72c10bc622ab99c86aec31e8b16999fd865000591f2f6b6d68059e0126399f14

Analysis

max time kernel
16s
max time network
16s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
21/11/2024, 09:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

72c10bc622ab99c86aec31e8b16999fd865000591f2f6b6d68059e0126399f14.exe
Size

17KB
MD5

a757131a25d9a2734e84b0568f0bc8b3
SHA1

85ab9eb383102af3b9ff38621586db156d542afb
SHA256

72c10bc622ab99c86aec31e8b16999fd865000591f2f6b6d68059e0126399f14
SHA512

0f5394de9d204b612a8773169bb605a3a1be62201d0543e58baa894d97771bc2cacb778fb9281980d1812b034ac33e4f9e740f09aac6fb0545f70b407b848ef3
SSDEEP

384:QLEVpNydaLiVSihPLTVmf4Dfl7mDEH2nRmA1B/jXRMQcyv:OEVpN92zC48EH2nRPmTyv

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
668	timeout.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1820 wrote to memory of 2588	1820	72c10bc622ab99c86aec31e8b16999fd865000591f2f6b6d68059e0126399f14.exe	28
PID 1820 wrote to memory of 2588	1820	72c10bc622ab99c86aec31e8b16999fd865000591f2f6b6d68059e0126399f14.exe	28
PID 1820 wrote to memory of 2588	1820	72c10bc622ab99c86aec31e8b16999fd865000591f2f6b6d68059e0126399f14.exe	28
PID 2588 wrote to memory of 2436	2588	cmd.exe	30
PID 2588 wrote to memory of 2436	2588	cmd.exe	30
PID 2588 wrote to memory of 2436	2588	cmd.exe	30
PID 2588 wrote to memory of 668	2588	cmd.exe	31
PID 2588 wrote to memory of 668	2588	cmd.exe	31
PID 2588 wrote to memory of 668	2588	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\72c10bc622ab99c86aec31e8b16999fd865000591f2f6b6d68059e0126399f14.exe
"C:\Users\Admin\AppData\Local\Temp\72c10bc622ab99c86aec31e8b16999fd865000591f2f6b6d68059e0126399f14.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\cmd.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\Windows\system32\mode.com
    mode con lines=30 cols=50
    3⤵
    PID:2436
- - C:\Windows\system32\timeout.exe
    Timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cmd.bat

Filesize
1KB

MD5
79355e432cf209a749701dba1ed10a30

SHA1
cb3285b75803545f0a8f2d58d60d9dd7f41a424f

SHA256
ea114527cd19aa26226914b78bc053d27738b9c9c81eb74403572c1e9e086b11

SHA512
c245386293f55be1c90bc21ed16a55a9b95d5a93f90bc3fda2a7b7df2278f0b4884e2dc0569db74705ca27b78bc8aefdd02d9a8b5affd28509734c9987311406

Download Submit
memory/1820-0-0x000007FEF64A3000-0x000007FEF64A4000-memory.dmp

Filesize
4KB

Download
memory/1820-1-0x00000000000E0000-0x00000000000EA000-memory.dmp

Filesize
40KB

Download