066568919bee2e4f10305f788623bfe8f3f8a54ff525dba56486328aa9d49f3b

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
03/07/2024, 20:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

066568919bee2e4f10305f788623bfe8f3f8a54ff525dba56486328aa9d49f3b.exe
Size

539KB
MD5

68af07d9d839b26be3d1b2a962f838b0
SHA1

40694d69f0e2a24c7028506364dcba840a90a457
SHA256

066568919bee2e4f10305f788623bfe8f3f8a54ff525dba56486328aa9d49f3b
SHA512

13a3e89e11eb9857a85ddedb5f053a936e84c758a25dbeb7afd5b9a42969fe337e6b17c5156979e6a208367faa1fa64873a76348183251bb01a689fc0cad0a1b
SSDEEP

12288:NyAfDcgcTQhgpZBDtoRAG01LqTl2mZoiUq:vDVBADt1ZKlX0q

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2928	EXE5BB.tmp

Loads dropped DLL 2 IoCs

pid	Process
2136	066568919bee2e4f10305f788623bfe8f3f8a54ff525dba56486328aa9d49f3b.exe
2136	066568919bee2e4f10305f788623bfe8f3f8a54ff525dba56486328aa9d49f3b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2928	EXE5BB.tmp
2928	EXE5BB.tmp

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 2928	2136	066568919bee2e4f10305f788623bfe8f3f8a54ff525dba56486328aa9d49f3b.exe	28
PID 2136 wrote to memory of 2928	2136	066568919bee2e4f10305f788623bfe8f3f8a54ff525dba56486328aa9d49f3b.exe	28
PID 2136 wrote to memory of 2928	2136	066568919bee2e4f10305f788623bfe8f3f8a54ff525dba56486328aa9d49f3b.exe	28
PID 2136 wrote to memory of 2928	2136	066568919bee2e4f10305f788623bfe8f3f8a54ff525dba56486328aa9d49f3b.exe	28
PID 2928 wrote to memory of 2788	2928	EXE5BB.tmp	29
PID 2928 wrote to memory of 2788	2928	EXE5BB.tmp	29
PID 2928 wrote to memory of 2788	2928	EXE5BB.tmp	29
PID 2928 wrote to memory of 2788	2928	EXE5BB.tmp	29

C:\Users\Admin\AppData\Local\Temp\066568919bee2e4f10305f788623bfe8f3f8a54ff525dba56486328aa9d49f3b.exe
"C:\Users\Admin\AppData\Local\Temp\066568919bee2e4f10305f788623bfe8f3f8a54ff525dba56486328aa9d49f3b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Users\Admin\AppData\Local\Temp\EXE5BB.tmp
  "C:\Users\Admin\AppData\Local\Temp\EXE5BB.tmp" "C:\Users\Admin\AppData\Local\Temp\OFM5BC.tmp" "C:\Users\Admin\AppData\Local\Temp\066568919bee2e4f10305f788623bfe8f3f8a54ff525dba56486328aa9d49f3b.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OFM5BC.tmp

Filesize
256KB

MD5
c791719ee24556ffd638866447f6b43f

SHA1
ce9faa7b6b215babc3e81146fab941ddf6a279b2

SHA256
acfc94d65066834627a5647c55c6a21c5159d98ed634d039147a54bae5cf24a0

SHA512
6089ede409358dfc40fd526797920f038ab607dd19bf87834b0c9fc07630bc5799d73a344c3991389e607f8162d13d2426f9ad1c3b28acc71f7d6d77b7cc09dc

Download Submit
\Users\Admin\AppData\Local\Temp\EXE5BB.tmp

Filesize
968KB

MD5
0f619e7352920d8d21926f2b715e0794

SHA1
cdd75d72647b1c75477c069b51b5f8ab5dc63e50

SHA256
e6090962c2504441c1cd5f6ee75dd5ffbddc38062f02807f0d44176d8f464381

SHA512
380592a1382f40d80839efea429619470b09fc0c0aad8666c6392d8dbd112f5e8719538fc93044454f4ce67375aaae8da59e09563b167ff8adf34240be684dae

Download Submit