09c9f0fe785a2b75f9d471a7c30419cccddc4756ca5e5edc59b53dfa8f586e19

Analysis

max time kernel
31s
max time network
17s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
15/07/2024, 05:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9108f7dc126ac285529166e5b353b7f0N.exe
Size

193KB
MD5

9108f7dc126ac285529166e5b353b7f0
SHA1

68e89f40af426541c8d8e79bd7186aca7b706049
SHA256

09c9f0fe785a2b75f9d471a7c30419cccddc4756ca5e5edc59b53dfa8f586e19
SHA512

77e94d4574c88f991ee135946ff892630de63f3b3467ab3db8ffed1d2fd673f6946bf2ab09ed7c14182c3a501b9ee206ecb7facc1a4fd468047df4f99bf5c18a
SSDEEP

1536:vHSoNdVRsAXg993nNK6Y1Yu6nz50vVkdIJIfBNMooko/awOnkNQKaU65:fSsdVRsAXg7M1Y3nz520NMooks7NQKW5

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1604	867.pif

Executes dropped EXE 2 IoCs

pid	Process
1604	867.pif
2732	9108f7dc126ac285529166e5b353b7f0N.exe

Loads dropped DLL 2 IoCs

pid	Process
2412	9108f7dc126ac285529166e5b353b7f0N.exe
2412	9108f7dc126ac285529166e5b353b7f0N.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	867.pif
File opened (read-only)	\??\Q:	867.pif
File opened (read-only)	\??\S:	867.pif
File opened (read-only)	\??\T:	867.pif
File opened (read-only)	\??\O:	867.pif
File opened (read-only)	\??\X:	867.pif
File opened (read-only)	\??\Y:	867.pif
File opened (read-only)	\??\E:	867.pif
File opened (read-only)	\??\G:	867.pif
File opened (read-only)	\??\H:	867.pif
File opened (read-only)	\??\M:	867.pif
File opened (read-only)	\??\N:	867.pif
File opened (read-only)	\??\K:	867.pif
File opened (read-only)	\??\P:	867.pif
File opened (read-only)	\??\U:	867.pif
File opened (read-only)	\??\Z:	867.pif
File opened (read-only)	\??\J:	867.pif
File opened (read-only)	\??\L:	867.pif
File opened (read-only)	\??\R:	867.pif
File opened (read-only)	\??\V:	867.pif
File opened (read-only)	\??\W:	867.pif

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\RCX9B78.tmp	867.pif
File opened for modification	C:\Windows\SysWOW64\userinit.exe18467	867.pif
File opened for modification	C:\Windows\SysWOW64\calc.exe15724	867.pif
File opened for modification	C:\Windows\SysWOW64\RCX9A9C.tmp	867.pif
File opened for modification	C:\Windows\SysWOW64\ctfmon.exe26962	867.pif
File opened for modification	C:\Windows\SysWOW64\cleanmgr.exe24464	867.pif
File opened for modification	C:\Windows\SysWOW64\RCX9C05.tmp	867.pif
File opened for modification	C:\Windows\SysWOW64\RCX982A.tmp	867.pif
File opened for modification	C:\Windows\SysWOW64\RCX9A1E.tmp	867.pif
File opened for modification	C:\Windows\SysWOW64\notepad.exe11478	867.pif

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 1604	2412	9108f7dc126ac285529166e5b353b7f0N.exe	30
PID 2412 wrote to memory of 1604	2412	9108f7dc126ac285529166e5b353b7f0N.exe	30
PID 2412 wrote to memory of 1604	2412	9108f7dc126ac285529166e5b353b7f0N.exe	30
PID 2412 wrote to memory of 1604	2412	9108f7dc126ac285529166e5b353b7f0N.exe	30

C:\Users\Admin\AppData\Local\Temp\9108f7dc126ac285529166e5b353b7f0N.exe
"C:\Users\Admin\AppData\Local\Temp\9108f7dc126ac285529166e5b353b7f0N.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Users\Admin\AppData\Local\Temp\867.pif
  C:\Users\Admin\AppData\Local\Temp\867.pif ////DAEMON
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  PID:1604
- - C:\Users\Admin\AppData\Local\Temp\9108f7dc126ac285529166e5b353b7f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\9108f7dc126ac285529166e5b353b7f0N.exe"
    3⤵
    - Executes dropped EXE
    PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9108f7dc126ac285529166e5b353b7f0N.exe

Filesize
9KB

MD5
1b19d302d7ffa3d0901b3d990a4e8e12

SHA1
1c06dbe26185e2956373118edc7543ee5fe9b6eb

SHA256
33ad4738b6342c9cc2da01402b26a4424c0adfddde9936d8926a86bf8d80d44f

SHA512
348405010f1af06ade0f4b9a27144e783c48777e93d0efd2d2f42c3dbac34dd9ca54ec7618120384f36b1a34bc0bcc0a38808080b8d6866c010743e327890293

Download Submit
C:\Users\Admin\AppData\Local\Temp\9108f7dc126ac285529166e5b353b7f0N.exe

Filesize
193KB

MD5
18a94dee66dbe444d0e39b29989c9236

SHA1
b1562e0ba270c0cf4080aa58bf86a59b4d800716

SHA256
cc91b89a33cbab9ff16e93437186ecc7e8519d1cbd7e66f00670b989680caeb5

SHA512
8eb255c9f70b9ec39718ffb335a71ab4c23853f1f9a894138e638a876b83291055881d90f905168778577817542b1bde44e6f1af02eb92cde79721784caa6772

Download Submit
\Users\Admin\AppData\Local\Temp\867.pif

Filesize
184KB

MD5
20904784941ced9d9be448b07c91a987

SHA1
dae73b52ca7112abdb7c79881ba075503c43607c

SHA256
53973c0c3e219bc68a1cb18f717b7c89e5599da3db3d28f42554b8d8eeeb43de

SHA512
8ade6acd0a4b2e69325de5953f109b4c8b19d6ba7719fe9755e3cc4f7e6fa65db1780869bd928776d384115ed50736ca80bfffd3d1f887fb48dac042c473860d

Download Submit