612daa13770e7ca0f61b173c4a2c9790f7cd8b109bb886f80cb257dfce623451

Analysis

max time kernel
119s
max time network
21s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
22/07/2024, 10:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

985d6ab0e9e57850cf7ed9f331ae36a0N.exe
Size

539KB
MD5

985d6ab0e9e57850cf7ed9f331ae36a0
SHA1

9dcbb36de4f8a99a7ffca73240dedea6ee33fac9
SHA256

612daa13770e7ca0f61b173c4a2c9790f7cd8b109bb886f80cb257dfce623451
SHA512

803fe1087e1dae4aa4919f3cf7d8f14e69c2d8fb9210600f98151d3a6ccf866bcc459eb8d33ff8922dfa78ca63d89aaf0ca5c1bc23735b4fc518d61e6845e4a9
SSDEEP

6144:NYkLWCTxDrF98Oh8P7AEL8IhoM8InI5SQ8R5NTope6S2DtL9xG9QTKhDxfWqr6z1:NYIW0p98Oh8P7h8EJQ8z8eDe9mJxfWZT

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2280	3F13.tmp

Loads dropped DLL 1 IoCs

pid	Process
2368	985d6ab0e9e57850cf7ed9f331ae36a0N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2808	WINWORD.EXE

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2280	3F13.tmp

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2808	WINWORD.EXE
2808	WINWORD.EXE
2808	WINWORD.EXE
2808	WINWORD.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 2280	2368	985d6ab0e9e57850cf7ed9f331ae36a0N.exe	30
PID 2368 wrote to memory of 2280	2368	985d6ab0e9e57850cf7ed9f331ae36a0N.exe	30
PID 2368 wrote to memory of 2280	2368	985d6ab0e9e57850cf7ed9f331ae36a0N.exe	30
PID 2368 wrote to memory of 2280	2368	985d6ab0e9e57850cf7ed9f331ae36a0N.exe	30
PID 2280 wrote to memory of 2808	2280	3F13.tmp	31
PID 2280 wrote to memory of 2808	2280	3F13.tmp	31
PID 2280 wrote to memory of 2808	2280	3F13.tmp	31
PID 2280 wrote to memory of 2808	2280	3F13.tmp	31

C:\Users\Admin\AppData\Local\Temp\985d6ab0e9e57850cf7ed9f331ae36a0N.exe
"C:\Users\Admin\AppData\Local\Temp\985d6ab0e9e57850cf7ed9f331ae36a0N.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Users\Admin\AppData\Local\Temp\3F13.tmp
  "C:\Users\Admin\AppData\Local\Temp\3F13.tmp" --pingC:\Users\Admin\AppData\Local\Temp\985d6ab0e9e57850cf7ed9f331ae36a0N.exe 292C500829E567148921DCD8ED229A58A4D022143EF8952DD3E34A5AD76F857E5E720AB75C9482A532903B915C4092EFDC8BA4778C4DE3680DAC21BDC83C5522
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2280
- - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\985d6ab0e9e57850cf7ed9f331ae36a0N.docx"
    3⤵
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\985d6ab0e9e57850cf7ed9f331ae36a0N.docx

Filesize
21KB

MD5
7079891932a64f097abafd233055a1e9

SHA1
246d95feafe67689d49a5a4cadba18d3ac1914e5

SHA256
c97189b50e5e92be09966d4732b6d61a2e435b2935d60c09989e555ae442e7a1

SHA512
6e9ee6427d7cc2474dc634b088cf3f35d06dfb734d2b63fbbc794f4083b4b5754379daff4804bf5024b1b430aa5e50fa6d839d3473ceeed3043d373c85e9862a

Download Submit
\Users\Admin\AppData\Local\Temp\3F13.tmp

Filesize
539KB

MD5
97f4047d20a637bc6be040b914050d94

SHA1
a962b5eb11280fb94f3c4c22f61682247247ab39

SHA256
58f60746d9a49b8591d9e7319a46c6116bf495a6de94390c673c6b8ae554c11e

SHA512
6e63834362da26d2773e46ed593d3ea8b5cc0bb97397bcc6bcb50be6d379e3b3774a786f75cf3bcbf3ff8fdf5061664c3c5ac21e45b493f0d1f954e1104cec2d

Download Submit
memory/2808-7-0x000000002F661000-0x000000002F662000-memory.dmp

Filesize
4KB

Download
memory/2808-8-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2808-9-0x000000007106D000-0x0000000071078000-memory.dmp

Filesize
44KB

Download
memory/2808-12-0x000000007106D000-0x0000000071078000-memory.dmp

Filesize
44KB

Download