f04a3187feb6f21921323adece5700f028eb95ef38ea4b6d8de7e866b7bbbf88

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
11/07/2023, 06:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e34e967db92952exeexeexeex.exe
Size

61KB
MD5

e34e967db92952c45582991785e553fe
SHA1

b3dbc18b446bacabd29fac6a3231ea450a4caf1a
SHA256

f04a3187feb6f21921323adece5700f028eb95ef38ea4b6d8de7e866b7bbbf88
SHA512

ade2e953f2db9010dbed9dccf8c7ac0d37504234c0427f1f45b0a71143021d1fa56969e796685f894198d3b49ea515c03c8e9679dbeb7b35798d4b2cefee71a4
SSDEEP

768:zQz7yVEhs9+syJP6ntOOtEvwDpjFelagPXPECuMuE0XHNurGM:zj+soPSMOtEvwDpj4HE9MWsrGM

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1740	misid.exe

Loads dropped DLL 1 IoCs

pid	Process
2320	e34e967db92952exeexeexeex.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a000000012263-63.dat	upx
behavioral1/memory/2320-67-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/files/0x000a000000012263-66.dat	upx
behavioral1/files/0x000a000000012263-75.dat	upx
behavioral1/memory/1740-76-0x0000000000500000-0x0000000000510000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 1740	2320	e34e967db92952exeexeexeex.exe	29
PID 2320 wrote to memory of 1740	2320	e34e967db92952exeexeexeex.exe	29
PID 2320 wrote to memory of 1740	2320	e34e967db92952exeexeexeex.exe	29
PID 2320 wrote to memory of 1740	2320	e34e967db92952exeexeexeex.exe	29

C:\Users\Admin\AppData\Local\Temp\e34e967db92952exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\e34e967db92952exeexeexeex.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Users\Admin\AppData\Local\Temp\misid.exe
  "C:\Users\Admin\AppData\Local\Temp\misid.exe"
  2⤵
  - Executes dropped EXE
  PID:1740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
61KB

MD5
10232483352e6d6b4b082cd5b0cd5bdb

SHA1
025c559fbc1b6a561245866fe9c2fe15ab6d1dc5

SHA256
ae10c4a977f49df3baaf5f8ec8ca6ecec06ff8be54205570be0d001570124433

SHA512
ee46c36adb66698af8b54cfd9d5feee742320fd7995fa603aad83a89f294b5853835b4385e1758bf9a073727ad197e357bed4f6e9df233027bfeac2f20f1be4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
61KB

MD5
10232483352e6d6b4b082cd5b0cd5bdb

SHA1
025c559fbc1b6a561245866fe9c2fe15ab6d1dc5

SHA256
ae10c4a977f49df3baaf5f8ec8ca6ecec06ff8be54205570be0d001570124433

SHA512
ee46c36adb66698af8b54cfd9d5feee742320fd7995fa603aad83a89f294b5853835b4385e1758bf9a073727ad197e357bed4f6e9df233027bfeac2f20f1be4d

Download Submit
\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
61KB

MD5
10232483352e6d6b4b082cd5b0cd5bdb

SHA1
025c559fbc1b6a561245866fe9c2fe15ab6d1dc5

SHA256
ae10c4a977f49df3baaf5f8ec8ca6ecec06ff8be54205570be0d001570124433

SHA512
ee46c36adb66698af8b54cfd9d5feee742320fd7995fa603aad83a89f294b5853835b4385e1758bf9a073727ad197e357bed4f6e9df233027bfeac2f20f1be4d

Download Submit
memory/1740-69-0x0000000000270000-0x0000000000276000-memory.dmp

Filesize
24KB

Download
memory/1740-76-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2320-55-0x0000000000280000-0x0000000000286000-memory.dmp

Filesize
24KB

Download
memory/2320-54-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/2320-67-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download