4e0ddcd303f27c01dcc8a35a9bd821c53fb7dcca474ac7f0c84d3c6451e9f778

Resubmissions

07/07/2023, 09:59

230707-lz275sgc54 10

Analysis

max time kernel
4s
max time network
33s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
07/07/2023, 09:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14052163e50c197697c64b1431b42271.exe
Size

17.6MB
MD5

14052163e50c197697c64b1431b42271
SHA1

df301332faa73c3d5f915fde61df2fc9de21a61a
SHA256

4e0ddcd303f27c01dcc8a35a9bd821c53fb7dcca474ac7f0c84d3c6451e9f778
SHA512

124f6fb9812fe56fc9428a53206e67ada7a5221bbac08204c52fc9df970a492f133ac3911b1cfd2a76c58b8921580f58b2f8d32db7395442549bdfefafc3bfab
SSDEEP

393216:LOh37DR+wwmOoDxRz016TCORfagi8boLH6fQmQa9T1AE0Grq:g/FRxRzlRfPeLajLlg

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2900	EmbraTor Mac Smash Bullet.exe

Loads dropped DLL 2 IoCs

pid	Process
1644	14052163e50c197697c64b1431b42271.exe
1644	14052163e50c197697c64b1431b42271.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1644 wrote to memory of 2296	1644	14052163e50c197697c64b1431b42271.exe	28
PID 1644 wrote to memory of 2296	1644	14052163e50c197697c64b1431b42271.exe	28
PID 1644 wrote to memory of 2296	1644	14052163e50c197697c64b1431b42271.exe	28
PID 1644 wrote to memory of 2296	1644	14052163e50c197697c64b1431b42271.exe	28
PID 1644 wrote to memory of 2340	1644	14052163e50c197697c64b1431b42271.exe	29
PID 1644 wrote to memory of 2340	1644	14052163e50c197697c64b1431b42271.exe	29
PID 1644 wrote to memory of 2340	1644	14052163e50c197697c64b1431b42271.exe	29
PID 1644 wrote to memory of 2340	1644	14052163e50c197697c64b1431b42271.exe	29
PID 1644 wrote to memory of 108	1644	14052163e50c197697c64b1431b42271.exe	30
PID 1644 wrote to memory of 108	1644	14052163e50c197697c64b1431b42271.exe	30
PID 1644 wrote to memory of 108	1644	14052163e50c197697c64b1431b42271.exe	30
PID 1644 wrote to memory of 108	1644	14052163e50c197697c64b1431b42271.exe	30
PID 1644 wrote to memory of 1704	1644	14052163e50c197697c64b1431b42271.exe	31
PID 1644 wrote to memory of 1704	1644	14052163e50c197697c64b1431b42271.exe	31
PID 1644 wrote to memory of 1704	1644	14052163e50c197697c64b1431b42271.exe	31
PID 1644 wrote to memory of 1704	1644	14052163e50c197697c64b1431b42271.exe	31
PID 108 wrote to memory of 2916	108	WScript.exe	33
PID 108 wrote to memory of 2916	108	WScript.exe	33
PID 108 wrote to memory of 2916	108	WScript.exe	33
PID 108 wrote to memory of 2916	108	WScript.exe	33
PID 1644 wrote to memory of 2900	1644	14052163e50c197697c64b1431b42271.exe	34
PID 1644 wrote to memory of 2900	1644	14052163e50c197697c64b1431b42271.exe	34
PID 1644 wrote to memory of 2900	1644	14052163e50c197697c64b1431b42271.exe	34
PID 1644 wrote to memory of 2900	1644	14052163e50c197697c64b1431b42271.exe	34

C:\Users\Admin\AppData\Local\Temp\14052163e50c197697c64b1431b42271.exe
"C:\Users\Admin\AppData\Local\Temp\14052163e50c197697c64b1431b42271.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Antimalware Service Executable.JS"
  2⤵
  PID:2296
- - C:\Windows\SysWOW64\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Antimalware Service Executable.JS"
    3⤵
    PID:1752
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\MsMpEng.js"
  2⤵
  PID:2340
- - C:\Users\Admin\AppData\Local\Temp\x.exe
    "C:\Users\Admin\AppData\Local\Temp\x.exe"
    3⤵
    PID:2864
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:108
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\ProgramData\rrrrrrrr.ps1"
    3⤵
    PID:2916
- C:\Program Files\Java\jre7\bin\javaw.exe
  "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\Java Install.jar"
  2⤵
  PID:1704
- C:\Users\Admin\AppData\Local\Temp\EmbraTor Mac Smash Bullet.exe
  "C:\Users\Admin\AppData\Local\Temp\EmbraTor Mac Smash Bullet.exe"
  2⤵
  - Executes dropped EXE
  PID:2900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Antimalware Service Executable.JS

Filesize
713KB

MD5
c958a31d5e439d5b0d01900e5a85992a

SHA1
fc40d0ef637fe55fbaf83e8f4891e008ac736df6

SHA256
e3a33757c2e596f7ee50a4a41ff58f2e64dbdb062257fe5749ca19b955b0baaf

SHA512
2aa0c813b7c17b01e1c18a3a12fb4f3c8ba9c9fee79a3ed66421959fd0440571e0cba5e90569970655342ce2730e823feae23ef6c5da09248f3da68fc0f3cf1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\EmbraTor Mac Smash Bullet.exe

Filesize
1012KB

MD5
5d57e6b8aff1ec900f553789f6796648

SHA1
f9a953cfe6decb237ed98c30faabec8654d99171

SHA256
3863d2cab19dba2988e33810d9235e0f04aee019b696e4fdf4cf637b3072b19d

SHA512
d66a6a97c5b3bb23df2b549af8dd6e2c201d0cdb08a2a4026bfbf831652ba5c8f133beba13f64426f1bdaf6cca83c4e54de8099ea0e02ac7a6c91f35d68f4915

Download Submit
C:\Users\Admin\AppData\Local\Temp\EmbraTor Mac Smash Bullet.exe

Filesize
1012KB

MD5
5d57e6b8aff1ec900f553789f6796648

SHA1
f9a953cfe6decb237ed98c30faabec8654d99171

SHA256
3863d2cab19dba2988e33810d9235e0f04aee019b696e4fdf4cf637b3072b19d

SHA512
d66a6a97c5b3bb23df2b549af8dd6e2c201d0cdb08a2a4026bfbf831652ba5c8f133beba13f64426f1bdaf6cca83c4e54de8099ea0e02ac7a6c91f35d68f4915

Download Submit
C:\Users\Admin\AppData\Local\Temp\Java Install.jar

Filesize
92KB

MD5
c55f9247eb8ea19af96292f0893f86b5

SHA1
bd5e6884b8151114af7e45a92525893f4d2aaabd

SHA256
16ed7004aa68efab0eda75b3f9bff11508365a4224ef859c91f93029bc441284

SHA512
3efab4ee9e3c9d81efd4e2f164c0a2ae72f688cbd0068cc44a063bf4787ba65b8d2a644ac2f7704fbd059d0ba96665aeff46c2bfba820fb42df06eea7e87ccdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\MsMpEng.js

Filesize
24.2MB

MD5
690d57b0d8670391bad0876cae078bab

SHA1
32bea01d606128c606b71e19920099c6cb15030f

SHA256
b27dd5407a22c8df93090fbc1a3eb93c6461f4a279cfabd87b4b21e246bda458

SHA512
dd113765cd5cfeb99a98775c3c8e265463fca7863ffa519dcb7175312bbbeb4ea24ca45b4cef0320b430d413c020970346f4db671e0730e9e044cd2585f71fd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.vbs

Filesize
984B

MD5
df00d1e54f85ae90f2f69b73a34c90f4

SHA1
1d3e521a8efc17334f4f578432d5af0bb1ef1951

SHA256
2c5907389d374ed9efb86194a7f0f954349c93a7bc67b99c3d6b59bfc0d8296c

SHA512
5636973f61dd7cce413049f246b5ede00c736f4ac333508a2176b65524327080e17ac97260cbe908fc2d0b18235ee6d7f7a74c808a7ceaddb9ee6518452fa618

Download Submit
C:\Users\Admin\AppData\Local\Temp\x.exe

Filesize
18.1MB

MD5
efcd72ad2d3430248a68e5f960ed5e2b

SHA1
58cc7d2732f401b99926211c0dab319dfc0bba1a

SHA256
41686ad9f581037f44b72b37f8bee562512854fc6807c5a13ea1646cdeab61c8

SHA512
d50dd3628e0ed5b6040545e1a1836ffcdde30c4748b220efb7df29aa139b22b814d2466d6808c8dc3af765b9ce8092582720f69187a6562eefd6fca4cb9670e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\x.exe

Filesize
11.6MB

MD5
27908e48f442ddb940ad285766adc34d

SHA1
219ddd28da9b0a703afd05a7255a4d6117776996

SHA256
6fc4a049fe41ac92cd4cb83c635893b95ab95625bb02f3010ebe07a50dbf6ccf

SHA512
47a4709810b88f6c3a37e8f03111e65c35f12e38b1bc09fbfc324752c7bc4bdb1bafee46cabea7e1ab0421ef3da2c64987a30ff5499a0297fdb1b9f587571f6a

Download Submit
C:\Users\Admin\AppData\Roaming\Antimalware Service Executable.JS

Filesize
713KB

MD5
c958a31d5e439d5b0d01900e5a85992a

SHA1
fc40d0ef637fe55fbaf83e8f4891e008ac736df6

SHA256
e3a33757c2e596f7ee50a4a41ff58f2e64dbdb062257fe5749ca19b955b0baaf

SHA512
2aa0c813b7c17b01e1c18a3a12fb4f3c8ba9c9fee79a3ed66421959fd0440571e0cba5e90569970655342ce2730e823feae23ef6c5da09248f3da68fc0f3cf1c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Antimalware Service Executable.JS

Filesize
713KB

MD5
c958a31d5e439d5b0d01900e5a85992a

SHA1
fc40d0ef637fe55fbaf83e8f4891e008ac736df6

SHA256
e3a33757c2e596f7ee50a4a41ff58f2e64dbdb062257fe5749ca19b955b0baaf

SHA512
2aa0c813b7c17b01e1c18a3a12fb4f3c8ba9c9fee79a3ed66421959fd0440571e0cba5e90569970655342ce2730e823feae23ef6c5da09248f3da68fc0f3cf1c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Antimalware Service Executable.JS

Filesize
713KB

MD5
c958a31d5e439d5b0d01900e5a85992a

SHA1
fc40d0ef637fe55fbaf83e8f4891e008ac736df6

SHA256
e3a33757c2e596f7ee50a4a41ff58f2e64dbdb062257fe5749ca19b955b0baaf

SHA512
2aa0c813b7c17b01e1c18a3a12fb4f3c8ba9c9fee79a3ed66421959fd0440571e0cba5e90569970655342ce2730e823feae23ef6c5da09248f3da68fc0f3cf1c

Download Submit
\Users\Admin\AppData\Local\Temp\EmbraTor Mac Smash Bullet.exe

Filesize
1012KB

MD5
5d57e6b8aff1ec900f553789f6796648

SHA1
f9a953cfe6decb237ed98c30faabec8654d99171

SHA256
3863d2cab19dba2988e33810d9235e0f04aee019b696e4fdf4cf637b3072b19d

SHA512
d66a6a97c5b3bb23df2b549af8dd6e2c201d0cdb08a2a4026bfbf831652ba5c8f133beba13f64426f1bdaf6cca83c4e54de8099ea0e02ac7a6c91f35d68f4915

Download Submit
\Users\Admin\AppData\Local\Temp\EmbraTor Mac Smash Bullet.exe

Filesize
1012KB

MD5
5d57e6b8aff1ec900f553789f6796648

SHA1
f9a953cfe6decb237ed98c30faabec8654d99171

SHA256
3863d2cab19dba2988e33810d9235e0f04aee019b696e4fdf4cf637b3072b19d

SHA512
d66a6a97c5b3bb23df2b549af8dd6e2c201d0cdb08a2a4026bfbf831652ba5c8f133beba13f64426f1bdaf6cca83c4e54de8099ea0e02ac7a6c91f35d68f4915

Download Submit
\Users\Admin\AppData\Local\Temp\x.exe

Filesize
18.1MB

MD5
efcd72ad2d3430248a68e5f960ed5e2b

SHA1
58cc7d2732f401b99926211c0dab319dfc0bba1a

SHA256
41686ad9f581037f44b72b37f8bee562512854fc6807c5a13ea1646cdeab61c8

SHA512
d50dd3628e0ed5b6040545e1a1836ffcdde30c4748b220efb7df29aa139b22b814d2466d6808c8dc3af765b9ce8092582720f69187a6562eefd6fca4cb9670e5

Download Submit
memory/1704-101-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2916-86-0x0000000002750000-0x0000000002790000-memory.dmp

Filesize
256KB

Download
memory/2916-96-0x0000000002750000-0x0000000002790000-memory.dmp

Filesize
256KB

Download