0788aaea249d92a84f70047efcacaa54c26320b439c490ba3ce00457955031d6

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
16/07/2024, 14:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0788aaea249d92a84f70047efcacaa54c26320b439c490ba3ce00457955031d6.exe
Size

1.5MB
MD5

50a5e891da27e63d54e68511e48aa026
SHA1

87073d85a7ba420b15c8bb9a9e4adc64db2bcfef
SHA256

0788aaea249d92a84f70047efcacaa54c26320b439c490ba3ce00457955031d6
SHA512

6df8811e3e1f6a4110ca3b7c498af13898b46962a30888879180b2f11dda24344a1de4807663d46dd86f7ea11855d08137980cc85fe71e688d082f2f79994909
SSDEEP

24576:AfHFw5b9DOnFYrv+kjqipUompMEoNMDYSkbDknoI6JK+ZYtEi8ETtAM5B:sjFYrv+kjV45oeYSRnyJhOtEVcf5B

Score

4^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2380	detection.exe
2608	curl_x64.exe

Loads dropped DLL 3 IoCs

pid	Process
1976	0788aaea249d92a84f70047efcacaa54c26320b439c490ba3ce00457955031d6.exe
2380	detection.exe
2380	detection.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 2392	1976	0788aaea249d92a84f70047efcacaa54c26320b439c490ba3ce00457955031d6.exe	30
PID 1976 wrote to memory of 2392	1976	0788aaea249d92a84f70047efcacaa54c26320b439c490ba3ce00457955031d6.exe	30
PID 1976 wrote to memory of 2392	1976	0788aaea249d92a84f70047efcacaa54c26320b439c490ba3ce00457955031d6.exe	30
PID 1976 wrote to memory of 2392	1976	0788aaea249d92a84f70047efcacaa54c26320b439c490ba3ce00457955031d6.exe	30
PID 1976 wrote to memory of 2380	1976	0788aaea249d92a84f70047efcacaa54c26320b439c490ba3ce00457955031d6.exe	32
PID 1976 wrote to memory of 2380	1976	0788aaea249d92a84f70047efcacaa54c26320b439c490ba3ce00457955031d6.exe	32
PID 1976 wrote to memory of 2380	1976	0788aaea249d92a84f70047efcacaa54c26320b439c490ba3ce00457955031d6.exe	32
PID 1976 wrote to memory of 2380	1976	0788aaea249d92a84f70047efcacaa54c26320b439c490ba3ce00457955031d6.exe	32
PID 2392 wrote to memory of 2732	2392	cmd.exe	34
PID 2392 wrote to memory of 2732	2392	cmd.exe	34
PID 2392 wrote to memory of 2732	2392	cmd.exe	34
PID 2392 wrote to memory of 2732	2392	cmd.exe	34
PID 2732 wrote to memory of 2856	2732	cmd.exe	36
PID 2732 wrote to memory of 2856	2732	cmd.exe	36
PID 2732 wrote to memory of 2856	2732	cmd.exe	36
PID 2732 wrote to memory of 2856	2732	cmd.exe	36
PID 2732 wrote to memory of 2784	2732	cmd.exe	37
PID 2732 wrote to memory of 2784	2732	cmd.exe	37
PID 2732 wrote to memory of 2784	2732	cmd.exe	37
PID 2732 wrote to memory of 2784	2732	cmd.exe	37
PID 2732 wrote to memory of 2840	2732	cmd.exe	38
PID 2732 wrote to memory of 2840	2732	cmd.exe	38
PID 2732 wrote to memory of 2840	2732	cmd.exe	38
PID 2732 wrote to memory of 2840	2732	cmd.exe	38
PID 2732 wrote to memory of 2728	2732	cmd.exe	39
PID 2732 wrote to memory of 2728	2732	cmd.exe	39
PID 2732 wrote to memory of 2728	2732	cmd.exe	39
PID 2732 wrote to memory of 2728	2732	cmd.exe	39
PID 2380 wrote to memory of 2608	2380	detection.exe	40
PID 2380 wrote to memory of 2608	2380	detection.exe	40
PID 2380 wrote to memory of 2608	2380	detection.exe	40
PID 2380 wrote to memory of 2608	2380	detection.exe	40

C:\Users\Admin\AppData\Local\Temp\0788aaea249d92a84f70047efcacaa54c26320b439c490ba3ce00457955031d6.exe
"C:\Users\Admin\AppData\Local\Temp\0788aaea249d92a84f70047efcacaa54c26320b439c490ba3ce00457955031d6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C START "" "C:\Users\Admin\AppData\Local\Temp\interface.lnk"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\interface.cmd" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Windows\SysWOW64\mode.com
      MODE CON: COLS=76 LINES=15
      4⤵
      PID:2856
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" VER "
      4⤵
      PID:2784
  - - C:\Windows\SysWOW64\findstr.exe
      FINDSTR /I /R /C:"version 5\.[0-1]\."
      4⤵
      PID:2840
  - - C:\Windows\SysWOW64\waitfor.exe
      WAITFOR unlock
      4⤵
      PID:2728
- C:\Users\Admin\AppData\Local\Temp\detection.exe
  "C:\Users\Admin\AppData\Local\Temp\detection.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Users\Admin\AppData\Local\Temp\curl_x64.exe
    "C:\Users\Admin\AppData\Local\Temp\curl_x64.exe" --connect-timeout 5 --max-time 20 --fail --silent --request GET "https://www.touslesdrivers.com/php/mes_drivers/version.php?v_version=3.0.4"
    3⤵
    - Executes dropped EXE
    PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\interface.cmd

Filesize
2KB

MD5
e0eb53551aca2acff814ddd7aca212e2

SHA1
ee825c865d5abf244d6165ee838735f1ba05bfcb

SHA256
11993a03f68a33500a3ce8fbeb3e3c2042a28299d04f39eed40147709e76ca79

SHA512
ddde3d274b2ea8da0d645f88bd6b340902dca83e599ba0c7249953a7c1f2dd512f764802134a6efa1f48ca6cae23b78881569228f908dd0746abe3c46e95a348

Download Submit
C:\Users\Admin\AppData\Local\Temp\interface.lnk

Filesize
1KB

MD5
c4d150f76cedf9e2b4d6fdab11c76864

SHA1
445630f17f53c3749ec2a2a2283c9bd4a1725457

SHA256
20c452e6dd0269dbb7c87e08df941118072d058e014fa154b8ceaf6ee63a7a6d

SHA512
9ffd48d93ddf31b6252e303a37ccb8c734d84a7ce700c485c73501b4f0c24b0bf46de396139bb225849a7b71239672a775edc6eebd2ab85d15ebdceec8fb9a24

Download Submit
\Users\Admin\AppData\Local\Temp\curl_x64.exe

Filesize
840KB

MD5
e80c8cb9887a7c9426d4e843dddb8a44

SHA1
a04821e6d51f45b72a10bdbd3bb7e49de069ccd2

SHA256
3df4725778c0351e8472a0f8e18caf4fa9b95c98e4f2d160a26c3749f9869568

SHA512
41b4bd84336785d4da13b5653183bf2a405b918afad3acd934f253d23b1e00460173e36b2d65a61f77ef2b942dba735655fc5b4ec561c375896f5a010e053d33

Download Submit
\Users\Admin\AppData\Local\Temp\detection.exe

Filesize
1.1MB

MD5
02ba1c44b6392f013a7aa0b91314f45a

SHA1
724c1977101ecae88e4f104a8422b64bfec01a98

SHA256
7fbe59195f5f6f45c8b38b12488a169fdcb3a272004dbaf44c9d92a60a3690cb

SHA512
56bed935b028257e6eb485c555002f3e07e86788452cca0e28786098cc9254a7462b777a7a46ae6594911a73d786a6d15dee248f05a4c33a1bc749be071bcc3d

Download Submit
memory/1976-10-0x00000000031E0000-0x0000000003473000-memory.dmp

Filesize
2.6MB

Download
memory/1976-67-0x0000000000400000-0x000000000059F000-memory.dmp

Filesize
1.6MB

Download
memory/1976-80-0x0000000000400000-0x000000000059F000-memory.dmp

Filesize
1.6MB

Download
memory/1976-81-0x0000000000400000-0x000000000059F000-memory.dmp

Filesize
1.6MB

Download
memory/2380-12-0x000000000068E000-0x000000000068F000-memory.dmp

Filesize
4KB

Download
memory/2380-11-0x0000000000400000-0x0000000000693000-memory.dmp

Filesize
2.6MB

Download
memory/2380-68-0x0000000000400000-0x0000000000693000-memory.dmp

Filesize
2.6MB

Download
memory/2380-78-0x0000000000400000-0x0000000000693000-memory.dmp

Filesize
2.6MB

Download