a40d966434b52a7d0eefeddd0345a26b04cad7c19b6122f365d12fd49e9920c1

Analysis

max time kernel
141s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2024, 17:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ha_ezwipe291_syg.exe
Size

734KB
MD5

a19ad05b09f5353a62f5f1052257ba68
SHA1

9511ade810e2f972a96ea9e1c4d3d337065ae546
SHA256

85813d4063a02baa0ee3a8f76cb80b5abe6d94bfec5bf1729e6f43dfa763e097
SHA512

66dcff4ca661e275c8e89b0ca8c8ccf6a8eff9db08fde0925716611003e648285d33d3fef0ec284a6f1893d261c37e85d29a4e626bd03a8c4c1e2bfc624c5cd8
SSDEEP

12288:/2UtBLWA8Uy3E0nBokiE02QUU6nSZsnDIaocvrWuTdcKrqOTujMI7y2Ss8KVxJRc:/2U3HHGE0+kz7QUrnDEcvrWuTUB7yjxF

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1596	ha_ezwipe291_syg.tmp

Loads dropped DLL 3 IoCs

pid	Process
1596	ha_ezwipe291_syg.tmp
1596	ha_ezwipe291_syg.tmp
1596	ha_ezwipe291_syg.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1596	ha_ezwipe291_syg.tmp
1596	ha_ezwipe291_syg.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1392 wrote to memory of 1596	1392	ha_ezwipe291_syg.exe	83
PID 1392 wrote to memory of 1596	1392	ha_ezwipe291_syg.exe	83
PID 1392 wrote to memory of 1596	1392	ha_ezwipe291_syg.exe	83

C:\Users\Admin\AppData\Local\Temp\ha_ezwipe291_syg.exe
"C:\Users\Admin\AppData\Local\Temp\ha_ezwipe291_syg.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1392
- C:\Users\Admin\AppData\Local\Temp\is-M803K.tmp\ha_ezwipe291_syg.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-M803K.tmp\ha_ezwipe291_syg.tmp" /SL5="$5026A,484292,53248,C:\Users\Admin\AppData\Local\Temp\ha_ezwipe291_syg.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:1596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-H98IE.tmp\gifctrl.dll

Filesize
13KB

MD5
aafb72be02a69880709ce0f831aca6cc

SHA1
7a099ac160efe301c23aec8d26636dbb3c8b745f

SHA256
6e6b107f43df35b336147599513474e846fad55b900ad366a81f87e32eaafd57

SHA512
4c5d963e6a74d38883597af28ce28dc071fa7558ad6d4825a3a00bff0482d526884fbf64e851ab6570d5ba0e9a83d2170684d2f0e5cbcfc84fc91bf56ece2d7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-H98IE.tmp\waterctrl.dll

Filesize
16KB

MD5
aefd35a23680fda066a05e4b5f6dc88e

SHA1
8278021d560722701c1f3b91b85ed96bf34bed0c

SHA256
bbc65291a3bcfb6559c391e251bca12d6b935a8a8de0825443642aa2b5e39e78

SHA512
7ac32589e0bf8889e36184058e1f2ae0a0b6c701188ed18fbaf5b45afcff06eecb760d29e342953d50091fb14ef2ee8fb3285a1ec2c1dadec3ecea18fcfe56a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-M803K.tmp\ha_ezwipe291_syg.tmp

Filesize
680KB

MD5
5541b9dce56442c67dd1cb8af995a64e

SHA1
ff705bab3b80f62aada7074e7754dfc65effd32c

SHA256
1364bc3fcfb5a68f9f260e18444e59c8495e732ec097b8b175140f136e707803

SHA512
f01e0855fb62ec43f338293b35fbbce6374bd62eacff98973d38b139c93c15198e62880bbefb08a487861c8719c3e0d05212b54eb4534c3af2fd7bb1c9226aeb

Download Submit
memory/1392-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1392-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/1392-29-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1596-12-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/1596-30-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download