b29829f46c16dac1b3b52ee6c92a5a23068f4085f559807a6412f94c20976e63

Analysis

max time kernel
144s
max time network
155s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
11-07-2023 16:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc48e9287efcecexeexeexeex.exe
Size

101KB
MD5

fc48e9287efcec0dd66ae3404a963080
SHA1

a75d41d23ad5f2cdb36fd1a2d3480a72f025fe60
SHA256

b29829f46c16dac1b3b52ee6c92a5a23068f4085f559807a6412f94c20976e63
SHA512

e46674385b9ce662d0ce27466eb09b73e147993843130fb078c0c26ef3e6093d838df889c592b8d916a155a0fb833dd2085cb803cacfecf7150cbd15378e282b
SSDEEP

1536:P8mnK6QFElP6n+gymddpMOtEvwDpjIHsalRn5iF1j6Gkdo:1nK6a+qdOOtEvwDpjx

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2296	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
1988	fc48e9287efcecexeexeexeex.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000e000000012289-63.dat	upx
behavioral1/memory/1988-66-0x0000000000500000-0x000000000050F311-memory.dmp	upx
behavioral1/files/0x000e000000012289-67.dat	upx
behavioral1/files/0x000e000000012289-75.dat	upx
behavioral1/memory/2296-76-0x0000000000500000-0x000000000050F311-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 2296	1988	fc48e9287efcecexeexeexeex.exe	28
PID 1988 wrote to memory of 2296	1988	fc48e9287efcecexeexeexeex.exe	28
PID 1988 wrote to memory of 2296	1988	fc48e9287efcecexeexeexeex.exe	28
PID 1988 wrote to memory of 2296	1988	fc48e9287efcecexeexeexeex.exe	28

C:\Users\Admin\AppData\Local\Temp\fc48e9287efcecexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\fc48e9287efcecexeexeexeex.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:2296

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
101KB

MD5
dd47a5cc71d195a19c05548efe944ff9

SHA1
b21c31603370db1efe8b7c3848e617046aef9063

SHA256
ad616175fa33f0859d22e293b12ffe0a933ebfc5637ecd11d61f7ea3941a8dc0

SHA512
53a447371bbbdd1616a82e730b4411191f0c10d2d17864d49898eea746fda9254d60c9d1eb69a26adaee1f8dfa8493bdef6b334be65f49c25ed2af9a2edc98b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
101KB

MD5
dd47a5cc71d195a19c05548efe944ff9

SHA1
b21c31603370db1efe8b7c3848e617046aef9063

SHA256
ad616175fa33f0859d22e293b12ffe0a933ebfc5637ecd11d61f7ea3941a8dc0

SHA512
53a447371bbbdd1616a82e730b4411191f0c10d2d17864d49898eea746fda9254d60c9d1eb69a26adaee1f8dfa8493bdef6b334be65f49c25ed2af9a2edc98b4

Download Submit
\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
101KB

MD5
dd47a5cc71d195a19c05548efe944ff9

SHA1
b21c31603370db1efe8b7c3848e617046aef9063

SHA256
ad616175fa33f0859d22e293b12ffe0a933ebfc5637ecd11d61f7ea3941a8dc0

SHA512
53a447371bbbdd1616a82e730b4411191f0c10d2d17864d49898eea746fda9254d60c9d1eb69a26adaee1f8dfa8493bdef6b334be65f49c25ed2af9a2edc98b4

Download Submit
memory/1988-54-0x0000000000420000-0x0000000000426000-memory.dmp

Filesize
24KB

Download
memory/1988-55-0x0000000000450000-0x0000000000456000-memory.dmp

Filesize
24KB

Download
memory/1988-66-0x0000000000500000-0x000000000050F311-memory.dmp

Filesize
60KB

Download
memory/2296-69-0x0000000000280000-0x0000000000286000-memory.dmp

Filesize
24KB

Download
memory/2296-76-0x0000000000500000-0x000000000050F311-memory.dmp

Filesize
60KB

Download