Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-07-2024 21:08
Static task: static1
Behavioral task behavioral1: Sample MARD_25_2/Point32.exe, Resource win7-20240705-en
Behavioral task behavioral2: Sample MARD_25_2/Point32.exe, Resource win10v2004-20240709-en
Behavioral task behavioral3: Sample MARD_25_2/Update.exe, Resource win7-20240708-en
Behavioral task behavioral4: Sample MARD_25_2/Update.exe, Resource win10v2004-20240709-en
Behavioral task behavioral5: Sample MARD_25_2/atwtusb.exe, Resource win7-20240705-en
Behavioral task behavioral6: Sample MARD_25_2/atwtusb.exe, Resource win10v2004-20240704-en
General
Target: MARD_25_2/Point32.exe
Size: 512KB
MD5: 50b759474208ed15db3e792da2f39a72
SHA1: eef49a36c3275f5529f9b6cbd4124765bb147543
SHA256: 2810028f749d734fb09fca8aaa4e0dc67ad794fff1f4872bee88452bd7075568
SHA512: a59e10401f8cdba98716d5a3fd36ba1e4ec239becf4cf9c560c9da20ca874893cdad135b9aeba1d535e0b642eae37f5555fc6777426bd7de29182516ff1caee2
SSDEEP: 6144:4/8JeJfEuGs8k/bUlgqjpJDHCq17WSTLp980sbpy3KR/ie5bTEju4IIQVa:lJeJfEuGstgg/kjp98zHpie5nsaIQVa
Malware Config
Signatures
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
  pid   process
  3428  Point32.exe
  3428  Point32.exe
  4184  atwtusb.exe
  4184  atwtusb.exe

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
Processes:
  pid   process
  3428  Point32.exe
  4184  atwtusb.exe

Suspicious use of FindShellTrayWindow (64 IoCs)
Processes (64 rows listed; 3 rows are PID 3428 Point32.exe, the rest are PID 4184 atwtusb.exe):
  pid   process
  3428  Point32.exe
  4184  atwtusb.exe

Suspicious use of SendNotifyMessage (64 IoCs)
Processes (64 rows listed; 3 rows are PID 3428 Point32.exe, the rest are PID 4184 atwtusb.exe):
  pid   process
  3428  Point32.exe
  4184  atwtusb.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes (the same row is listed three times):
  description                       pid   process      target process
  PID 3428 wrote to memory of 4184  3428  Point32.exe  atwtusb.exe
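The signature tables above arrive from extraction as one run-together line per signature (filter chips, header and rows with no separators), and the hashes in the General section are only useful once a local copy of the sample has been checked against them. The following script is an added example, not code from the report or from the sandbox vendor: it parses the raw row text of the EnumeratesProcesses and WriteProcessMemory tables (embedded below as constructed sample input, copied from this report), collapses repeated rows into counts, labels each WriteProcessMemory edge by whether the target is a direct child of the writer (the parent map is reconstructed from the Processes tree of this report and is an assumption of the example), and recomputes the report's MD5/SHA1/SHA256 over a byte string so a local file can be compared with the listed digests.

```python
"""Turn the flattened signature tables of this sandbox report into structured IoCs.

Added example; not code from the report or from the sandbox vendor.
The sample strings below are copied from the raw extracted text of this report.
"""
import hashlib
import re
from collections import Counter

# Constructed sample input: raw "Processes:" rows exactly as extracted from the report.
RAW_ENUMERATES_PROCESSES = (
    "Point32.exeatwtusb.exepid process "
    "3428 Point32.exe 3428 Point32.exe 4184 atwtusb.exe 4184 atwtusb.exe"
)
RAW_WRITE_PROCESS_MEMORY = (
    "Point32.exedescription pid process target process "
    "PID 3428 wrote to memory of 4184 3428 Point32.exe atwtusb.exe "
    "PID 3428 wrote to memory of 4184 3428 Point32.exe atwtusb.exe "
    "PID 3428 wrote to memory of 4184 3428 Point32.exe atwtusb.exe"
)
# Assumption: parent map reconstructed from the report's Processes tree (child pid -> parent pid).
PARENT_OF = {4184: 3428}

# Digests the report lists for MARD_25_2/Point32.exe (SHA512 left out for brevity).
REPORTED_DIGESTS = {
    "md5": "50b759474208ed15db3e792da2f39a72",
    "sha1": "eef49a36c3275f5529f9b6cbd4124765bb147543",
    "sha256": "2810028f749d734fb09fca8aaa4e0dc67ad794fff1f4872bee88452bd7075568",
}

PID_IMAGE = re.compile(r"(\d+) (\S+\.exe)")
WRITE_ROW = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+\.exe) (\S+\.exe)")


def parse_pid_process_table(raw):
    """Count rows per (pid, image) in a 'pid process' table.

    Everything before the 'pid process' header is the table's filter chips
    (process names run together by extraction) and is discarded.
    """
    _, _, body = raw.partition("pid process")
    return Counter((int(pid), image) for pid, image in PID_IMAGE.findall(body))


def parse_write_process_memory(raw):
    """Return one (src_pid, src_image, dst_pid, dst_image) tuple per row."""
    edges = []
    for desc_src, desc_dst, pid, image, target in WRITE_ROW.findall(raw):
        if desc_src != pid:  # description column and pid column must agree
            raise ValueError(f"inconsistent row: {desc_src} vs {pid}")
        edges.append((int(desc_src), image, int(desc_dst), target))
    return edges


def classify_writes(edges, parent_of):
    """Label each unique write edge 'parent-to-child' or 'cross-process'.

    All writes in this report go from Point32.exe into the child it spawned;
    a write into an unrelated process would be the stronger injection signal.
    """
    labels = {}
    for src_pid, src_image, dst_pid, dst_image in set(edges):
        kind = "parent-to-child" if parent_of.get(dst_pid) == src_pid else "cross-process"
        labels[(src_pid, src_image, dst_pid, dst_image)] = kind
    return labels


def digests(data):
    """MD5/SHA1/SHA256 of a byte string, keyed like the report's General section."""
    return {name: hashlib.new(name, data).hexdigest() for name in REPORTED_DIGESTS}


def mismatching_digests(data, reported=REPORTED_DIGESTS):
    """Algorithms whose digest of `data` differs from the report; empty set means the file matches."""
    computed = digests(data)
    return {name for name, value in reported.items() if computed[name] != value}


if __name__ == "__main__":
    print(parse_pid_process_table(RAW_ENUMERATES_PROCESSES))
    edges = parse_write_process_memory(RAW_WRITE_PROCESS_MEMORY)
    print(Counter(edges))
    print(classify_writes(edges, PARENT_OF))
    # With a local copy of the sample: mismatching_digests(open(path, "rb").read())
    print(mismatching_digests(b""))
```

The report itself does not say what the three writes into PID 4184 contained, so the classification only records that the target is the writer's own freshly spawned child; treat that as weaker evidence of injection than a write into a pre-existing, unrelated process, and confirm the local sample's digests before attributing any of this behaviour to it.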
Processes
1. C:\Users\Admin\AppData\Local\Temp\MARD_25_2\Point32.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\MARD_25_2\Point32.exe"
   PID: 3428
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MARD_25_2\atwtusb.exe (spawned by PID 3428)
      Command line: atwtusb.exe
      PID: 4184
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage