aaf31b2a241706a5f2dc50cb4993da803c60970cc12746eb3ce14ef45a725459

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
09/07/2023, 09:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a8cb59d12bb69bexeexeexeex.exe
Size

90KB
MD5

a8cb59d12bb69b9dce2d237e43127ad0
SHA1

d6702e55a96793c0037cb2d416836bf0b0b0ba04
SHA256

aaf31b2a241706a5f2dc50cb4993da803c60970cc12746eb3ce14ef45a725459
SHA512

16c86989fdf8521055e4d23667a199a0f8a775f79648039d49c70f355ab309b8f69ff3b14e8cb8ebabc7fcc10b7187dde817af4d8b73c7f4f312e288b3368339
SSDEEP

1536:zj+soPSMOtEvwDpj4ktBl01hJl8QAPM8Ho6cRDjuv4:zCsanOtEvwDpjg

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1272	misid.exe

Loads dropped DLL 1 IoCs

pid	Process
440	a8cb59d12bb69bexeexeexeex.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000c000000012260-63.dat	upx
behavioral1/memory/440-67-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/files/0x000c000000012260-66.dat	upx
behavioral1/files/0x000c000000012260-75.dat	upx
behavioral1/memory/1272-76-0x0000000000500000-0x0000000000510000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 440 wrote to memory of 1272	440	a8cb59d12bb69bexeexeexeex.exe	28
PID 440 wrote to memory of 1272	440	a8cb59d12bb69bexeexeexeex.exe	28
PID 440 wrote to memory of 1272	440	a8cb59d12bb69bexeexeexeex.exe	28
PID 440 wrote to memory of 1272	440	a8cb59d12bb69bexeexeexeex.exe	28

C:\Users\Admin\AppData\Local\Temp\a8cb59d12bb69bexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\a8cb59d12bb69bexeexeexeex.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:440
- C:\Users\Admin\AppData\Local\Temp\misid.exe
  "C:\Users\Admin\AppData\Local\Temp\misid.exe"
  2⤵
  - Executes dropped EXE
  PID:1272

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
91KB

MD5
b09ee306e8e88328cff2c5a13f10d7a8

SHA1
33399f709d03de69ac69b3b3a93c385651d8d844

SHA256
ea0245f64aaaca703a864621e277a16595987f0b2243b4edbbf704a901826107

SHA512
19346fa48d654577cf67aec75344fa287bcfbebfda3a9ccd2fb3d0a4519104bff1539d5b9c6b310af1ab3c2ce2238b76c9998aed31972498ee809a569c8e8d46

Download Submit
C:\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
91KB

MD5
b09ee306e8e88328cff2c5a13f10d7a8

SHA1
33399f709d03de69ac69b3b3a93c385651d8d844

SHA256
ea0245f64aaaca703a864621e277a16595987f0b2243b4edbbf704a901826107

SHA512
19346fa48d654577cf67aec75344fa287bcfbebfda3a9ccd2fb3d0a4519104bff1539d5b9c6b310af1ab3c2ce2238b76c9998aed31972498ee809a569c8e8d46

Download Submit
\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
91KB

MD5
b09ee306e8e88328cff2c5a13f10d7a8

SHA1
33399f709d03de69ac69b3b3a93c385651d8d844

SHA256
ea0245f64aaaca703a864621e277a16595987f0b2243b4edbbf704a901826107

SHA512
19346fa48d654577cf67aec75344fa287bcfbebfda3a9ccd2fb3d0a4519104bff1539d5b9c6b310af1ab3c2ce2238b76c9998aed31972498ee809a569c8e8d46

Download Submit
memory/440-54-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/440-55-0x0000000000270000-0x0000000000276000-memory.dmp

Filesize
24KB

Download
memory/440-67-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1272-69-0x0000000000490000-0x0000000000496000-memory.dmp

Filesize
24KB

Download
memory/1272-76-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download