeec988a3846df1a80c7dbd8194fd3147fa960b3d59a271217c8.exe
"C:\Users\Admin\AppData\Local\Temp\0240b4d27e1beeec988a3846df1a80c7dbd8194fd3147fa960b3d59a271217c8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1696
- C:\Users\Admin\AppData\Roaming\datatemp\aria2c.exe
  "C:\Users\Admin\AppData\Roaming\datatemp\aria2c.exe" --conf-path=C:\Users\Admin\AppData\Roaming\datatemp\aria2.conf #--save-session=C:\Users\Admin\AppData\Roaming\datatemp\aria2.session --input-file=C:\Users\Admin\AppData\Roaming\datatemp\aria2.session --rpc-listen-port=7022 --listen-port=7055 --dht-listen-port=7033 --enable-rpc=true --rpc-allow-origin-all=true --disable-ipv6=false --rpc-secret=123 --enable-dht=true --enable-dht6=true --dht-file-path=C:/Users/Admin/AppData/Roaming/datatemp/dht.dat --dht-file-path6=C:/Users/Admin/AppData/Roaming/datatemp/dht6.dat --bt-external-ip= --stop-with-process=1696
  2⤵
  PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\datatemp\aria2.conf

Filesize
55KB

MD5
4a1b71ede6ff12456038f6a26e356a42

SHA1
16af6552ebbeb0300d1451715add745e840ff993

SHA256
0ee9c9e686a595f86d25854bca6e92e8bfd51437a28306b4eaebf736156cc7ee

SHA512
bea15214c76083c86f4104e569bb93ba7000e4e555382b6cc97e0c9bdb6b4de72f50b8458d4c3420e073edefe4f40b7eea580000001d089fd5c78e303fbd8501

Download Submit
C:\Users\Admin\AppData\Roaming\datatemp\aria2c.exe

Filesize
2.0MB

MD5
7ef192e1abc57225c174c0b855a7c898

SHA1
b3a39b59f6c93b3ff693e4224cb32d4fc9fe595b

SHA256
6eff05c9eb0838f63fa840ed29d44e8b432ea287cca5cd88c9bce08d60cdd109

SHA512
ee723cc90bf11ff3995f18ce9250fdf40ae4480497a2e02498afa0a1e2f3d106134ffbeab89e8763a5d835f7db0062c18c0abefb6983781e17e714105f2e9a72

Download Submit
\Users\Admin\AppData\Roaming\datatemp\aria2c.exe

Filesize
2.0MB

MD5
7885bbdb353c408905c35a11718f9f0e

SHA1
c8c869ab80d88b5f2fb5a0ed8760df6c8812c82f

SHA256
de454ed642fc6ab800dcc6090a3ddf435858182a9658efb7e46e428532f53519

SHA512
e8f81474bef944e2d94420c5957b399da2f7b0c99032097f88df1f2614dcbf0041a6bc25c8cc260c798c2ce7a406c8be4e9b78645482d6bba574f9f8f7a82f79

Download Submit
\Users\Admin\AppData\Roaming\datatemp\libcurl.dll

Filesize
2.5MB

MD5
cc6ab2f8b7d330cde8ec9f482a31a4f2

SHA1
30e0ea85a861048d71f05ee26aa3afcd6b478f6e

SHA256
da6e0d46e18ae29f2f5a4a91ee6dbb84f34d81a604a8407637b2a4cd6f0b4d99

SHA512
9cb64f390a12e8392b30c9c9860f0fdb11e19a632326623fca6630e43564eac3ff077ac8c1a1214d6c24d195dea30e010674ffe1fb3402e386264bc297560398

Download Submit
memory/2820-25-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download