851954a652624b74669b3d419a478549a9f20e911fee602e856e1f8107b32073

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
04/10/2023, 12:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

851954a652624b74669b3d419a478549a9f20e911fee602e856e1f8107b32073.exe
Size

3.2MB
MD5

3301ff483aa0af87297becd663758204
SHA1

b544210302e12bc4a4da03aa58981e2a6b100015
SHA256

851954a652624b74669b3d419a478549a9f20e911fee602e856e1f8107b32073
SHA512

34045a37b0ac76726e391877bf19d0504f4b1e2e4cee473f98310f1704b6ebbb8e958fe0ccb9952b54fd1bc772aadd0f65022478400f313b6d44bdf4fc8006cf
SSDEEP

98304:KjJzUuim6ib4WraIox9XcJ6a1wyM4PM46OMIP:KjVWIox9XcJ6aLM4J

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1324	AutoCN.exe
2108	StartAllBackCfg.exe

Loads dropped DLL 1 IoCs

pid	Process
2732	851954a652624b74669b3d419a478549a9f20e911fee602e856e1f8107b32073.exe

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0006000000015db6-127.dat	autoit_exe
behavioral1/files/0x0006000000015db6-129.dat	autoit_exe
behavioral1/files/0x0006000000015db6-130.dat	autoit_exe
behavioral1/files/0x0006000000015db6-131.dat	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe
1324	AutoCN.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 1324	2732	851954a652624b74669b3d419a478549a9f20e911fee602e856e1f8107b32073.exe	28
PID 2732 wrote to memory of 1324	2732	851954a652624b74669b3d419a478549a9f20e911fee602e856e1f8107b32073.exe	28
PID 2732 wrote to memory of 1324	2732	851954a652624b74669b3d419a478549a9f20e911fee602e856e1f8107b32073.exe	28

C:\Users\Admin\AppData\Local\Temp\851954a652624b74669b3d419a478549a9f20e911fee602e856e1f8107b32073.exe
"C:\Users\Admin\AppData\Local\Temp\851954a652624b74669b3d419a478549a9f20e911fee602e856e1f8107b32073.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\AutoCN.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\AutoCN.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1324
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\StartAllBackCfg.exe
    StartAllBackCfg.exe /install
    3⤵
    - Executes dropped EXE
    PID:2108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\AutoCN.exe

Filesize
962KB

MD5
36a0183f4d1ee906ee793965b6072503

SHA1
1df5ae8cd982951062ebbd5e7ca2dd9eac490e37

SHA256
463054c90be83c2b4fd5e8c4ba93090175d7accf658cd864c8347c61dbee6d6c

SHA512
80b27c6a1d84253b3eae017c4b54a7964473833589b720396cdf62fa7cc1143285d3914fd452e7ecaa3accae0073e873e4c529f1ba281abefd6f924de65106af

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\AutoCN.exe

Filesize
962KB

MD5
36a0183f4d1ee906ee793965b6072503

SHA1
1df5ae8cd982951062ebbd5e7ca2dd9eac490e37

SHA256
463054c90be83c2b4fd5e8c4ba93090175d7accf658cd864c8347c61dbee6d6c

SHA512
80b27c6a1d84253b3eae017c4b54a7964473833589b720396cdf62fa7cc1143285d3914fd452e7ecaa3accae0073e873e4c529f1ba281abefd6f924de65106af

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\AutoCN.exe

Filesize
962KB

MD5
36a0183f4d1ee906ee793965b6072503

SHA1
1df5ae8cd982951062ebbd5e7ca2dd9eac490e37

SHA256
463054c90be83c2b4fd5e8c4ba93090175d7accf658cd864c8347c61dbee6d6c

SHA512
80b27c6a1d84253b3eae017c4b54a7964473833589b720396cdf62fa7cc1143285d3914fd452e7ecaa3accae0073e873e4c529f1ba281abefd6f924de65106af

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\StartAllBackCfg.exe

Filesize
3.2MB

MD5
e587d820e3c12c6c5072a13644312d9b

SHA1
40fe41de4ddf6705a5b70df0d8bdc4e414767486

SHA256
311a64d01ba5bf80b848578b7e67b3f98366e524254fce227692a4530d7ffbc0

SHA512
e02c0465b2a76c34ca696c39278699d8b10ee2f9d89cd746659efd98a09c14e7471e98c1612554920fb1dae4dd0e160b769e29b99a5675fa06e420e737bf4338

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\AutoCN.exe

Filesize
962KB

MD5
36a0183f4d1ee906ee793965b6072503

SHA1
1df5ae8cd982951062ebbd5e7ca2dd9eac490e37

SHA256
463054c90be83c2b4fd5e8c4ba93090175d7accf658cd864c8347c61dbee6d6c

SHA512
80b27c6a1d84253b3eae017c4b54a7964473833589b720396cdf62fa7cc1143285d3914fd452e7ecaa3accae0073e873e4c529f1ba281abefd6f924de65106af

Download Submit