3ae4bcc11b731a63c2aea25da7c3ce1441690bfb0659747052a84e224af31a03

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
10/07/2023, 17:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d5edd60ef9e47dexeexeexeex.exe
Size

42KB
MD5

d5edd60ef9e47d593761f65ffa533121
SHA1

1931bf0e77f7ba6910feba0d3aac38d3e2678909
SHA256

3ae4bcc11b731a63c2aea25da7c3ce1441690bfb0659747052a84e224af31a03
SHA512

e6c4abcb257792fc942adb03ddd64f751e5a892f3c50cef0b50681c2e9d882c832954b934b894936e99977543330309377aac03a0145f83fc957564bd8445fa4
SSDEEP

768:qUmnjFom/kLyMro2GtOOtEvwDpjeMLam5aFr7YOzzOQjCMOXdp:qUmnpomddpMOtEvwDpjjaYaFAetip

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1544	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
2268	d5edd60ef9e47dexeexeexeex.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000b00000001225d-63.dat	upx
behavioral1/memory/2268-67-0x0000000000500000-0x000000000050F000-memory.dmp	upx
behavioral1/files/0x000b00000001225d-66.dat	upx
behavioral1/files/0x000b00000001225d-75.dat	upx
behavioral1/memory/1544-76-0x0000000000500000-0x000000000050F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 1544	2268	d5edd60ef9e47dexeexeexeex.exe	29
PID 2268 wrote to memory of 1544	2268	d5edd60ef9e47dexeexeexeex.exe	29
PID 2268 wrote to memory of 1544	2268	d5edd60ef9e47dexeexeexeex.exe	29
PID 2268 wrote to memory of 1544	2268	d5edd60ef9e47dexeexeexeex.exe	29

C:\Users\Admin\AppData\Local\Temp\d5edd60ef9e47dexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\d5edd60ef9e47dexeexeexeex.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:1544

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
42KB

MD5
c3ae44e429517c73a7adc987eb0aa80c

SHA1
bd836d1d1af773b5355f3213c8c35da65b9851a8

SHA256
cc38bbf3f6d7a8380fa086fa40ade9aa4cb20238250bedcd77635aa6490498eb

SHA512
386e92434c0b283ed207bbb96e6613f443a5f403c096e5fbfff4be73a4529c4cad774934db021065054f700e210aa3e6d6c94f503ea14a3f04e8746ded6fc24e

Download Submit
C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
42KB

MD5
c3ae44e429517c73a7adc987eb0aa80c

SHA1
bd836d1d1af773b5355f3213c8c35da65b9851a8

SHA256
cc38bbf3f6d7a8380fa086fa40ade9aa4cb20238250bedcd77635aa6490498eb

SHA512
386e92434c0b283ed207bbb96e6613f443a5f403c096e5fbfff4be73a4529c4cad774934db021065054f700e210aa3e6d6c94f503ea14a3f04e8746ded6fc24e

Download Submit
\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
42KB

MD5
c3ae44e429517c73a7adc987eb0aa80c

SHA1
bd836d1d1af773b5355f3213c8c35da65b9851a8

SHA256
cc38bbf3f6d7a8380fa086fa40ade9aa4cb20238250bedcd77635aa6490498eb

SHA512
386e92434c0b283ed207bbb96e6613f443a5f403c096e5fbfff4be73a4529c4cad774934db021065054f700e210aa3e6d6c94f503ea14a3f04e8746ded6fc24e

Download Submit
memory/1544-69-0x00000000002F0000-0x00000000002F6000-memory.dmp

Filesize
24KB

Download
memory/1544-76-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/2268-54-0x0000000000440000-0x0000000000446000-memory.dmp

Filesize
24KB

Download
memory/2268-55-0x00000000004B0000-0x00000000004B6000-memory.dmp

Filesize
24KB

Download
memory/2268-67-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download