171de8e3a4ec581371697e2bfe7f1eb49f3eb9331f054bf57a76e402793b714c

Analysis

max time kernel
150s
max time network
156s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
08/07/2023, 09:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

640d8f42bc765cexeexeexeex.exe
Size

49KB
MD5

640d8f42bc765cbb6310f8565273489d
SHA1

3dd582f3d247677a084cb8f65a27427a1c330808
SHA256

171de8e3a4ec581371697e2bfe7f1eb49f3eb9331f054bf57a76e402793b714c
SHA512

2fdfd7ff4c7063d870258597b372b612d5ab93a912d88d76ce8dd9886cab92eef55b482ffbb27e760dd3c9c06b80d3eb0a916df5161050068f4c5bfdfc48e5cb
SSDEEP

768:zQz7yVEhs9+syJP6ntOOtEvwDpjFelaB7q4:zj+soPSMOtEvwDpj4kT

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2388	misid.exe

Loads dropped DLL 1 IoCs

pid	Process
296	640d8f42bc765cexeexeexeex.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000c000000012259-63.dat	upx
behavioral1/memory/296-67-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/files/0x000c000000012259-66.dat	upx
behavioral1/files/0x000c000000012259-75.dat	upx
behavioral1/memory/2388-76-0x0000000000500000-0x0000000000510000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 296 wrote to memory of 2388	296	640d8f42bc765cexeexeexeex.exe	28
PID 296 wrote to memory of 2388	296	640d8f42bc765cexeexeexeex.exe	28
PID 296 wrote to memory of 2388	296	640d8f42bc765cexeexeexeex.exe	28
PID 296 wrote to memory of 2388	296	640d8f42bc765cexeexeexeex.exe	28

C:\Users\Admin\AppData\Local\Temp\640d8f42bc765cexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\640d8f42bc765cexeexeexeex.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:296
- C:\Users\Admin\AppData\Local\Temp\misid.exe
  "C:\Users\Admin\AppData\Local\Temp\misid.exe"
  2⤵
  - Executes dropped EXE
  PID:2388

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
49KB

MD5
7ead81e56719a873231a6dfaf8637297

SHA1
e10971a44384aca950659136496085ee69b9982b

SHA256
c4bfa33cf4aefc569738933686105907203869c5d6a2c98e2669025e5c813e7e

SHA512
18c82b27993b237cbb06ac6d677fefd1d7b30b9d08c9d2edc8f6926ff67864f236d89243e4f528eb23754dfdf6b668598f0ffa3476931c58a1c4d7bc87d732e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
49KB

MD5
7ead81e56719a873231a6dfaf8637297

SHA1
e10971a44384aca950659136496085ee69b9982b

SHA256
c4bfa33cf4aefc569738933686105907203869c5d6a2c98e2669025e5c813e7e

SHA512
18c82b27993b237cbb06ac6d677fefd1d7b30b9d08c9d2edc8f6926ff67864f236d89243e4f528eb23754dfdf6b668598f0ffa3476931c58a1c4d7bc87d732e7

Download Submit
\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
49KB

MD5
7ead81e56719a873231a6dfaf8637297

SHA1
e10971a44384aca950659136496085ee69b9982b

SHA256
c4bfa33cf4aefc569738933686105907203869c5d6a2c98e2669025e5c813e7e

SHA512
18c82b27993b237cbb06ac6d677fefd1d7b30b9d08c9d2edc8f6926ff67864f236d89243e4f528eb23754dfdf6b668598f0ffa3476931c58a1c4d7bc87d732e7

Download Submit
memory/296-54-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download
memory/296-55-0x0000000000370000-0x0000000000376000-memory.dmp

Filesize
24KB

Download
memory/296-67-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2388-69-0x0000000000470000-0x0000000000476000-memory.dmp

Filesize
24KB

Download
memory/2388-76-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download