541a2c9068a75ba4d24a4a13dfc213c6737314540e50740b526418b6a461ec72

Analysis

max time kernel
15s
max time network
16s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
20/07/2024, 17:31

Target

f28160ad39dfc1d4ab1a077db2b0a8e0N.exe
Size

208KB
MD5

f28160ad39dfc1d4ab1a077db2b0a8e0
SHA1

80b19ab9f7f6d67d207501901d73c9cca545e9e0
SHA256

541a2c9068a75ba4d24a4a13dfc213c6737314540e50740b526418b6a461ec72
SHA512

8056da4f275a8ee899956d29698497df12e0584c1619e34064f606773c396c3d62aae1b32b5f531b14c2f954e58f468d6a4cac7735aa21d84fb4fbe9c6602126
SSDEEP

6144:qsH/owGxaqOndwa7jw0vMqRlNEBgs3me11QMeNcGBQEj:bfo+dwa7tLHCys0LQ

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
2796	VLUM.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\windows\VLUM.exe	f28160ad39dfc1d4ab1a077db2b0a8e0N.exe
File opened for modification	C:\windows\VLUM.exe	f28160ad39dfc1d4ab1a077db2b0a8e0N.exe
File created	C:\windows\VLUM.exe.bat	f28160ad39dfc1d4ab1a077db2b0a8e0N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

Suspicious use of SetWindowsHookEx 4 IoCs

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 2772	2756	f28160ad39dfc1d4ab1a077db2b0a8e0N.exe	31
PID 2756 wrote to memory of 2772	2756	f28160ad39dfc1d4ab1a077db2b0a8e0N.exe	31
PID 2756 wrote to memory of 2772	2756	f28160ad39dfc1d4ab1a077db2b0a8e0N.exe	31
PID 2756 wrote to memory of 2772	2756	f28160ad39dfc1d4ab1a077db2b0a8e0N.exe	31
PID 2772 wrote to memory of 2796	2772	cmd.exe	33
PID 2772 wrote to memory of 2796	2772	cmd.exe	33
PID 2772 wrote to memory of 2796	2772	cmd.exe	33
PID 2772 wrote to memory of 2796	2772	cmd.exe	33

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Windows\VLUM.exe.bat

Filesize
54B

MD5
cb62af1f53afef212c53387caeece443

SHA1
e452d61be093ce0111faa3874d5affabf6f8cb34

SHA256
37f50e0b70983781176a2ceea14c1ee87ece76fd8ee7ef784ce6cce2ff0246bd

SHA512
349a2ef2863263787847a0895c26e308ff66b7f2d1fc8d0f5410dcad281bffff46c229406c45ad78868513e50e64b82d88814064f5995a7ba161fef8305c0187

Download Submit
C:\windows\VLUM.exe

Filesize
208KB

MD5
694de50f9f9194102d7c959aca0a27a4

SHA1
c55ae07f8a9e3d56acf57f4633d798396f393def

SHA256
c3fda476c53c6082df844a36831b4898030daebf1e74ddbd2c72a70cce6f79bf

SHA512
67ee3a7f9f41602ab852edb83bf52e4ed4aab485d883496d9c6b3048a12d0f2060a50146c9afd5e92f6edc7bca92c65f267d70445548a0a79296a58cf8640fc8

Download Submit
memory/2756-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2756-12-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2796-16-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2796-17-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download