7417c092b97809415e22e0956a66956b508dad8c42c49c627c4f4e777f8dbc50

Analysis

max time kernel
118s
max time network
127s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 04:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f175dac5c8571e586722f6927b0112af22637a17efb3acfd78e813a804a38f8.exe
Size

386KB
MD5

f9bb6ef02f29f52ff126279ff7d044bb
SHA1

5b68f1745d92d32a1e64ef3ace6640c5fbfeb254
SHA256

2f175dac5c8571e586722f6927b0112af22637a17efb3acfd78e813a804a38f8
SHA512

86a6c71dca30b5a6dc54cdc262318bbae1f16ba5f3e701d6d84adf8ddda265d178ddf7b72753e491a46d4fe043c2b7f9919f1be25a6f4fa0bc72ad193b0ca153
SSDEEP

3072:H1sSJApTSnQU/x0ImhuDzHfs4zbYOjujDRfygDgKQINXLLHIaKlay8weCycJ5DfS:H1sSmRIt/xhtsOju1DH5NXnIKAc

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

Svchost.exeSystem32.exe

pid process

2848 Svchost.exe
1812 System32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2848	Svchost.exe
1812	System32.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

2f175dac5c8571e586722f6927b0112af22637a17efb3acfd78e813a804a38f8.exeSystem32.exe

description	pid	process	target process
PID 2332 wrote to memory of 2848	2332	2f175dac5c8571e586722f6927b0112af22637a17efb3acfd78e813a804a38f8.exe	Svchost.exe
PID 2332 wrote to memory of 2848	2332	2f175dac5c8571e586722f6927b0112af22637a17efb3acfd78e813a804a38f8.exe	Svchost.exe
PID 2332 wrote to memory of 2848	2332	2f175dac5c8571e586722f6927b0112af22637a17efb3acfd78e813a804a38f8.exe	Svchost.exe
PID 2332 wrote to memory of 1812	2332	2f175dac5c8571e586722f6927b0112af22637a17efb3acfd78e813a804a38f8.exe	System32.exe
PID 2332 wrote to memory of 1812	2332	2f175dac5c8571e586722f6927b0112af22637a17efb3acfd78e813a804a38f8.exe	System32.exe
PID 2332 wrote to memory of 1812	2332	2f175dac5c8571e586722f6927b0112af22637a17efb3acfd78e813a804a38f8.exe	System32.exe
PID 1812 wrote to memory of 2616	1812	System32.exe	WerFault.exe
PID 1812 wrote to memory of 2616	1812	System32.exe	WerFault.exe
PID 1812 wrote to memory of 2616	1812	System32.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\2f175dac5c8571e586722f6927b0112af22637a17efb3acfd78e813a804a38f8.exe
"C:\Users\Admin\AppData\Local\Temp\2f175dac5c8571e586722f6927b0112af22637a17efb3acfd78e813a804a38f8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2332

C:\ProgramData\Svchost.exe
"C:\ProgramData\Svchost.exe"
2⤵
- Executes dropped EXE
PID:2848

C:\ProgramData\System32.exe
"C:\ProgramData\System32.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1812

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1812 -s 520
3⤵
PID:2616

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft.Win32.TaskScheduler.dll
Filesize
326KB

MD5
a844ac745a4005fbd3f51d79ff88583c

SHA1
92671774fd4be9781a77d2788a8dddbf8981ead5

SHA256
74fe1a6a1e36be7d893e31bbb4d4bd83bf4b927e715276cd5607982139818ebd

SHA512
5f0734058d9146ffeb552abf443df5097cf134a4737bed499467830e08d97f5d1996c1f1647c5c12289ca4d4209effd480010afebc59d50290d4ca7d45bb41f8

Download Submit
C:\ProgramData\Svchost.exe
Filesize
330KB

MD5
bdd3d30ea4bc94d1240ea75f1aa212eb

SHA1
f994ffb94690263047c5227cc8b65d3ab3345ba7

SHA256
00b7a0f1b18c5dd1f4d469a8c6997198fd7f471e94d6a6ba70d79fd165f44888

SHA512
3a039b360581d7d2204dfff546d08b2a5ec36d78f9572730d9a707fe35925c8451d505fbb19f9c9d9861f3e5aea9ae4b52ae0031e109721d57f55a62b1b691b8

Download Submit
C:\ProgramData\System32.exe
Filesize
51KB

MD5
f52616c47b243f3373248ed2a5f49e1c

SHA1
d601cad06d6ccb0e52dabe8d34ae5f1cfd463000

SHA256
3b24abf5671a93c15eca052fd28555e561dfe625962b2dbe733d7f717467a3a8

SHA512
9435df5be1594667eaa988115b8d712abb0766e0e90330d2fa99ce76cfdc6272cb65a6c922278bb265c8e2127e755f5aadbfa2481ee009f105ff222d12f07cc0

Download Submit
memory/1812-16-0x00000000011A0000-0x00000000011B4000-memory.dmp

Filesize
80KB

Download
memory/1812-18-0x00000000002D0000-0x0000000000328000-memory.dmp

Filesize
352KB

Download
memory/2332-0-0x000007FEF5BA3000-0x000007FEF5BA4000-memory.dmp

Filesize
4KB

Download
memory/2332-1-0x00000000001D0000-0x0000000000236000-memory.dmp

Filesize
408KB

Download
memory/2332-20-0x000007FEF5BA3000-0x000007FEF5BA4000-memory.dmp

Filesize
4KB

Download
memory/2848-9-0x00000000009C0000-0x0000000000A18000-memory.dmp

Filesize
352KB

Download
memory/2848-19-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

Filesize
9.9MB

Download