b311e6b57eafe373df6dbcace9d3db1441db13fbfb379bc86d7237190ead6ea1

Analysis

max time kernel
148s
max time network
151s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
08/07/2023, 08:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5eccd69f44146bexeexeexeex.exe
Size

44KB
MD5

5eccd69f44146b262a564cd6e4d2c950
SHA1

6df549749296c325073c7fe9849f9e954a538d0a
SHA256

b311e6b57eafe373df6dbcace9d3db1441db13fbfb379bc86d7237190ead6ea1
SHA512

d802021aa7cb93ec963687dcf029a75014d8cb2aece1c063905117dd60fbcf4f13136ef9f16e90e5e22423174ababac9ca3690e11aa9e19a6edae149b674d099
SSDEEP

768:qUmnjFom/kLyMro2GtOOtEvwDpjeMLam5aFr7YOzzfm5oU3tuVCz:qUmnpomddpMOtEvwDpjjaYaFAh5Rz

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2372	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
2072	5eccd69f44146bexeexeexeex.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000e000000013a16-63.dat	upx
behavioral1/memory/2072-67-0x0000000000500000-0x000000000050F000-memory.dmp	upx
behavioral1/files/0x000e000000013a16-66.dat	upx
behavioral1/files/0x000e000000013a16-75.dat	upx
behavioral1/memory/2372-76-0x0000000000500000-0x000000000050F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 2372	2072	5eccd69f44146bexeexeexeex.exe	28
PID 2072 wrote to memory of 2372	2072	5eccd69f44146bexeexeexeex.exe	28
PID 2072 wrote to memory of 2372	2072	5eccd69f44146bexeexeexeex.exe	28
PID 2072 wrote to memory of 2372	2072	5eccd69f44146bexeexeexeex.exe	28

C:\Users\Admin\AppData\Local\Temp\5eccd69f44146bexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\5eccd69f44146bexeexeexeex.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:2372

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
44KB

MD5
3071fbf19824c1d5efd38e1ecf49aa87

SHA1
6b9cbb041da27fb7681d57dbcc8956dc9765efc8

SHA256
1df3b4af12894681ea2e24580ac20dd5801c6bb2868649fd72cd556148ccf015

SHA512
d13c8cb96e2b43456ca6a7225016bbcc01168d7f54be4b30294c9ad7551490843b717d93d1902434d06bc2702d7d9b35ea9f93e19e88553e5bf0d44988616fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
44KB

MD5
3071fbf19824c1d5efd38e1ecf49aa87

SHA1
6b9cbb041da27fb7681d57dbcc8956dc9765efc8

SHA256
1df3b4af12894681ea2e24580ac20dd5801c6bb2868649fd72cd556148ccf015

SHA512
d13c8cb96e2b43456ca6a7225016bbcc01168d7f54be4b30294c9ad7551490843b717d93d1902434d06bc2702d7d9b35ea9f93e19e88553e5bf0d44988616fd5

Download Submit
\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
44KB

MD5
3071fbf19824c1d5efd38e1ecf49aa87

SHA1
6b9cbb041da27fb7681d57dbcc8956dc9765efc8

SHA256
1df3b4af12894681ea2e24580ac20dd5801c6bb2868649fd72cd556148ccf015

SHA512
d13c8cb96e2b43456ca6a7225016bbcc01168d7f54be4b30294c9ad7551490843b717d93d1902434d06bc2702d7d9b35ea9f93e19e88553e5bf0d44988616fd5

Download Submit
memory/2072-54-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/2072-55-0x0000000000270000-0x0000000000276000-memory.dmp

Filesize
24KB

Download
memory/2072-67-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/2372-69-0x0000000000300000-0x0000000000306000-memory.dmp

Filesize
24KB

Download
memory/2372-76-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download