4051d791566f289683ee377effd774a80b7eb2b251e604e3eeabf923d75c0c98

Resubmissions

19-10-2023 11:09

231019-m9hf6agh68 10

Analysis

max time kernel
430s
max time network
443s
platform
windows10-2004_x64
resource
win10v2004-20230915-ja
resource tags

arch:x64arch:x86image:win10v2004-20230915-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
19-10-2023 11:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NirCMD 2.8.1/Скриншот hl2.exe.bat
Size

941B
MD5

d27cfeabdff3e1dfda4d57473e4b8f0a
SHA1

a9104297d2f43e9165ed0aa30c08c0278ae45052
SHA256

5445407d7ef11995daba416811c2c973a31e57fee778f40a3903199a0675b9cb
SHA512

23f040f038e1854f21b9ee0ea0fa74edf2d096ecf4906be6d308e1017dd7d1bae30797f35b1a0b10da2d22bdc7a08022f5cf39c822600249cbc661e5905f5830

Score

9^/10

upx

Malware Config

Signatures

Nirsoft 3 IoCs

resource	yara_rule
behavioral11/memory/2640-1-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral11/memory/4488-4-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral11/memory/4612-14-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral11/memory/2640-0-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral11/memory/2640-1-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral11/memory/4488-4-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral11/memory/4612-14-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral11/memory/4336-20-0x0000000000400000-0x000000000041B000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4480 wrote to memory of 2640	4480	cmd.exe	84
PID 4480 wrote to memory of 2640	4480	cmd.exe	84
PID 4480 wrote to memory of 2640	4480	cmd.exe	84
PID 4480 wrote to memory of 3172	4480	cmd.exe	85
PID 4480 wrote to memory of 3172	4480	cmd.exe	85
PID 4480 wrote to memory of 3172	4480	cmd.exe	85
PID 4480 wrote to memory of 1872	4480	cmd.exe	86
PID 4480 wrote to memory of 1872	4480	cmd.exe	86
PID 4480 wrote to memory of 1872	4480	cmd.exe	86
PID 4480 wrote to memory of 4488	4480	cmd.exe	87
PID 4480 wrote to memory of 4488	4480	cmd.exe	87
PID 4480 wrote to memory of 4488	4480	cmd.exe	87
PID 4480 wrote to memory of 3712	4480	cmd.exe	88
PID 4480 wrote to memory of 3712	4480	cmd.exe	88
PID 4480 wrote to memory of 3712	4480	cmd.exe	88
PID 4480 wrote to memory of 3736	4480	cmd.exe	89
PID 4480 wrote to memory of 3736	4480	cmd.exe	89
PID 4480 wrote to memory of 3736	4480	cmd.exe	89
PID 4480 wrote to memory of 3020	4480	cmd.exe	90
PID 4480 wrote to memory of 3020	4480	cmd.exe	90
PID 4480 wrote to memory of 3020	4480	cmd.exe	90
PID 4480 wrote to memory of 1752	4480	cmd.exe	92
PID 4480 wrote to memory of 1752	4480	cmd.exe	92
PID 4480 wrote to memory of 1752	4480	cmd.exe	92
PID 4480 wrote to memory of 4316	4480	cmd.exe	93
PID 4480 wrote to memory of 4316	4480	cmd.exe	93
PID 4480 wrote to memory of 4316	4480	cmd.exe	93
PID 4480 wrote to memory of 1692	4480	cmd.exe	94
PID 4480 wrote to memory of 1692	4480	cmd.exe	94
PID 4480 wrote to memory of 1692	4480	cmd.exe	94
PID 4480 wrote to memory of 2844	4480	cmd.exe	95
PID 4480 wrote to memory of 2844	4480	cmd.exe	95
PID 4480 wrote to memory of 2844	4480	cmd.exe	95
PID 4480 wrote to memory of 3948	4480	cmd.exe	96
PID 4480 wrote to memory of 3948	4480	cmd.exe	96
PID 4480 wrote to memory of 3948	4480	cmd.exe	96
PID 4480 wrote to memory of 4612	4480	cmd.exe	97
PID 4480 wrote to memory of 4612	4480	cmd.exe	97
PID 4480 wrote to memory of 4612	4480	cmd.exe	97
PID 4480 wrote to memory of 3728	4480	cmd.exe	100
PID 4480 wrote to memory of 3728	4480	cmd.exe	100
PID 4480 wrote to memory of 3728	4480	cmd.exe	100
PID 4480 wrote to memory of 4396	4480	cmd.exe	103
PID 4480 wrote to memory of 4396	4480	cmd.exe	103
PID 4480 wrote to memory of 4396	4480	cmd.exe	103
PID 4480 wrote to memory of 4128	4480	cmd.exe	104
PID 4480 wrote to memory of 4128	4480	cmd.exe	104
PID 4480 wrote to memory of 4128	4480	cmd.exe	104
PID 4480 wrote to memory of 4504	4480	cmd.exe	105
PID 4480 wrote to memory of 4504	4480	cmd.exe	105
PID 4480 wrote to memory of 4504	4480	cmd.exe	105
PID 4480 wrote to memory of 1596	4480	cmd.exe	106
PID 4480 wrote to memory of 1596	4480	cmd.exe	106
PID 4480 wrote to memory of 1596	4480	cmd.exe	106
PID 4480 wrote to memory of 4336	4480	cmd.exe	107
PID 4480 wrote to memory of 4336	4480	cmd.exe	107
PID 4480 wrote to memory of 4336	4480	cmd.exe	107
PID 4480 wrote to memory of 3192	4480	cmd.exe	108
PID 4480 wrote to memory of 3192	4480	cmd.exe	108
PID 4480 wrote to memory of 3192	4480	cmd.exe	108
PID 4480 wrote to memory of 4004	4480	cmd.exe	109
PID 4480 wrote to memory of 4004	4480	cmd.exe	109
PID 4480 wrote to memory of 4004	4480	cmd.exe	109
PID 4480 wrote to memory of 2776	4480	cmd.exe	110

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NirCMD 2.8.1\Скриншот hl2.exe.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4480
- C:\Users\Admin\AppData\Local\Temp\NirCMD 2.8.1\nircmd.exe
  nircmd.exe win activate title "Counter-Strike Source"
  2⤵
  PID:2640
- C:\Users\Admin\AppData\Local\Temp\NirCMD 2.8.1\nircmd.exe
  nircmd.exe win settopmost title "Counter-Strike Source" 1
  2⤵
  PID:3172
- C:\Users\Admin\AppData\Local\Temp\NirCMD 2.8.1\nircmd.exe
  nircmd.exe wait 25
  2⤵
  PID:1872
- C:\Users\Admin\AppData\Local\Temp\NirCMD 2.8.1\nircmd.exe
  nircmd.exe sendkey alt down
  2⤵
  PID:4488
- C:\Users\Admin\AppData\Local\Temp\NirCMD 2.8.1\nircmd.exe
  nircmd.exe sendkey tab down
  2⤵
  PID:3712
- C:\Users\Admin\AppData\Local\Temp\NirCMD 2.8.1\nircmd.exe
  nircmd.exe sendkey alt up
  2⤵
  PID:3736
- C:\Users\Admin\AppData\Local\Temp\NirCMD 2.8.1\nircmd.exe
  nircmd.exe sendkey tab up
  2⤵
  PID:3020
- C:\Users\Admin\AppData\Local\Temp\NirCMD 2.8.1\nircmd.exe
  nircmd.exe wait 25
  2⤵
  PID:1752
- C:\Users\Admin\AppData\Local\Temp\NirCMD 2.8.1\nircmd.exe
  nircmd.exe sendkey alt down
  2⤵
  PID:4316
- C:\Users\Admin\AppData\Local\Temp\NirCMD 2.8.1\nircmd.exe
  nircmd.exe sendkey tab down
  2⤵
  PID:1692
- C:\Users\Admin\AppData\Local\Temp\NirCMD 2.8.1\nircmd.exe
  nircmd.exe sendkey alt up
  2⤵
  PID:2844
- C:\Users\Admin\AppData\Local\Temp\NirCMD 2.8.1\nircmd.exe
  nircmd.exe sendkey tab up
  2⤵
  PID:3948
- C:\Users\Admin\AppData\Local\Temp\NirCMD 2.8.1\nircmd.exe
  nircmd.exe monitor off
  2⤵
  PID:4612
- C:\Users\Admin\AppData\Local\Temp\NirCMD 2.8.1\nircmd.exe
  nircmd.exe beep 5000 2000
  2⤵
  PID:3728
- C:\Users\Admin\AppData\Local\Temp\NirCMD 2.8.1\nircmd.exe
  nircmd.exe sendkey delete press
  2⤵
  PID:4396
- C:\Users\Admin\AppData\Local\Temp\NirCMD 2.8.1\nircmd.exe
  nircmd.exe sendkey insert press
  2⤵
  PID:4128
- C:\Users\Admin\AppData\Local\Temp\NirCMD 2.8.1\nircmd.exe
  nircmd.exe wait 10
  2⤵
  PID:4504
- C:\Users\Admin\AppData\Local\Temp\NirCMD 2.8.1\nircmd.exe
  nircmd.exe monitor off
  2⤵
  PID:1596
- C:\Users\Admin\AppData\Local\Temp\NirCMD 2.8.1\nircmd.exe
  nircmd.exe savescreenshot "SMIJWJMH#Admin_CSS_Screenshot.jpg"
  2⤵
  PID:4336
- C:\Users\Admin\AppData\Local\Temp\NirCMD 2.8.1\nircmd.exe
  nircmd.exe wait 10
  2⤵
  PID:3192
- C:\Users\Admin\AppData\Local\Temp\NirCMD 2.8.1\nircmd.exe
  nircmd.exe sendkey insert press
  2⤵
  PID:4004
- C:\Users\Admin\AppData\Local\Temp\NirCMD 2.8.1\nircmd.exe
  nircmd.exe monitor on
  2⤵
  PID:2776
- C:\Users\Admin\AppData\Local\Temp\NirCMD 2.8.1\nircmd.exe
  nircmd.exe win min title "Counter-Strike Source"
  2⤵
  PID:3480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2640-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2640-1-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4336-20-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4488-4-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4612-14-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download