486b43592b175081fe3ca5e1bad2be4338285bffaf3d3c4a496b8aa87ae81d62

Analysis

max time kernel
134s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
13/06/2023, 19:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CloudDeviceATDLss.exe
Size

683KB
MD5

4e41ef79db3a3e90c60cff647c69a920
SHA1

61f01719de0c0fdbbcb0583d51ccf1559ccb0aa8
SHA256

486b43592b175081fe3ca5e1bad2be4338285bffaf3d3c4a496b8aa87ae81d62
SHA512

3c4caea7fe4654ae6b807e73511e2674374039e9f3d604d1ab7c58e1546efd6da5cce3bd14326e298af6fbfb273a5aaa9fa1335d22c8d806866ac16c9c1aaa6e
SSDEEP

6144:ktZEjNbRVNV6wdq5jE1p8S8kYadmkE8Xr4gp0iptw3NnbtB+8Xr4gp0i8tw3cnd:JDLdzXkgCwti3bXkgCVtr

Score

1^/10

Malware Config

Signatures

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1880	dw20.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 2024	2032	CloudDeviceATDLss.exe	28
PID 2032 wrote to memory of 2024	2032	CloudDeviceATDLss.exe	28
PID 2032 wrote to memory of 2024	2032	CloudDeviceATDLss.exe	28
PID 2032 wrote to memory of 2024	2032	CloudDeviceATDLss.exe	28
PID 2024 wrote to memory of 1452	2024	csc.exe	30
PID 2024 wrote to memory of 1452	2024	csc.exe	30
PID 2024 wrote to memory of 1452	2024	csc.exe	30
PID 2024 wrote to memory of 1452	2024	csc.exe	30
PID 2032 wrote to memory of 472	2032	CloudDeviceATDLss.exe	31
PID 2032 wrote to memory of 472	2032	CloudDeviceATDLss.exe	31
PID 2032 wrote to memory of 472	2032	CloudDeviceATDLss.exe	31
PID 2032 wrote to memory of 472	2032	CloudDeviceATDLss.exe	31
PID 472 wrote to memory of 840	472	csc.exe	33
PID 472 wrote to memory of 840	472	csc.exe	33
PID 472 wrote to memory of 840	472	csc.exe	33
PID 472 wrote to memory of 840	472	csc.exe	33
PID 2032 wrote to memory of 1880	2032	CloudDeviceATDLss.exe	34
PID 2032 wrote to memory of 1880	2032	CloudDeviceATDLss.exe	34
PID 2032 wrote to memory of 1880	2032	CloudDeviceATDLss.exe	34
PID 2032 wrote to memory of 1880	2032	CloudDeviceATDLss.exe	34

C:\Users\Admin\AppData\Local\Temp\CloudDeviceATDLss.exe
"C:\Users\Admin\AppData\Local\Temp\CloudDeviceATDLss.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jy-gvwtz.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES466.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC465.tmp"
    3⤵
    PID:1452
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\teycnms2.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:472
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES88B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC88A.tmp"
    3⤵
    PID:840
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
  dw20.exe -x -s 816
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1880

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES466.tmp

Filesize
1KB

MD5
45eb7ffc80c6e7d1cccf6fae1028e262

SHA1
b152dfee41f0cc2880a9d88eb6622333ffbd118a

SHA256
140785366168f13f96f1fe456f311b07e92d6ed1812369dbb9fda3fdfe8c5700

SHA512
dd2fd68a94c65f3c71bcc209bf8da3e21726b817c030485a13ef799a44c63fe0d418c81493ed20005f26a835c0533f2b13fa2e0608760873100ba49cecea28c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES88B.tmp

Filesize
1KB

MD5
eeef9fdf13cf586e18ec83457aed954c

SHA1
21eba599df4b46bb24ef3f7a5c5e350888438e5b

SHA256
7606a01c98dfe2b28b6f74829eee9724e8a23f71cd105f818f9a33692b6581d6

SHA512
15b8f1edc79c28f64fc05a3c7fd020cbc306c5c9b14fddd55faa44b633d638ac1a03810e74495a2f3a01034b5ac00fde5bfe4be56f4923db2cdaec3cba1402b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\jy-gvwtz.dll

Filesize
576KB

MD5
33aa0645bee08c4d494bd3c26c888a59

SHA1
8c13d2d19e10430f3813e02fa0766d7727a5bf10

SHA256
066b9af08692e32fe3120cfaba712eabb6bf44d825d17b2312fe49f7ab9ad305

SHA512
c07dae13647e7a2d56711a1d28007e543d51b3069f0ff19877337044f37b11e1cbf32b0463dc5ac8ed46b74f71f104eaa7213a08816c0e66907a5687da21211d

Download Submit
C:\Users\Admin\AppData\Local\Temp\teycnms2.dll

Filesize
88KB

MD5
2ed0abdf977ed4c4529f004faf9e9981

SHA1
ee5b2a73844fbc5e7486226c589be3727d6d2307

SHA256
8e310e5a01d5c54d93a7f6ab3ae49bcec69ac8d051c7dbe7b4b0d70ec516cbba

SHA512
a0fc93e45285d457a52509794dd6f81e2bad4601e9dfa9e98e6dbb7211318fdc4038e2d1965e0268f4829e480ff1453fc6a1c6abb520a5c9a1b23d95d78f34ef

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC465.tmp

Filesize
652B

MD5
4cfbca653f64decd54b43f23c2160eb5

SHA1
a1eb6c9239f95d2cbb6ea9ce04ff086fa37f4eaa

SHA256
c7ecfa2f20fc11752c5c438b10a984c9cb22e3ec1f18623bcd6feda8753a297b

SHA512
690740e799bedef3b58ae6b30f298aae288abf0a62533648d39ab61efb19e0e2d2459e2fed0dad18c0f880ffb6ece0b0b830223792c52a18a90d0f97bacfb218

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC88A.tmp

Filesize
652B

MD5
dfd4dcbc6ee27d9aaf0c36cce56abdbe

SHA1
01a8c6e08e023efc289644452015c7b505493578

SHA256
d39d60039c8e2c1800798420e11d2203f2c6532c1c7c12e90571bbae844f2c69

SHA512
98c6ad932eeddceb60fbb7002fdd8dad9e15c481fdbf0d5db9911a58d81a564bacf512b04702f1d41a4d93031ae6c7e4a7366745a7b1087e8ca67a93277accd3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jy-gvwtz.0.cs

Filesize
1.3MB

MD5
2333951c6abeb2e72488422e878af6c9

SHA1
00a7d8be0f9faed35922eb6b11c7e4c90727fdc6

SHA256
1005292695d2f6abc8d2afc8c0bed9f5183b433e1eab2646dd666920e0692462

SHA512
20a5300fe02f2963cf863a5ad4beba6d1e7201c53fd0d39351dbae01bdd0d30a64694ca82b8f64e4192e72cdfd02875afa87bbc44a474b28b3feb5d25be51eac

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jy-gvwtz.cmdline

Filesize
676B

MD5
fabf522c2b6e3bb01540216ec71755b6

SHA1
b41a288c87909bbc3648dc8987afbda0699368b0

SHA256
5aa448a81650001fe90bbe42b36d436ee48803e78da253b34ce85ca7ba57f3df

SHA512
937412757966753b51428a6407c998ec5991de207b1ddbd4765d82449510e7725c91321a4ca80a3205fc6481c769e265be1d86d7dfb59c5a4230ee11bafd9f1f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\teycnms2.0.cs

Filesize
164KB

MD5
107d41022309883ad1ce3b7576464197

SHA1
82cd3c19ff798d2c23afbf4eb4b862595b522822

SHA256
a6e68ab3dbdfe89a6cbd4ded8132ebdd6cf8af8e514ba09547880b9d336bd50d

SHA512
bbe510fd5ebc29a01a7e3863f1211cf3ce3aff2abe1e323e501c8f2dcf717ea5ca9726ea483b2b43ebad9b451cf96b2f03530fdade5b0193735997027aad063d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\teycnms2.cmdline

Filesize
676B

MD5
68aef6d3765233322067eae210111fc6

SHA1
30c1c0cc02055bc96c5fe9f7a98d4bf6a49461a6

SHA256
a2126630199c58a4bb0e89e6727a429066eacaf9883a40819009f4ec47a21f10

SHA512
7ad73446f2307caef4a59556168b5fbeddd280c97516c9378fb65f707d42942dc20d1f7142e689cc51ce52093bef0b03df6a63d7e6d9656d4cf5c39a4159ae73

Download Submit
memory/1880-82-0x0000000001DA0000-0x0000000001DA1000-memory.dmp

Filesize
4KB

Download
memory/2032-54-0x0000000001F30000-0x0000000001F70000-memory.dmp

Filesize
256KB

Download
memory/2032-81-0x0000000001F30000-0x0000000001F70000-memory.dmp

Filesize
256KB

Download
memory/2032-83-0x0000000001F30000-0x0000000001F70000-memory.dmp

Filesize
256KB

Download
memory/2032-84-0x0000000001F30000-0x0000000001F70000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads