ee3a8b076aed6d3f4dd52056b6fbcf62455a9258600b8e520551df9305dfb9fa

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
21-07-2024 10:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ee3a8b076aed6d3f4dd52056b6fbcf62455a9258600b8e520551df9305dfb9fa.exe
Size

1.2MB
MD5

5c4e8e94fdb71b3ff3a21f09ac5139a3
SHA1

423a608f65cddad090bf6d157ab8b24ac033f105
SHA256

ee3a8b076aed6d3f4dd52056b6fbcf62455a9258600b8e520551df9305dfb9fa
SHA512

23962f4feb869e2fcfaad80386def9b13ed431cc4184e56a9a131169ae589a8bb399dd949640d098d942b6d38bf9b9b9f4cbd91f887b6e1a445d80874e946e33
SSDEEP

24576:QUNxvqF6FGYJf6yjNQpNONZNlTX5PlGPgquLEIWxUc7N11QaSYx7GqFT:QUNxvC6FGYJf6yjNQpNONZnTX5PlGPgY

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2328	AutoHotkeyU64.exe

Loads dropped DLL 1 IoCs

pid	Process
2100	ee3a8b076aed6d3f4dd52056b6fbcf62455a9258600b8e520551df9305dfb9fa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2100	ee3a8b076aed6d3f4dd52056b6fbcf62455a9258600b8e520551df9305dfb9fa.exe
2100	ee3a8b076aed6d3f4dd52056b6fbcf62455a9258600b8e520551df9305dfb9fa.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2100	ee3a8b076aed6d3f4dd52056b6fbcf62455a9258600b8e520551df9305dfb9fa.exe
2100	ee3a8b076aed6d3f4dd52056b6fbcf62455a9258600b8e520551df9305dfb9fa.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 2328	2100	ee3a8b076aed6d3f4dd52056b6fbcf62455a9258600b8e520551df9305dfb9fa.exe	28
PID 2100 wrote to memory of 2328	2100	ee3a8b076aed6d3f4dd52056b6fbcf62455a9258600b8e520551df9305dfb9fa.exe	28
PID 2100 wrote to memory of 2328	2100	ee3a8b076aed6d3f4dd52056b6fbcf62455a9258600b8e520551df9305dfb9fa.exe	28
PID 2328 wrote to memory of 2340	2328	AutoHotkeyU64.exe	29
PID 2328 wrote to memory of 2340	2328	AutoHotkeyU64.exe	29
PID 2328 wrote to memory of 2340	2328	AutoHotkeyU64.exe	29
PID 2328 wrote to memory of 2340	2328	AutoHotkeyU64.exe	29
PID 2328 wrote to memory of 2340	2328	AutoHotkeyU64.exe	29
PID 2328 wrote to memory of 2340	2328	AutoHotkeyU64.exe	29
PID 2328 wrote to memory of 2340	2328	AutoHotkeyU64.exe	29

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ee3a8b076aed6d3f4dd52056b6fbcf62455a9258600b8e520551df9305dfb9fa.exe
"C:\Users\Admin\AppData\Local\Temp\ee3a8b076aed6d3f4dd52056b6fbcf62455a9258600b8e520551df9305dfb9fa.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Users\Admin\Documents\AutoHotkeyU64.exe
  C:\Users\Admin\Documents\AutoHotkeyU64.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:2340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\DOCUME~1\test.zip

Filesize
659KB

MD5
ecfff2ef9131457dced515713825041d

SHA1
3709b6fddcdd2c30ad2b79d617264f8f94c52b96

SHA256
c2205bea1e3cc1adba1b40c00f810b6927bbe3d2c373973f8a62c39acb4320c7

SHA512
c24cf73b42663bb6aacc5b1d3f8b5853be659eed264fc6b1e05d9d999995a0c70b100b4c4b147b56f17195ac5d9cd219b2119234d33887d9e98807824d417e6d

Download Submit
C:\Users\Admin\Documents\AutoHotkeyU64.ahk

Filesize
6KB

MD5
50b2fd640a95e3caf440bc3d8249c846

SHA1
46c7bd930438868a415b836b6aff4ca27cdf66f7

SHA256
d01e36c121b947001a82255fa8c767084daa0cee5f10f7816036aa87e2f4da9e

SHA512
a38b6b5bd38199bb08359750edc98c7d78f02f235ca530837ee2e5b6b6349bd96b132512e6db7f85da895f9ee4db3a791a97c59e4f543e9558dda02fa8797fa6

Download Submit
C:\Users\Admin\Documents\str.txt

Filesize
206KB

MD5
5faebcef5aa3a89fd67a311f470bd7ae

SHA1
6b406724e0addfd21d39c5b7b004bc5548c1f4d0

SHA256
3f63892d771615d05ab2b884369f8dea2e0a36a2704ab2009762ed1f33892aff

SHA512
d54dfb9a54e5ac92468397a94e393022802be65312d317d660fcb70c00ea91b23fc1167a9bca0b5c83dcb3a18fc9b1677bf82bb00de888a8631fec103b19e337

Download Submit
\Users\Admin\Documents\AutoHotkeyU64.exe

Filesize
1.3MB

MD5
2d0600fe2b1b3bdc45d833ca32a37fdb

SHA1
e9a7411bfef54050de3b485833556f84cabd6e41

SHA256
effdea83c6b7a1dc2ce9e9d40e91dfd59bed9fcbd580903423648b7ca97d9696

SHA512
9891cd6d2140c3a5c20d5c2d6600f3655df437b99b09ae0f9daf1983190dc73385cc87f02508997bb696ac921eee43fccdf1dc210cc602938807bdb062ce1703

Download Submit