224acb5f139a1ebf8add7f965c96b47c82e26f10a556e45361d0bc71308417ed

Analysis

max time kernel
142s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2023, 14:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3cde62c0d1ef60c043ccf1fc3dba7a22_JC.exe
Size

356KB
MD5

3cde62c0d1ef60c043ccf1fc3dba7a22
SHA1

c05cc6eca17c0dac2df50368b6e62f0fd3a80c8a
SHA256

224acb5f139a1ebf8add7f965c96b47c82e26f10a556e45361d0bc71308417ed
SHA512

61f5f55ebb671ea2e07158f516ced63c119008e52bf7498e6d0c132cfbca2f648220c4521d0fed0b422b75ef937aa9577bd4d5fa16b0eb79804d569ca2b82cd7
SSDEEP

6144:VuIlWqB+ihabs7Ch9KwyF5LeLodp2D1Mmakda0qL0qEks3ih1XGWy:Y6Wq4aaE6KwyF5L0Y2D1PqL0qC3c2t

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2716	commander.exe
5004	commander.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3496-0-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/3496-8-0x0000000000400000-0x00000000004BA000-memory.dmp	upx

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/3496-8-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\commander.exe	3cde62c0d1ef60c043ccf1fc3dba7a22_JC.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\svhost.exe	3cde62c0d1ef60c043ccf1fc3dba7a22_JC.exe
File opened for modification	C:\Windows\svhost.exe	3cde62c0d1ef60c043ccf1fc3dba7a22_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3496	3cde62c0d1ef60c043ccf1fc3dba7a22_JC.exe
3496	3cde62c0d1ef60c043ccf1fc3dba7a22_JC.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	4224	svchost.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3496 wrote to memory of 2716	3496	3cde62c0d1ef60c043ccf1fc3dba7a22_JC.exe	86
PID 3496 wrote to memory of 2716	3496	3cde62c0d1ef60c043ccf1fc3dba7a22_JC.exe	86
PID 3496 wrote to memory of 2716	3496	3cde62c0d1ef60c043ccf1fc3dba7a22_JC.exe	86
PID 2716 wrote to memory of 4948	2716	commander.exe	88
PID 2716 wrote to memory of 4948	2716	commander.exe	88
PID 2716 wrote to memory of 4948	2716	commander.exe	88
PID 3496 wrote to memory of 5004	3496	3cde62c0d1ef60c043ccf1fc3dba7a22_JC.exe	89
PID 3496 wrote to memory of 5004	3496	3cde62c0d1ef60c043ccf1fc3dba7a22_JC.exe	89
PID 3496 wrote to memory of 5004	3496	3cde62c0d1ef60c043ccf1fc3dba7a22_JC.exe	89
PID 5004 wrote to memory of 4912	5004	commander.exe	91
PID 5004 wrote to memory of 4912	5004	commander.exe	91
PID 5004 wrote to memory of 4912	5004	commander.exe	91

C:\Users\Admin\AppData\Local\Temp\3cde62c0d1ef60c043ccf1fc3dba7a22_JC.exe
"C:\Users\Admin\AppData\Local\Temp\3cde62c0d1ef60c043ccf1fc3dba7a22_JC.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3496
- C:\Windows\SysWOW64\commander.exe
  commander.exe /C at 9:00 /interactive C:\Windows\svhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\SysWOW64\at.exe
    at 9:00 /interactive C:\Windows\svhost.exe
    3⤵
    PID:4948
- C:\Windows\SysWOW64\commander.exe
  commander.exe /C schtasks /run /tn at1
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5004
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /tn at1
    3⤵
    PID:4912

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:832

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\commander.exe

Filesize
231KB

MD5
e6dabddee3cc5b3c84b2d60074f495fa

SHA1
0b2fa798a50b9301dbd4061fd8384b3cfecf44cd

SHA256
6c605598a0b4e6e885ef8649fc98ee7c22663010f5012e6c74394adf1408d5be

SHA512
0fb8220edef2d391115eb4defe2e67241f8b4ce76ecc3d2b3307d2761f578d1ce7e979132080bd7d5f462262cf9c38fd08cbf9bf6b26ff3b31109a26b3c3ea2c

Download Submit
C:\Windows\SysWOW64\commander.exe

Filesize
231KB

MD5
e6dabddee3cc5b3c84b2d60074f495fa

SHA1
0b2fa798a50b9301dbd4061fd8384b3cfecf44cd

SHA256
6c605598a0b4e6e885ef8649fc98ee7c22663010f5012e6c74394adf1408d5be

SHA512
0fb8220edef2d391115eb4defe2e67241f8b4ce76ecc3d2b3307d2761f578d1ce7e979132080bd7d5f462262cf9c38fd08cbf9bf6b26ff3b31109a26b3c3ea2c

Download Submit
memory/3496-0-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3496-8-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/4224-9-0x0000015FB2940000-0x0000015FB2950000-memory.dmp

Filesize
64KB

Download
memory/4224-25-0x0000015FB2A40000-0x0000015FB2A50000-memory.dmp

Filesize
64KB

Download
memory/4224-41-0x0000015FBAD80000-0x0000015FBAD81000-memory.dmp

Filesize
4KB

Download
memory/4224-43-0x0000015FBADB0000-0x0000015FBADB1000-memory.dmp

Filesize
4KB

Download
memory/4224-44-0x0000015FBADB0000-0x0000015FBADB1000-memory.dmp

Filesize
4KB

Download
memory/4224-45-0x0000015FBAEC0000-0x0000015FBAEC1000-memory.dmp

Filesize
4KB

Download