4051d791566f289683ee377effd774a80b7eb2b251e604e3eeabf923d75c0c98

Resubmissions

19-10-2023 11:09

231019-m9hf6agh68 10

Analysis

max time kernel
401s
max time network
417s
platform
windows10-2004_x64
resource
win10v2004-20230915-ja
resource tags

arch:x64arch:x86image:win10v2004-20230915-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
19-10-2023 11:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NirCMD 2.8.1/Скриншот ucp.exe.bat
Size

945B
MD5

1da47c1fa8903e1af2cbea2190f32b7a
SHA1

eeb9ad2dac3697bd92b38398ab0c7c320456bb41
SHA256

62ef08bf3ff8ad148db0167cb0c301b154b540e5bd794e01c74d70649dbcc2b2
SHA512

69a0249b0b7f07b4e5178f4f883bccee76ab992310a8dbb98b7168f5d27f0876c7c95c1421e622cd43be61a9438baf8ea60ca9e8e21abe68a6e18c44c197e73c

Score

9^/10

upx

Malware Config

Signatures

Nirsoft 2 IoCs

resource	yara_rule
behavioral12/memory/3144-1-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral12/memory/2812-13-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral12/memory/3144-0-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral12/memory/3144-1-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral12/memory/2812-13-0x0000000000400000-0x000000000041B000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 3144	2408	cmd.exe	84
PID 2408 wrote to memory of 3144	2408	cmd.exe	84
PID 2408 wrote to memory of 3144	2408	cmd.exe	84
PID 2408 wrote to memory of 2084	2408	cmd.exe	85
PID 2408 wrote to memory of 2084	2408	cmd.exe	85
PID 2408 wrote to memory of 2084	2408	cmd.exe	85
PID 2408 wrote to memory of 1564	2408	cmd.exe	86
PID 2408 wrote to memory of 1564	2408	cmd.exe	86
PID 2408 wrote to memory of 1564	2408	cmd.exe	86
PID 2408 wrote to memory of 3624	2408	cmd.exe	87
PID 2408 wrote to memory of 3624	2408	cmd.exe	87
PID 2408 wrote to memory of 3624	2408	cmd.exe	87
PID 2408 wrote to memory of 3804	2408	cmd.exe	88
PID 2408 wrote to memory of 3804	2408	cmd.exe	88
PID 2408 wrote to memory of 3804	2408	cmd.exe	88
PID 2408 wrote to memory of 1420	2408	cmd.exe	90
PID 2408 wrote to memory of 1420	2408	cmd.exe	90
PID 2408 wrote to memory of 1420	2408	cmd.exe	90
PID 2408 wrote to memory of 2988	2408	cmd.exe	91
PID 2408 wrote to memory of 2988	2408	cmd.exe	91
PID 2408 wrote to memory of 2988	2408	cmd.exe	91
PID 2408 wrote to memory of 4188	2408	cmd.exe	92
PID 2408 wrote to memory of 4188	2408	cmd.exe	92
PID 2408 wrote to memory of 4188	2408	cmd.exe	92
PID 2408 wrote to memory of 2488	2408	cmd.exe	93
PID 2408 wrote to memory of 2488	2408	cmd.exe	93
PID 2408 wrote to memory of 2488	2408	cmd.exe	93
PID 2408 wrote to memory of 5108	2408	cmd.exe	94
PID 2408 wrote to memory of 5108	2408	cmd.exe	94
PID 2408 wrote to memory of 5108	2408	cmd.exe	94
PID 2408 wrote to memory of 1964	2408	cmd.exe	95
PID 2408 wrote to memory of 1964	2408	cmd.exe	95
PID 2408 wrote to memory of 1964	2408	cmd.exe	95
PID 2408 wrote to memory of 2532	2408	cmd.exe	96
PID 2408 wrote to memory of 2532	2408	cmd.exe	96
PID 2408 wrote to memory of 2532	2408	cmd.exe	96
PID 2408 wrote to memory of 2812	2408	cmd.exe	97
PID 2408 wrote to memory of 2812	2408	cmd.exe	97
PID 2408 wrote to memory of 2812	2408	cmd.exe	97
PID 2408 wrote to memory of 4800	2408	cmd.exe	98
PID 2408 wrote to memory of 4800	2408	cmd.exe	98
PID 2408 wrote to memory of 4800	2408	cmd.exe	98
PID 2408 wrote to memory of 4816	2408	cmd.exe	100
PID 2408 wrote to memory of 4816	2408	cmd.exe	100
PID 2408 wrote to memory of 4816	2408	cmd.exe	100
PID 2408 wrote to memory of 4672	2408	cmd.exe	101
PID 2408 wrote to memory of 4672	2408	cmd.exe	101
PID 2408 wrote to memory of 4672	2408	cmd.exe	101
PID 2408 wrote to memory of 1676	2408	cmd.exe	102
PID 2408 wrote to memory of 1676	2408	cmd.exe	102
PID 2408 wrote to memory of 1676	2408	cmd.exe	102
PID 2408 wrote to memory of 336	2408	cmd.exe	103
PID 2408 wrote to memory of 336	2408	cmd.exe	103
PID 2408 wrote to memory of 336	2408	cmd.exe	103
PID 2408 wrote to memory of 4168	2408	cmd.exe	104
PID 2408 wrote to memory of 4168	2408	cmd.exe	104
PID 2408 wrote to memory of 4168	2408	cmd.exe	104
PID 2408 wrote to memory of 4196	2408	cmd.exe	105
PID 2408 wrote to memory of 4196	2408	cmd.exe	105
PID 2408 wrote to memory of 4196	2408	cmd.exe	105
PID 2408 wrote to memory of 3668	2408	cmd.exe	106
PID 2408 wrote to memory of 3668	2408	cmd.exe	106
PID 2408 wrote to memory of 3668	2408	cmd.exe	106
PID 2408 wrote to memory of 3712	2408	cmd.exe	107

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NirCMD 2.8.1\Скриншот ucp.exe.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Users\Admin\AppData\Local\Temp\NirCMD 2.8.1\nircmd.exe
  nircmd.exe win activate title "Counter-Strike Source"
  2⤵
  PID:3144
- C:\Users\Admin\AppData\Local\Temp\NirCMD 2.8.1\nircmd.exe
  nircmd.exe win settopmost title "Counter-Strike Source" 1
  2⤵
  PID:2084
- C:\Users\Admin\AppData\Local\Temp\NirCMD 2.8.1\nircmd.exe
  nircmd.exe wait 25
  2⤵
  PID:1564
- C:\Users\Admin\AppData\Local\Temp\NirCMD 2.8.1\nircmd.exe
  nircmd.exe sendkey alt down
  2⤵
  PID:3624
- C:\Users\Admin\AppData\Local\Temp\NirCMD 2.8.1\nircmd.exe
  nircmd.exe sendkey tab down
  2⤵
  PID:3804
- C:\Users\Admin\AppData\Local\Temp\NirCMD 2.8.1\nircmd.exe
  nircmd.exe sendkey alt up
  2⤵
  PID:1420
- C:\Users\Admin\AppData\Local\Temp\NirCMD 2.8.1\nircmd.exe
  nircmd.exe sendkey tab up
  2⤵
  PID:2988
- C:\Users\Admin\AppData\Local\Temp\NirCMD 2.8.1\nircmd.exe
  nircmd.exe wait 25
  2⤵
  PID:4188
- C:\Users\Admin\AppData\Local\Temp\NirCMD 2.8.1\nircmd.exe
  nircmd.exe sendkey alt down
  2⤵
  PID:2488
- C:\Users\Admin\AppData\Local\Temp\NirCMD 2.8.1\nircmd.exe
  nircmd.exe sendkey tab down
  2⤵
  PID:5108
- C:\Users\Admin\AppData\Local\Temp\NirCMD 2.8.1\nircmd.exe
  nircmd.exe sendkey alt up
  2⤵
  PID:1964
- C:\Users\Admin\AppData\Local\Temp\NirCMD 2.8.1\nircmd.exe
  nircmd.exe sendkey tab up
  2⤵
  PID:2532
- C:\Users\Admin\AppData\Local\Temp\NirCMD 2.8.1\nircmd.exe
  nircmd.exe monitor off
  2⤵
  PID:2812
- C:\Users\Admin\AppData\Local\Temp\NirCMD 2.8.1\nircmd.exe
  nircmd.exe beep 5000 2000
  2⤵
  PID:4800
- C:\Users\Admin\AppData\Local\Temp\NirCMD 2.8.1\nircmd.exe
  nircmd.exe sendkey delete press
  2⤵
  PID:4816
- C:\Users\Admin\AppData\Local\Temp\NirCMD 2.8.1\nircmd.exe
  nircmd.exe sendkey insert press
  2⤵
  PID:4672
- C:\Users\Admin\AppData\Local\Temp\NirCMD 2.8.1\nircmd.exe
  nircmd.exe wait 10
  2⤵
  PID:1676
- C:\Users\Admin\AppData\Local\Temp\NirCMD 2.8.1\nircmd.exe
  nircmd.exe monitor off
  2⤵
  PID:336
- C:\Users\Admin\AppData\Local\Temp\NirCMD 2.8.1\nircmd.exe
  nircmd.exe savescreenshot "BQNDLEKG#Admin_CSS-UCP_Screenshot.jpg"
  2⤵
  PID:4168
- C:\Users\Admin\AppData\Local\Temp\NirCMD 2.8.1\nircmd.exe
  nircmd.exe wait 10
  2⤵
  PID:4196
- C:\Users\Admin\AppData\Local\Temp\NirCMD 2.8.1\nircmd.exe
  nircmd.exe sendkey insert press
  2⤵
  PID:3668
- C:\Users\Admin\AppData\Local\Temp\NirCMD 2.8.1\nircmd.exe
  nircmd.exe monitor on
  2⤵
  PID:3712
- C:\Users\Admin\AppData\Local\Temp\NirCMD 2.8.1\nircmd.exe
  nircmd.exe win min title "Counter-Strike Source"
  2⤵
  PID:1432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2812-13-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3144-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3144-1-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download