Analysis
- max time kernel: 150s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 10-07-2024 21:08
Static task: static1

Behavioral tasks
task         sample                  resource
behavioral1  MARD_25_2/Point32.exe   win7-20240705-en
behavioral2  MARD_25_2/Point32.exe   win10v2004-20240709-en
behavioral3  MARD_25_2/Update.exe    win7-20240708-en
behavioral4  MARD_25_2/Update.exe    win10v2004-20240709-en
behavioral5  MARD_25_2/atwtusb.exe   win7-20240705-en
behavioral6  MARD_25_2/atwtusb.exe   win10v2004-20240704-en
General
- Target: MARD_25_2/atwtusb.exe
- Size: 600KB
- MD5: ad9dd508d210487f099ab56fe2ea40d6
- SHA1: 031e2c1d484c8c215f48f851df8cda2ac2e7dd96
- SHA256: 46c05479987097e5d4a4a128db1011182bdd9ed339ef97ef6a99bd973bc5738f
- SHA512: 58905b72ec63bbd8ce6f7623b16a17e91c4be53357bebe2dbefbf2cf2165ef555848916039db00160e4537e3ee8820a590ac0c845ad89ee9921321ebb8488f92
- SSDEEP: 12288:lJeJfEuGstgg/kjp98zHpie5nsaIQVbOIi7ulr:lJeJfAqkjp98zHpieds+bXp
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid   process
  2336  atwtusb.exe
  2132  Point32.exe
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  Processes:
  pid   process
  2132  Point32.exe
  2336  atwtusb.exe
- Suspicious use of FindShellTrayWindow (64 IoCs)
- Suspicious use of SendNotifyMessage (64 IoCs)
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  description                        pid   process      target process
  PID 2336 wrote to memory of 2132   2336  atwtusb.exe  Point32.exe
  PID 2336 wrote to memory of 2132   2336  atwtusb.exe  Point32.exe
  PID 2336 wrote to memory of 2132   2336  atwtusb.exe  Point32.exe
  PID 2336 wrote to memory of 2132   2336  atwtusb.exe  Point32.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\MARD_25_2\atwtusb.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\MARD_25_2\atwtusb.exe"
  PID: 2336
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MARD_25_2\Point32.exe (child of PID 2336)
    Command line: Point32.exe
    PID: 2132
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage