a973c4d0fc1dcbae8cd7084d4a2d506927a3a78cc1a8ff0bfb8543e184de2101

Analysis

max time kernel
150s
max time network
146s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
30/10/2023, 06:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a973c4d0fc1dcbae8cd7084d4a2d506927a3a78cc1a8ff0bfb8543e184de2101.exe
Size

6.3MB
MD5

c36cf82ca015ba10374c92e7a05ad09b
SHA1

486fa5709521742297153ce195a379d786d8b54a
SHA256

a973c4d0fc1dcbae8cd7084d4a2d506927a3a78cc1a8ff0bfb8543e184de2101
SHA512

7da1c7d12c64ab695a0268e1cd9b1fde86bd8ef76e74f9d44c717f8d0f2c6e5dacab9bc88bc07098d3c2666825d6f51d3e51d5425c8daa53ad12838a3cc0d8e5
SSDEEP

49152:sHAL0rqy4fB7tBisZHoOb3TFZPdBA+MIRGK517Kp0DQ9ZzFnQBptZnNs4T3Bet2y:3J1I4fBJHRf5EWD48B/1x1qbBCX7Dc

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2868	jDkcJ8Ta.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000b00000001210d-6.dat	upx
behavioral1/memory/2868-7-0x0000000000400000-0x0000000000558000-memory.dmp	upx
behavioral1/memory/2868-45-0x0000000000400000-0x0000000000558000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2392	a973c4d0fc1dcbae8cd7084d4a2d506927a3a78cc1a8ff0bfb8543e184de2101.exe
2392	a973c4d0fc1dcbae8cd7084d4a2d506927a3a78cc1a8ff0bfb8543e184de2101.exe
2868	jDkcJ8Ta.exe
2868	jDkcJ8Ta.exe
2868	jDkcJ8Ta.exe
2868	jDkcJ8Ta.exe
2868	jDkcJ8Ta.exe
2868	jDkcJ8Ta.exe
2868	jDkcJ8Ta.exe
2868	jDkcJ8Ta.exe
2868	jDkcJ8Ta.exe
2868	jDkcJ8Ta.exe
2868	jDkcJ8Ta.exe
2868	jDkcJ8Ta.exe
2868	jDkcJ8Ta.exe
2868	jDkcJ8Ta.exe
2868	jDkcJ8Ta.exe
2868	jDkcJ8Ta.exe
2868	jDkcJ8Ta.exe
2868	jDkcJ8Ta.exe
2868	jDkcJ8Ta.exe
2868	jDkcJ8Ta.exe
2868	jDkcJ8Ta.exe
2868	jDkcJ8Ta.exe
2868	jDkcJ8Ta.exe
2868	jDkcJ8Ta.exe
2868	jDkcJ8Ta.exe
2868	jDkcJ8Ta.exe
2868	jDkcJ8Ta.exe
2868	jDkcJ8Ta.exe
2868	jDkcJ8Ta.exe
2868	jDkcJ8Ta.exe
2868	jDkcJ8Ta.exe
2868	jDkcJ8Ta.exe
2868	jDkcJ8Ta.exe
2868	jDkcJ8Ta.exe
2868	jDkcJ8Ta.exe
2868	jDkcJ8Ta.exe
2868	jDkcJ8Ta.exe
2868	jDkcJ8Ta.exe
2868	jDkcJ8Ta.exe
2868	jDkcJ8Ta.exe
2868	jDkcJ8Ta.exe
2868	jDkcJ8Ta.exe
2868	jDkcJ8Ta.exe
2868	jDkcJ8Ta.exe
2868	jDkcJ8Ta.exe
2868	jDkcJ8Ta.exe
2868	jDkcJ8Ta.exe
2868	jDkcJ8Ta.exe
2868	jDkcJ8Ta.exe
2868	jDkcJ8Ta.exe
2868	jDkcJ8Ta.exe
2868	jDkcJ8Ta.exe
2868	jDkcJ8Ta.exe
2868	jDkcJ8Ta.exe
2868	jDkcJ8Ta.exe
2868	jDkcJ8Ta.exe
2868	jDkcJ8Ta.exe
2868	jDkcJ8Ta.exe
2868	jDkcJ8Ta.exe
2868	jDkcJ8Ta.exe
2868	jDkcJ8Ta.exe
2868	jDkcJ8Ta.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2868	jDkcJ8Ta.exe
2868	jDkcJ8Ta.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 2868	2392	a973c4d0fc1dcbae8cd7084d4a2d506927a3a78cc1a8ff0bfb8543e184de2101.exe	28
PID 2392 wrote to memory of 2868	2392	a973c4d0fc1dcbae8cd7084d4a2d506927a3a78cc1a8ff0bfb8543e184de2101.exe	28
PID 2392 wrote to memory of 2868	2392	a973c4d0fc1dcbae8cd7084d4a2d506927a3a78cc1a8ff0bfb8543e184de2101.exe	28
PID 2392 wrote to memory of 2868	2392	a973c4d0fc1dcbae8cd7084d4a2d506927a3a78cc1a8ff0bfb8543e184de2101.exe	28
PID 2392 wrote to memory of 2868	2392	a973c4d0fc1dcbae8cd7084d4a2d506927a3a78cc1a8ff0bfb8543e184de2101.exe	28
PID 2392 wrote to memory of 2868	2392	a973c4d0fc1dcbae8cd7084d4a2d506927a3a78cc1a8ff0bfb8543e184de2101.exe	28
PID 2392 wrote to memory of 2868	2392	a973c4d0fc1dcbae8cd7084d4a2d506927a3a78cc1a8ff0bfb8543e184de2101.exe	28
PID 2868 wrote to memory of 2604	2868	jDkcJ8Ta.exe	29
PID 2868 wrote to memory of 2604	2868	jDkcJ8Ta.exe	29
PID 2868 wrote to memory of 2604	2868	jDkcJ8Ta.exe	29
PID 2868 wrote to memory of 2604	2868	jDkcJ8Ta.exe	29

C:\Users\Admin\AppData\Local\Temp\a973c4d0fc1dcbae8cd7084d4a2d506927a3a78cc1a8ff0bfb8543e184de2101.exe
"C:\Users\Admin\AppData\Local\Temp\a973c4d0fc1dcbae8cd7084d4a2d506927a3a78cc1a8ff0bfb8543e184de2101.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Users\Public\Downloads\Q8VVodHH\jDkcJ8Ta.exe
  "C:\Users\Public\Downloads\Q8VVodHH\jDkcJ8Ta.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c echo.>c:\xxxx.ini
    3⤵
    PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_ir_tu2_temp_0\IRIMG3.JPG

Filesize
6KB

MD5
e39405e85e09f64ccde0f59392317dd3

SHA1
9c76db4b3d8c7972e7995ecfb1e3c47ee94fd14b

SHA256
cfd9677e1c0e10b1507f520c4ecd40f68db78154c0d4e6563403d540f3bf829f

SHA512
6733f330145b48d23c023c664090f4f240e9bbeb8368b486c8ee8682ec6a930b73275e24075648d1aa7e01db1ec7b7e259286917a006ba9af8fb7cba3439070a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_tu2_temp_0\IRIMG4.JPG

Filesize
36KB

MD5
f6bf82a293b69aa5b47d4e2de305d45a

SHA1
4948716616d4bbe68be2b4c5bf95350402d3f96f

SHA256
6a9368cdd7b3ff9b590e206c3536569bc45c338966d0059784959f73fe6281e0

SHA512
edf0f3ee60a620cf886184c1014f38d0505aac9e3703d61d7074cfb27d6922f80e570d1a3891593606a09f1296a88c8770445761c11c390a99a5341ee56478aa

Download Submit
C:\Users\Public\Downloads\Q8VVodHH\Edge.jpg

Filesize
358KB

MD5
7e935603d4e2018ade112538255db3ab

SHA1
e6df27d495f53dc93374c0bc1eb1cb7d0599e442

SHA256
663fb53fba961773cd58ccd903d476a690d5207fc4e7d069a6418671981ecf4e

SHA512
99a00d7688ba9eabb31cca967c2f0b581bb7971d59ca96a3eb6a041372da27281267b7dc84d3d936f65b0e2247aa253ebd4c413afc5a95cfab6f37ff8365d331

Download Submit
C:\Users\Public\Downloads\Q8VVodHH\edge.xml

Filesize
53KB

MD5
fc8d1e583c97fdbee707332c651b2074

SHA1
37c586f0c5cd93adc67dc61856b33f03f97938d0

SHA256
c3144acb3d474c739a64806de52b7514f945784563af9ee395e2c104f7964c3f

SHA512
46699d0de5e10587250f3fad3454edb4efc92167c026aa19d064d7c002c8a4bd0363013aabba9c467d05e7bfd42dfaa489f72b937d0eaeacaf3aff1a9eab3be4

Download Submit
C:\Users\Public\Downloads\Q8VVodHH\jDkcJ8Ta.dat

Filesize
132KB

MD5
95a6dd529a4c2929e304b6fb6f898e5b

SHA1
b988d01c3176fb61f4ea9159e52d82916efc4295

SHA256
7b13204e0cbd82b9f2a5f63dd1c61d7d7f75415f38eed87f4b1b5231a882561f

SHA512
db5ef3015e404a8b4b9c06c3c51087bb82e2581ee025713a0bbf18de46bd0a0a30e29fc0cb470ceaa077645bd4daef44f6a6dc656f6da524a335b3ed03fb57b2

Download Submit
C:\Users\Public\Downloads\Q8VVodHH\jDkcJ8Ta.exe

Filesize
529KB

MD5
49d595ab380b7c7a4cd6916eeb4dfe6f

SHA1
b84649fce92cc0e7a4d25599cc15ffaf312edc0b

SHA256
207d856a56e97f2fdab243742f0cfcd1ba8b5814dc65b3798e54d022ce719661

SHA512
d00ed0d9baae96ccbaf1262b4a4aaf4468e4ace6cebcea81e74d830bf414d9bc61068b8fb0eefa742add14aec47284f3adc11be26c8b8d66bfae4c498f2a4110

Download Submit
memory/2868-7-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/2868-29-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/2868-31-0x0000000000880000-0x0000000000892000-memory.dmp

Filesize
72KB

Download
memory/2868-34-0x0000000010000000-0x0000000010061000-memory.dmp

Filesize
388KB

Download
memory/2868-45-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download