20be63cab5e07464e7d5dd6148ccf85dd579d0e7c904671386d4d7111e5d231f

Analysis

max time kernel
148s
max time network
151s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
11/07/2023, 16:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc8ff6ad874218exeexeexeex.exe
Size

86KB
MD5

fc8ff6ad8742185e322dad2e42c49d94
SHA1

c0ed719d1321dd4523cd5b423b49e7d8d5009237
SHA256

20be63cab5e07464e7d5dd6148ccf85dd579d0e7c904671386d4d7111e5d231f
SHA512

c382b1618f8df8201e3660a8a29bcd69bbc8fbdb893c254b79d01b5cea65262c911416cbc597736a394e6965f22a70e5a7861d992d54262e2c3b2294a722f7a1
SSDEEP

1536:T6QFElP6n+gxmddpMOtEvwDpjwaxTNUOTFBEa2x0jC:T6a+rdOOtEvwDpjNQ

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2288	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
364	fc8ff6ad874218exeexeexeex.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000c000000012115-63.dat	upx
behavioral1/memory/364-67-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/files/0x000c000000012115-66.dat	upx
behavioral1/files/0x000c000000012115-75.dat	upx
behavioral1/memory/2288-76-0x0000000000500000-0x0000000000510000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 364 wrote to memory of 2288	364	fc8ff6ad874218exeexeexeex.exe	29
PID 364 wrote to memory of 2288	364	fc8ff6ad874218exeexeexeex.exe	29
PID 364 wrote to memory of 2288	364	fc8ff6ad874218exeexeexeex.exe	29
PID 364 wrote to memory of 2288	364	fc8ff6ad874218exeexeexeex.exe	29

C:\Users\Admin\AppData\Local\Temp\fc8ff6ad874218exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\fc8ff6ad874218exeexeexeex.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:364
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:2288

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
86KB

MD5
15102222d901f6ec99b5ba807ae715a6

SHA1
ddb96bb63be92634e3ee081acd03d8762fc1c84c

SHA256
53b2fb344aaaa5ce7a835d4d43fa6aecdcef41fdaf1def91f68a34c4166dd71c

SHA512
08f700d5e3836c18525f5796b2f4ed2aa8c6ea8849df1c4394d13dcc6a12c70253abc987f3954e04e382f22dbb070efc31bb76ee4b65b44573d8797ffab8e89c

Download Submit
C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
86KB

MD5
15102222d901f6ec99b5ba807ae715a6

SHA1
ddb96bb63be92634e3ee081acd03d8762fc1c84c

SHA256
53b2fb344aaaa5ce7a835d4d43fa6aecdcef41fdaf1def91f68a34c4166dd71c

SHA512
08f700d5e3836c18525f5796b2f4ed2aa8c6ea8849df1c4394d13dcc6a12c70253abc987f3954e04e382f22dbb070efc31bb76ee4b65b44573d8797ffab8e89c

Download Submit
\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
86KB

MD5
15102222d901f6ec99b5ba807ae715a6

SHA1
ddb96bb63be92634e3ee081acd03d8762fc1c84c

SHA256
53b2fb344aaaa5ce7a835d4d43fa6aecdcef41fdaf1def91f68a34c4166dd71c

SHA512
08f700d5e3836c18525f5796b2f4ed2aa8c6ea8849df1c4394d13dcc6a12c70253abc987f3954e04e382f22dbb070efc31bb76ee4b65b44573d8797ffab8e89c

Download Submit
memory/364-54-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download
memory/364-55-0x00000000002F0000-0x00000000002F6000-memory.dmp

Filesize
24KB

Download
memory/364-67-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2288-69-0x0000000000280000-0x0000000000286000-memory.dmp

Filesize
24KB

Download
memory/2288-76-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download