543a52f807eae486f192899530513ee26884d7203aeeec0e4dff9a2cad930129

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
12/07/2024, 03:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

543a52f807eae486f192899530513ee26884d7203aeeec0e4dff9a2cad930129.exe
Size

11.5MB
MD5

2619b49efeb36039e12a0c0feeedc58d
SHA1

47dd9cea6caa0149a3643c461a42e59291e1cf74
SHA256

543a52f807eae486f192899530513ee26884d7203aeeec0e4dff9a2cad930129
SHA512

b2878b6c7479fbb1ee1ae2679643f0d5df0e19187c1a2eaca72c69b43e28a1262e200b62a64b9f79e1a98f97893ea2b652b022b0ebafdaf6a3405a2bc598c143
SSDEEP

196608:n2Gtl6DPRKTkNg8h8V2KQqGfyxXIicOExzUx8Bssun3f6B2+FGjqBwHs2q:2GtA7RKQNg8h8V2KQH6uBsc9oqBF

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3008	543a52f807eae486f192899530513ee26884d7203aeeec0e4dff9a2cad930129.exe

Enumerates connected drives 3 TTPs 3 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	543a52f807eae486f192899530513ee26884d7203aeeec0e4dff9a2cad930129.exe
File opened (read-only)	\??\E:	543a52f807eae486f192899530513ee26884d7203aeeec0e4dff9a2cad930129.exe
File opened (read-only)	\??\F:	543a52f807eae486f192899530513ee26884d7203aeeec0e4dff9a2cad930129.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2708	543a52f807eae486f192899530513ee26884d7203aeeec0e4dff9a2cad930129.exe
2708	543a52f807eae486f192899530513ee26884d7203aeeec0e4dff9a2cad930129.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 2760	2708	543a52f807eae486f192899530513ee26884d7203aeeec0e4dff9a2cad930129.exe	31
PID 2708 wrote to memory of 2760	2708	543a52f807eae486f192899530513ee26884d7203aeeec0e4dff9a2cad930129.exe	31
PID 2708 wrote to memory of 2760	2708	543a52f807eae486f192899530513ee26884d7203aeeec0e4dff9a2cad930129.exe	31
PID 2708 wrote to memory of 2760	2708	543a52f807eae486f192899530513ee26884d7203aeeec0e4dff9a2cad930129.exe	31
PID 2760 wrote to memory of 3008	2760	cmd.exe	33
PID 2760 wrote to memory of 3008	2760	cmd.exe	33
PID 2760 wrote to memory of 3008	2760	cmd.exe	33
PID 2760 wrote to memory of 3008	2760	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\543a52f807eae486f192899530513ee26884d7203aeeec0e4dff9a2cad930129.exe
"C:\Users\Admin\AppData\Local\Temp\543a52f807eae486f192899530513ee26884d7203aeeec0e4dff9a2cad930129.exe"
1⤵
- Enumerates connected drives
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\2FA428009CB449918875410398C5CD90.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2760
- - F:\996m2\543a52f807eae486f192899530513ee26884d7203aeeec0e4dff9a2cad930129.exe
    "F:/996m2/543a52f807eae486f192899530513ee26884d7203aeeec0e4dff9a2cad930129.exe"
    3⤵
    - Executes dropped EXE
    PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2FA428009CB449918875410398C5CD90.bat

Filesize
81B

MD5
38a9332ff2dacc107ab3af22a0c41484

SHA1
795f79956151bd8b242010a04dd7d4409a6cbff9

SHA256
37ada7613328a35140593766a36aa6edd9953037ba8efd509250f87a9cca96c4

SHA512
62137462251e94a444bc2394326f7d2c8ae0c3de43c1c618c16158c0b0059ee8dbcfd226c151043e63ab5d9c5f6faf1feda6c4dd2b4ef6c83c218c66c077551d

Download Submit
C:\Users\Admin\AppData\Local\Temp\°ëÏÄ´«Ææ.ini

Filesize
75B

MD5
e3febec7c9d89d6c7dca6f55195ed89f

SHA1
f98fb4c0fd3b7c926e1875fda3566388903f4eef

SHA256
d7e3aaf8d14b12596ce20a82487200fd3daa34db92f06c92703600519f02447c

SHA512
2c034ddf1eea4addc7eca9206e176083a363d5cb69ed8acd87f1fc6ba0c6fa7a7e004550dc7257bcb237d78afe8fb672c695a6b073643cc2c4efb9477321f1bf

Download Submit
F:\996m2\543a52f807eae486f192899530513ee26884d7203aeeec0e4dff9a2cad930129.exe

Filesize
11.5MB

MD5
2619b49efeb36039e12a0c0feeedc58d

SHA1
47dd9cea6caa0149a3643c461a42e59291e1cf74

SHA256
543a52f807eae486f192899530513ee26884d7203aeeec0e4dff9a2cad930129

SHA512
b2878b6c7479fbb1ee1ae2679643f0d5df0e19187c1a2eaca72c69b43e28a1262e200b62a64b9f79e1a98f97893ea2b652b022b0ebafdaf6a3405a2bc598c143

Download Submit
memory/2708-0-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2708-22-0x0000000000400000-0x0000000000F14000-memory.dmp

Filesize
11.1MB

Download
memory/3008-13-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/3008-24-0x0000000000400000-0x0000000000F14000-memory.dmp

Filesize
11.1MB

Download