83fd2015a5499a8c2703d91aa047d0f099b85e8aa5ef9f2643a4eda4144a8772

Analysis

max time kernel
150s
max time network
144s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
11/03/2025, 07:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

788cfdaeb7e97e9b24de3cb416d2f88a373d4813a0d362902731f54f519ad3ed.exe
Size

5.5MB
MD5

fed90d20541293b06aa1ca125820fbba
SHA1

f6ac6edc20889f0137717751b4465a4e08756d2e
SHA256

788cfdaeb7e97e9b24de3cb416d2f88a373d4813a0d362902731f54f519ad3ed
SHA512

f38a821acc321d5b6beafc9b26e5cf217d70a1da87874ee8cf868fa7b78b24f2a18e9b8f3ac9fe3f3c6db015af9396420239ffcf8ca7eb87c5e3d4905d156381
SSDEEP

98304:XB3nlxIFAEVkXSVzdIczGwFmChHwZE7/xy4:R3w+Sx7I4

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2632	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2948	788cfdaeb7e97e9b24de3cb416d2f88a373d4813a0d362902731f54f519ad3ed.exe
Token: SeDebugPrivilege	2632	Client.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2632	Client.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2632	Client.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2632	Client.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2948 wrote to memory of 2632	2948	788cfdaeb7e97e9b24de3cb416d2f88a373d4813a0d362902731f54f519ad3ed.exe	30
PID 2948 wrote to memory of 2632	2948	788cfdaeb7e97e9b24de3cb416d2f88a373d4813a0d362902731f54f519ad3ed.exe	30
PID 2948 wrote to memory of 2632	2948	788cfdaeb7e97e9b24de3cb416d2f88a373d4813a0d362902731f54f519ad3ed.exe	30

C:\Users\Admin\AppData\Local\Temp\788cfdaeb7e97e9b24de3cb416d2f88a373d4813a0d362902731f54f519ad3ed.exe
"C:\Users\Admin\AppData\Local\Temp\788cfdaeb7e97e9b24de3cb416d2f88a373d4813a0d362902731f54f519ad3ed.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2948
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
5.5MB

MD5
fed90d20541293b06aa1ca125820fbba

SHA1
f6ac6edc20889f0137717751b4465a4e08756d2e

SHA256
788cfdaeb7e97e9b24de3cb416d2f88a373d4813a0d362902731f54f519ad3ed

SHA512
f38a821acc321d5b6beafc9b26e5cf217d70a1da87874ee8cf868fa7b78b24f2a18e9b8f3ac9fe3f3c6db015af9396420239ffcf8ca7eb87c5e3d4905d156381

Download Submit
memory/2632-8-0x000007FEF66B0000-0x000007FEF709C000-memory.dmp

Filesize
9.9MB

Download
memory/2632-10-0x000007FEF66B0000-0x000007FEF709C000-memory.dmp

Filesize
9.9MB

Download
memory/2632-9-0x0000000000B60000-0x00000000010F2000-memory.dmp

Filesize
5.6MB

Download
memory/2632-12-0x000000001ACD0000-0x000000001ACEA000-memory.dmp

Filesize
104KB

Download
memory/2632-13-0x000007FEF66B0000-0x000007FEF709C000-memory.dmp

Filesize
9.9MB

Download
memory/2948-0-0x000007FEF66B3000-0x000007FEF66B4000-memory.dmp

Filesize
4KB

Download
memory/2948-1-0x00000000002C0000-0x0000000000852000-memory.dmp

Filesize
5.6MB

Download
memory/2948-2-0x000007FEF66B0000-0x000007FEF709C000-memory.dmp

Filesize
9.9MB

Download
memory/2948-11-0x000007FEF66B0000-0x000007FEF709C000-memory.dmp

Filesize
9.9MB

Download