cb3c3b83fe8214014bdd9ca1c20fdbe0e26c4a614aecfd61592fd70a25beda71

Analysis

max time kernel
26s
max time network
30s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
24/03/2023, 02:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3c797456ac72ba3d069a233613671b05.exe
Size

681KB
MD5

3c797456ac72ba3d069a233613671b05
SHA1

db2656862b760d7fae103a1fbbf456b7107b5f1c
SHA256

cb3c3b83fe8214014bdd9ca1c20fdbe0e26c4a614aecfd61592fd70a25beda71
SHA512

24471ab4dbb4dac2049be5fd8c8231a60a38496cbeeb58a703e8cf1f592ebba97e3f48f45de41dfcbb47b240b3a7904b1bed3b75dfb80321b286faa856866ef7
SSDEEP

12288:xOv5jKhsfoPA+yeVKUCUxP4C902bdRtJJPiO4ucUFIHQlUvW4drQp/m38t:xq5TfcdHj4fmbDUZQBY8t

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
876	cmd.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1632-61-0x00000000013B0000-0x0000000001532000-memory.dmp	upx
behavioral1/memory/1632-62-0x00000000013B0000-0x0000000001532000-memory.dmp	upx
behavioral1/memory/1632-63-0x00000000013B0000-0x0000000001532000-memory.dmp	upx
behavioral1/memory/1632-72-0x00000000013B0000-0x0000000001532000-memory.dmp	upx

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/1632-61-0x00000000013B0000-0x0000000001532000-memory.dmp	autoit_exe
behavioral1/memory/1632-62-0x00000000013B0000-0x0000000001532000-memory.dmp	autoit_exe
behavioral1/memory/1632-63-0x00000000013B0000-0x0000000001532000-memory.dmp	autoit_exe
behavioral1/memory/1632-72-0x00000000013B0000-0x0000000001532000-memory.dmp	autoit_exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1552	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1632	3c797456ac72ba3d069a233613671b05.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1632	3c797456ac72ba3d069a233613671b05.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 876	1632	3c797456ac72ba3d069a233613671b05.exe	29
PID 1632 wrote to memory of 876	1632	3c797456ac72ba3d069a233613671b05.exe	29
PID 1632 wrote to memory of 876	1632	3c797456ac72ba3d069a233613671b05.exe	29
PID 1632 wrote to memory of 876	1632	3c797456ac72ba3d069a233613671b05.exe	29
PID 876 wrote to memory of 1552	876	cmd.exe	31
PID 876 wrote to memory of 1552	876	cmd.exe	31
PID 876 wrote to memory of 1552	876	cmd.exe	31
PID 876 wrote to memory of 1552	876	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\3c797456ac72ba3d069a233613671b05.exe
"C:\Users\Admin\AppData\Local\Temp\3c797456ac72ba3d069a233613671b05.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\scratch.bat
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:876
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 0 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:1552

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\scratch.bat

Filesize
260B

MD5
d66ce32e8c1369c43eff6c5d30825770

SHA1
e71327e7cc7086bae5fc0f065c6e505fec5b7d2e

SHA256
08e35289cbcd304ba58ee1ddef62697a50651a176600b4c46a3f4ef297f4b9b7

SHA512
2b2e3e36f8f544dbae4b4c90cd755de6fc1a125834a11b3beeb7d0412a3a87ea0f94cc5170c543932523ccd1b8b2fe148d4086cad866d6bdcffb69c465e50f58

Download Submit
C:\Users\Admin\AppData\Local\Temp\scratch.bat

Filesize
260B

MD5
d66ce32e8c1369c43eff6c5d30825770

SHA1
e71327e7cc7086bae5fc0f065c6e505fec5b7d2e

SHA256
08e35289cbcd304ba58ee1ddef62697a50651a176600b4c46a3f4ef297f4b9b7

SHA512
2b2e3e36f8f544dbae4b4c90cd755de6fc1a125834a11b3beeb7d0412a3a87ea0f94cc5170c543932523ccd1b8b2fe148d4086cad866d6bdcffb69c465e50f58

Download Submit
memory/1632-61-0x00000000013B0000-0x0000000001532000-memory.dmp

Filesize
1.5MB

Download
memory/1632-62-0x00000000013B0000-0x0000000001532000-memory.dmp

Filesize
1.5MB

Download
memory/1632-63-0x00000000013B0000-0x0000000001532000-memory.dmp

Filesize
1.5MB

Download
memory/1632-72-0x00000000013B0000-0x0000000001532000-memory.dmp

Filesize
1.5MB

Download