Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
16-11-2024 14:13
Static task
static1
Behavioral task
behavioral1
Sample
e82fe9ce4fec710c6f02dc3ed738e5a88955d4d938957ec2b49119d5018ecb81.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
e82fe9ce4fec710c6f02dc3ed738e5a88955d4d938957ec2b49119d5018ecb81.exe
Resource
win10v2004-20241007-en
General
-
Target
e82fe9ce4fec710c6f02dc3ed738e5a88955d4d938957ec2b49119d5018ecb81.exe
-
Size
13.1MB
-
MD5
4fd34971f2551e33806360ba5ee86e5e
-
SHA1
a3f2fe7d770d45c0b98bdbdf3322614582e41d59
-
SHA256
e82fe9ce4fec710c6f02dc3ed738e5a88955d4d938957ec2b49119d5018ecb81
-
SHA512
1c01226cb0a061675a8af6db24dea570881bbd7a2d6c8e21aaf51884bf4b64a2011dcc881507fb0b0a0191f8dc180831833eb175f07d6fdee72ed11748183281
-
SSDEEP
393216:85CCDJlS/FyOUUGafnbRngsndGKLYHSJj:8oCytjGafSsdx4k
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2884 RuntimeBrokerVers.exe -
Loads dropped DLL 2 IoCs
pid Process 1964 e82fe9ce4fec710c6f02dc3ed738e5a88955d4d938957ec2b49119d5018ecb81.exe 2884 RuntimeBrokerVers.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1964 wrote to memory of 2884 1964 e82fe9ce4fec710c6f02dc3ed738e5a88955d4d938957ec2b49119d5018ecb81.exe 31 PID 1964 wrote to memory of 2884 1964 e82fe9ce4fec710c6f02dc3ed738e5a88955d4d938957ec2b49119d5018ecb81.exe 31 PID 1964 wrote to memory of 2884 1964 e82fe9ce4fec710c6f02dc3ed738e5a88955d4d938957ec2b49119d5018ecb81.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\e82fe9ce4fec710c6f02dc3ed738e5a88955d4d938957ec2b49119d5018ecb81.exe"C:\Users\Admin\AppData\Local\Temp\e82fe9ce4fec710c6f02dc3ed738e5a88955d4d938957ec2b49119d5018ecb81.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1964 -
C:\Users\Admin\AppData\Local\Temp\onefile_1964_133762400104214000\RuntimeBrokerVers.exe"C:\Users\Admin\AppData\Local\Temp\e82fe9ce4fec710c6f02dc3ed738e5a88955d4d938957ec2b49119d5018ecb81.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2884
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
23.1MB
MD5d71750b08d81d33e6bead1ceb707bc4f
SHA1ceb0fe13317e7ef87377d385e9cf869343958971
SHA2566d350fd6d807f267f5b615cf5937dabb99e5f30ed3b3310e1bf2aa2a34f93f8e
SHA5129cdc43bce53cc6b9a388b9fb50bf81db413432beb0b607d14942db6ceddceeb38cbeb9896916bf73a72e06731d16755f20a475523be63177996a3d9bcdd6fa0b
-
Filesize
5.5MB
MD55a5dd7cad8028097842b0afef45bfbcf
SHA1e247a2e460687c607253949c52ae2801ff35dc4a
SHA256a811c7516f531f1515d10743ae78004dd627eba0dc2d3bc0d2e033b2722043ce
SHA512e6268e4fad2ce3ef16b68298a57498e16f0262bf3531539ad013a66f72df471569f94c6fcc48154b7c3049a3ad15cbfcbb6345dacb4f4ed7d528c74d589c9858