Analysis

  • max time kernel
    120s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
  • submitted
    26/08/2023, 23:52

General

  • Target

    a.exe

  • Size

    90KB

  • MD5

    be380b0736c5b987396b27623c22c7b9

  • SHA1

    dcba1d1e8b72d6c62ef85adbcda7a05d0f13357d

  • SHA256

    abc95b87d61de2b46805ee9e536aed85af8a62bcdc43661991d550485d0f1752

  • SHA512

    47df3275ad84b9ea08c148695425a4cd45c97945379213bb7c206e36c28ae12c9275869c880e6781b9127847d484fb0c35e1f0045f81edeb2623f1fe535a0c02

  • SSDEEP

    1536:T7fPGykbOqjoHm4pICdfkLtAfupcWX50MxFY+yIOlnToIf6xYB0O4:Pq6+ouCpk2mpcWJ0r+QNTBf66Bg

Score
7/10

Malware Config

Signatures

  • Drops startup file 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 22 IoCs
  • Views/modifies file attributes 1 TTPs 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a.exe
    "C:\Users\Admin\AppData\Local\Temp\a.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2912
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\BAA8.tmp\BAA9.tmp\BAAA.bat C:\Users\Admin\AppData\Local\Temp\a.exe"
      2⤵
      • Drops startup file
      • Suspicious use of WriteProcessMemory
      PID:2120
      • C:\Windows\system32\cscript.exe
        cscript CreateShortcut.vbs
        3⤵
        • Drops startup file
        PID:2560
      • C:\Windows\system32\attrib.exe
        attrib +h "C:\Users\Admin\Videos\python"
        3⤵
        • Views/modifies file attributes
        PID:2376
      • C:\Windows\system32\attrib.exe
        attrib +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\startup.vbs"
        3⤵
        • Drops startup file
        • Views/modifies file attributes
        PID:2400
      • C:\Windows\system32\attrib.exe
        attrib +h "C:\Users\Admin\Videos\python\startup.py"
        3⤵
        • Views/modifies file attributes
        PID:2492
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\startup.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2512
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\Videos\python\python.exe C:\Users\Admin\Videos\python\startup.py
          4⤵
          PID:2056
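
The tree above is a complete persistence chain: a.exe runs a dropped batch file through cmd.exe (the sysnative path in the command line is how a 32-bit process reaches the real 64-bit cmd.exe past WoW64 redirection, which is why the image resolves to system32), the batch drops startup.vbs into the user's Startup folder and hides it with attrib +h, WScript executes that script, and the script has cmd.exe launch a private python.exe from Videos\python. The following is an added example for this page, not the sandbox report's or its vendor's code: Python detection logic run over process-creation records constructed to mirror the tree. The parent PID 1000 for a.exe and the benign control event at the end are assumptions; the media-folder rule generalizes beyond Videos to Music and Pictures.

```python
"""Detection logic for the persistence chain shown in the process tree.
Added example for this page, not the sandbox vendor's code. The events are
constructed Sysmon-style process-creation records that mirror the tree above;
the parent PID 1000 for a.exe and the benign control event at the end are
assumptions, not values from the report."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed events. Parent links follow the tree depth in the report.
EVENTS = [
    ProcEvent(2912, 1000, r"C:\Users\Admin\AppData\Local\Temp\a.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\a.exe"'),
    ProcEvent(2120, 2912, r"C:\Windows\system32\cmd.exe",
              r'"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp'
              r'\BAA8.tmp\BAA9.tmp\BAAA.bat C:\Users\Admin\AppData\Local\Temp\a.exe"'),
    ProcEvent(2560, 2120, r"C:\Windows\system32\cscript.exe", "cscript CreateShortcut.vbs"),
    ProcEvent(2376, 2120, r"C:\Windows\system32\attrib.exe",
              r'attrib +h "C:\Users\Admin\Videos\python"'),
    ProcEvent(2400, 2120, r"C:\Windows\system32\attrib.exe",
              r'attrib +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows'
              r'\Start Menu\Programs\Startup\startup.vbs"'),
    ProcEvent(2492, 2120, r"C:\Windows\system32\attrib.exe",
              r'attrib +h "C:\Users\Admin\Videos\python\startup.py"'),
    ProcEvent(2512, 2120, r"C:\Windows\System32\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming'
              r'\Microsoft\Windows\Start Menu\Programs\Startup\startup.vbs"'),
    ProcEvent(2056, 2512, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\Videos\python\python.exe'
              r' C:\Users\Admin\Videos\python\startup.py'),
    # Benign control (assumed): a user hiding a folder under Documents must not fire.
    ProcEvent(3000, 1000, r"C:\Windows\system32\attrib.exe",
              r'attrib +h "C:\Users\Admin\Documents\notes"'),
]

STARTUP_RE = re.compile(r"\\start menu\\programs\\startup\\", re.I)
MEDIA_DIR_RE = re.compile(r"\\users\\[^\\]+\\(?:videos|music|pictures)\\", re.I)
EXE_PATH_RE = re.compile(r'[a-z]:\\[^\s"]+\.exe', re.I)
HIDE_FLAG_RE = re.compile(r"(?:^|\s)\+h(?:\s|$)", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
INTERPRETERS = {"python.exe", "pythonw.exe", "powershell.exe", "wscript.exe", "cscript.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def match_rules(e: ProcEvent) -> list[str]:
    """Rules a single process-creation event triggers."""
    rules = []
    img = basename(e.image)
    if img == "attrib.exe" and HIDE_FLAG_RE.search(e.cmdline):
        if STARTUP_RE.search(e.cmdline):
            rules.append("attrib_hide_startup_item")      # high confidence on its own
        elif MEDIA_DIR_RE.search(e.cmdline):
            rules.append("attrib_hide_media_dir")         # weak on its own
    if img in SCRIPT_HOSTS and STARTUP_RE.search(e.cmdline):
        rules.append("script_host_runs_startup_script")
    if img == "cmd.exe":
        # Any interpreter binary living under a user's media folder is off-profile.
        for exe in EXE_PATH_RE.findall(e.cmdline):
            if basename(exe) in INTERPRETERS and MEDIA_DIR_RE.search(exe):
                rules.append("cmd_runs_interpreter_from_media_dir")
                break
    return rules


def root_of(pid: int, by_pid: dict[int, ProcEvent]) -> int:
    """Walk parent links up to the topmost process we hold an event for."""
    seen = set()
    while pid in by_pid and by_pid[pid].ppid in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid].ppid
    return pid


def correlate(events: list[ProcEvent]) -> dict[int, set[str]]:
    """Group triggered rules by the root of each process tree."""
    by_pid = {e.pid: e for e in events}
    trees: dict[int, set[str]] = {}
    for e in events:
        rules = match_rules(e)
        if rules:
            trees.setdefault(root_of(e.pid, by_pid), set()).update(rules)
    return trees


# Hiding a Startup-folder item and then executing it from a script host is the
# combination that makes this a persistence chain rather than two weak signals.
CHAIN = {"attrib_hide_startup_item", "script_host_runs_startup_script"}


def flag_persistence(events: list[ProcEvent]) -> list[int]:
    """Root PIDs whose process tree shows the full hide-then-execute chain."""
    return sorted(root for root, rules in correlate(events).items() if CHAIN <= rules)


if __name__ == "__main__":
    for root, rules in correlate(EVENTS).items():
        print(root, sorted(rules))
    print("persistence roots:", flag_persistence(EVENTS))
```

Correlating by tree root matters here: the attrib and WScript events are siblings under cmd.exe, not parent and child, so a rule that only looks at direct parent-child pairs would miss the chain. The benign control shows the attrib rule alone does not fire on an ordinary hidden folder.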

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\BAA8.tmp\BAA9.tmp\BAAA.bat

    Filesize
    2KB

    MD5
    c05be96260f463759bacbb9174d7f09d

    SHA1
    523cb0711a4e071914ca1cb7e4cee9018b5938d2

    SHA256
    9b532874cbceab6ff2e9e930f9cf1925e4e65905ec3bdb17bd819d128bc8eab2

    SHA512
    5970008392a43cf0562e158bf63596c4411dd862160f8d7aa7a4e64d3c6fdcf0f53057c1988227d5609559e4f8cb7e6d954ba58a479b4aa48d47eb8902a7842b

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\startup.vbs

    Filesize
    170B

    MD5
    dc137970088ee88b88261d572e081056

    SHA1
    cabc47c94ec6ac6f3aeb6f54e4ec3877ddc7fe4f

    SHA256
    29df41e8d7e6de01e863d8fa550b4aaea873f16c399c2a8ebeb9e17760be03d4

    SHA512
    9643d37103e311b9481d2443fb4a6f45ea0c9777fe5a39576eeaa184b599ab1721ab07f2a2c37b283206fb0ec6931f0e45a6633fb8e4155de39d3b02c2e1037a

  • C:\Users\Admin\Videos\python\CreateShortcut.vbs

    Filesize
    324B

    MD5
    3ca6a725ce00962db447b91b04b88e11

    SHA1
    ea8703e007aeede2af5cd8ea4139f51ef48103d9

    SHA256
    b1c322e3fa3afc3fda4c2a825d028d7dfc6bf322fa1a78c56b1c547dcff1aa79

    SHA512
    22290ee3a7d75e51c35b1d187df22be6696604f7522323a02811fda0c8e3bec7f3dc61b6d0c8ff66a9f421f27ea04fecb7c170e43e9c671ac930084fbaabae90
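
The hashes above are only useful if something checks hosts against them. The following is an added example for this page, not the sandbox vendor's tooling: a Python hunt that walks the drop locations from the process tree, hashes every file, matches on the report's SHA-256 values and on the dropped file names, and records whether the hidden attribute the sample sets with attrib +h is present. The demo run builds a constructed directory layout in a temporary folder with placeholder contents, so it only produces name matches and runs offline; on a real host the roots would be the user's Startup folder and Videos directory.

```python
"""Hunt for the dropped files listed under Downloads. Added example for this
page, not the sandbox vendor's code. Hashes every file under the given roots,
matches against the report's SHA-256 values and the dropped file names, and
notes the Windows hidden attribute. The demo at the bottom uses constructed
placeholder files in a temporary directory so it runs offline."""
import hashlib
import os
import stat
import tempfile

# SHA-256 values copied from the report's Downloads section.
KNOWN_SHA256 = {
    "9b532874cbceab6ff2e9e930f9cf1925e4e65905ec3bdb17bd819d128bc8eab2": "BAAA.bat",
    "29df41e8d7e6de01e863d8fa550b4aaea873f16c399c2a8ebeb9e17760be03d4": "startup.vbs",
    "b1c322e3fa3afc3fda4c2a825d028d7dfc6bf322fa1a78c56b1c547dcff1aa79": "CreateShortcut.vbs",
}
# File names the process tree shows being created, hidden or executed.
SUSPECT_NAMES = {"startup.vbs", "createshortcut.vbs", "startup.py"}


def sha256_of(path):
    """Stream the file so large media files in Videos do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def is_hidden(path):
    """Windows hidden attribute; st_file_attributes is absent on other platforms."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)


def hunt(roots):
    """One finding per file that matches by hash or by suspect name.
    os.walk returns hidden files too, so attrib +h does not evade this."""
    findings = []
    for root in roots:
        for dirpath, _, names in os.walk(root):
            for name in names:
                path = os.path.join(dirpath, name)
                digest = sha256_of(path)
                hash_hit = KNOWN_SHA256.get(digest)
                name_hit = name.lower() in SUSPECT_NAMES
                if hash_hit or name_hit:
                    findings.append({
                        "path": path, "name": name, "sha256": digest,
                        "hash_match": hash_hit, "name_match": name_hit,
                        "hidden": is_hidden(path),
                    })
    return findings


def demo():
    """Constructed layout mirroring the report's drop locations. Contents are
    placeholders (not the real dropped files), so only name matches occur."""
    with tempfile.TemporaryDirectory() as tmp:
        startup = os.path.join(tmp, "Start Menu", "Programs", "Startup")
        pydir = os.path.join(tmp, "Videos", "python")
        os.makedirs(startup)
        os.makedirs(pydir)
        files = {
            os.path.join(startup, "startup.vbs"): b"' placeholder vbs\r\n",
            os.path.join(pydir, "startup.py"): b"# placeholder py\r\n",
            os.path.join(pydir, "CreateShortcut.vbs"): b"' placeholder vbs 2\r\n",
            os.path.join(tmp, "Videos", "holiday.mp4"): b"\x00" * 16,   # benign
        }
        for p, data in files.items():
            with open(p, "wb") as f:
                f.write(data)
        return hunt([tmp])


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

A name match with no hash match, which is what the demo produces, is the expected outcome on a host where the builder regenerated the scripts: the dropped file names and the Startup-folder location are more stable indicators than the file hashes, so treat a hash miss on a correctly named hidden startup.vbs as a hit worth pulling, not as a clean result.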