0da724bc5af61d4020d5f41a9915fedd10170ae6943d2fddc1ebb06f3914b373

Analysis

max time kernel
65s
max time network
68s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
21/07/2024, 00:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3967dd9ae2418cb60e9e1199034f4f50N.exe
Size

32KB
MD5

3967dd9ae2418cb60e9e1199034f4f50
SHA1

01cb692a947b2131c2a3de8158eefd7d04e513e4
SHA256

0da724bc5af61d4020d5f41a9915fedd10170ae6943d2fddc1ebb06f3914b373
SHA512

0d452324051e69e7de2e85f1bedf894d74566c0b0ddbfe6cd4bdb7f98ffeea6ee36b54d5957fa4adacd94d47281c177651b186896843be87b419c82da7f12724
SSDEEP

192:GAGqjRFGKMh9ED/IDExeorm9+Dfp0GjW5sH2t3AIa6abHa5tGbFOvhy:PVR8iQLoFx1jW5sIZR5tGwvU

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2960	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2300	Initech.exe

Loads dropped DLL 2 IoCs

pid	Process
2432	3967dd9ae2418cb60e9e1199034f4f50N.exe
2432	3967dd9ae2418cb60e9e1199034f4f50N.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Graphics = "\"C:\\ProgramData\\Initech\\Initech.exe\" /run"	3967dd9ae2418cb60e9e1199034f4f50N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 2300	2432	3967dd9ae2418cb60e9e1199034f4f50N.exe	29
PID 2432 wrote to memory of 2300	2432	3967dd9ae2418cb60e9e1199034f4f50N.exe	29
PID 2432 wrote to memory of 2300	2432	3967dd9ae2418cb60e9e1199034f4f50N.exe	29
PID 2432 wrote to memory of 2300	2432	3967dd9ae2418cb60e9e1199034f4f50N.exe	29
PID 2432 wrote to memory of 2960	2432	3967dd9ae2418cb60e9e1199034f4f50N.exe	30
PID 2432 wrote to memory of 2960	2432	3967dd9ae2418cb60e9e1199034f4f50N.exe	30
PID 2432 wrote to memory of 2960	2432	3967dd9ae2418cb60e9e1199034f4f50N.exe	30
PID 2432 wrote to memory of 2960	2432	3967dd9ae2418cb60e9e1199034f4f50N.exe	30

C:\Users\Admin\AppData\Local\Temp\3967dd9ae2418cb60e9e1199034f4f50N.exe
"C:\Users\Admin\AppData\Local\Temp\3967dd9ae2418cb60e9e1199034f4f50N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2432
- C:\ProgramData\Initech\Initech.exe
  "C:\ProgramData\Initech\Initech.exe" /run
  2⤵
  - Executes dropped EXE
  PID:2300
- C:\windows\SysWOW64\cmd.exe
  "C:\windows\system32\cmd.exe" /c del /q "C:\Users\Admin\AppData\Local\Temp\3967dd9ae2418cb60e9e1199034f4f50N.exe" >> NUL
  2⤵
  - Deletes itself
  PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\ProgramData\Initech\Initech.exe

Filesize
32KB

MD5
faed25b4a51499a69c0873765dcf96c9

SHA1
5fa67960e33f5ddf7f7a10fca121493d52847fac

SHA256
dc5708c3ea1e4bbb8bffae7de17f588f95da34330f1aa4d8595e080258f54f50

SHA512
e6ad4f99df98b761fd3e5379734b460f4951cee0870b9bd2361bdfe3b8fc5b9be2b72dc2e864d145d46c9adad2f62652405659699ce11c1d43607807dfe3f93f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads