09c9f0fe785a2b75f9d471a7c30419cccddc4756ca5e5edc59b53dfa8f586e19

Analysis

max time kernel
94s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
15/07/2024, 05:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9108f7dc126ac285529166e5b353b7f0N.exe
Size

193KB
MD5

9108f7dc126ac285529166e5b353b7f0
SHA1

68e89f40af426541c8d8e79bd7186aca7b706049
SHA256

09c9f0fe785a2b75f9d471a7c30419cccddc4756ca5e5edc59b53dfa8f586e19
SHA512

77e94d4574c88f991ee135946ff892630de63f3b3467ab3db8ffed1d2fd673f6946bf2ab09ed7c14182c3a501b9ee206ecb7facc1a4fd468047df4f99bf5c18a
SSDEEP

1536:vHSoNdVRsAXg993nNK6Y1Yu6nz50vVkdIJIfBNMooko/awOnkNQKaU65:fSsdVRsAXg7M1Y3nz520NMooks7NQKW5

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4620	585.pif

Executes dropped EXE 2 IoCs

pid	Process
4620	585.pif
3076	9108f7dc126ac285529166e5b353b7f0N.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	585.pif
File opened (read-only)	\??\Q:	585.pif
File opened (read-only)	\??\V:	585.pif
File opened (read-only)	\??\T:	585.pif
File opened (read-only)	\??\Z:	585.pif
File opened (read-only)	\??\H:	585.pif
File opened (read-only)	\??\J:	585.pif
File opened (read-only)	\??\L:	585.pif
File opened (read-only)	\??\M:	585.pif
File opened (read-only)	\??\S:	585.pif
File opened (read-only)	\??\U:	585.pif
File opened (read-only)	\??\X:	585.pif
File opened (read-only)	\??\Y:	585.pif
File opened (read-only)	\??\E:	585.pif
File opened (read-only)	\??\G:	585.pif
File opened (read-only)	\??\K:	585.pif
File opened (read-only)	\??\N:	585.pif
File opened (read-only)	\??\I:	585.pif
File opened (read-only)	\??\O:	585.pif
File opened (read-only)	\??\R:	585.pif
File opened (read-only)	\??\W:	585.pif

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\calc.exe15724	585.pif
File opened for modification	C:\Windows\SysWOW64\RCXA0B5.tmp	585.pif
File opened for modification	C:\Windows\SysWOW64\notepad.exe11478	585.pif
File opened for modification	C:\Windows\SysWOW64\cleanmgr.exe24464	585.pif
File opened for modification	C:\Windows\SysWOW64\userinit.exe18467	585.pif
File opened for modification	C:\Windows\SysWOW64\RCX9EEF.tmp	585.pif
File opened for modification	C:\Windows\SysWOW64\RCXA133.tmp	585.pif
File opened for modification	C:\Windows\SysWOW64\ctfmon.exe26962	585.pif
File opened for modification	C:\Windows\SysWOW64\RCXA23E.tmp	585.pif
File opened for modification	C:\Windows\SysWOW64\RCXA2FB.tmp	585.pif

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 916 wrote to memory of 4620	916	9108f7dc126ac285529166e5b353b7f0N.exe	83
PID 916 wrote to memory of 4620	916	9108f7dc126ac285529166e5b353b7f0N.exe	83
PID 916 wrote to memory of 4620	916	9108f7dc126ac285529166e5b353b7f0N.exe	83
PID 4620 wrote to memory of 3076	4620	585.pif	89
PID 4620 wrote to memory of 3076	4620	585.pif	89
PID 4620 wrote to memory of 3076	4620	585.pif	89

C:\Users\Admin\AppData\Local\Temp\9108f7dc126ac285529166e5b353b7f0N.exe
"C:\Users\Admin\AppData\Local\Temp\9108f7dc126ac285529166e5b353b7f0N.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:916
- C:\Users\Admin\AppData\Local\Temp\585.pif
  C:\Users\Admin\AppData\Local\Temp\585.pif ////DAEMON
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4620
- - C:\Users\Admin\AppData\Local\Temp\9108f7dc126ac285529166e5b353b7f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\9108f7dc126ac285529166e5b353b7f0N.exe"
    3⤵
    - Executes dropped EXE
    PID:3076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\585.pif

Filesize
184KB

MD5
20904784941ced9d9be448b07c91a987

SHA1
dae73b52ca7112abdb7c79881ba075503c43607c

SHA256
53973c0c3e219bc68a1cb18f717b7c89e5599da3db3d28f42554b8d8eeeb43de

SHA512
8ade6acd0a4b2e69325de5953f109b4c8b19d6ba7719fe9755e3cc4f7e6fa65db1780869bd928776d384115ed50736ca80bfffd3d1f887fb48dac042c473860d

Download Submit
C:\Users\Admin\AppData\Local\Temp\9108f7dc126ac285529166e5b353b7f0N.exe

Filesize
193KB

MD5
18a94dee66dbe444d0e39b29989c9236

SHA1
b1562e0ba270c0cf4080aa58bf86a59b4d800716

SHA256
cc91b89a33cbab9ff16e93437186ecc7e8519d1cbd7e66f00670b989680caeb5

SHA512
8eb255c9f70b9ec39718ffb335a71ab4c23853f1f9a894138e638a876b83291055881d90f905168778577817542b1bde44e6f1af02eb92cde79721784caa6772

Download Submit
C:\Users\Admin\AppData\Local\Temp\9108f7dc126ac285529166e5b353b7f0N.exe

Filesize
9KB

MD5
1b19d302d7ffa3d0901b3d990a4e8e12

SHA1
1c06dbe26185e2956373118edc7543ee5fe9b6eb

SHA256
33ad4738b6342c9cc2da01402b26a4424c0adfddde9936d8926a86bf8d80d44f

SHA512
348405010f1af06ade0f4b9a27144e783c48777e93d0efd2d2f42c3dbac34dd9ca54ec7618120384f36b1a34bc0bcc0a38808080b8d6866c010743e327890293

Download Submit
C:\Windows\SysWOW64\userinit.exe18467

Filesize
211KB

MD5
615a4554e9c189a14081b10b57c4d9c5

SHA1
8995c22632cae957f0c77cf170e5a9d7e16df140

SHA256
c01d41e02854d13ac9a008bde0be1abffc20c580f8cacb397045f4166768544e

SHA512
c82a62a423843a2ae17aae5c1efbdf17f50d6134ec4db34a93d06df1ea6eb66ef3181fe2f12719f853282d467cb864c352bcbcdf3524af455bc2b8cba48ff987

Download Submit