72b81d4fceb44127660175f6b101b98ca91cfd74d09317b8985886ebe1cc0104

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
12-11-2023 02:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

72b81d4fceb44127660175f6b101b98ca91cfd74d09317b8985886ebe1cc0104.exe
Size

10.0MB
MD5

858f4c3efd608c3a87d1533791cfbf40
SHA1

1264bc5b1cbc568c5ef2e84a5e4515292273430e
SHA256

72b81d4fceb44127660175f6b101b98ca91cfd74d09317b8985886ebe1cc0104
SHA512

03d723ced9f3efdd6dc82368be1a12d5ce853091837a09c6f2767ccb1908d483ec70746745f43195819ed050bfdad7536041888cd9b78aec8022cdcdd6169f73
SSDEEP

196608:Ango4nrdg43DZ3Eu8iUr8OhQfZmROup8gBVtn2j6Cjo3kzXfwQRF2:+SnpgUUuwtwZE8gBqj6Co0IN

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1112	schtasks.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
2120	72b81d4fceb44127660175f6b101b98ca91cfd74d09317b8985886ebe1cc0104.exe
2120	72b81d4fceb44127660175f6b101b98ca91cfd74d09317b8985886ebe1cc0104.exe
2120	72b81d4fceb44127660175f6b101b98ca91cfd74d09317b8985886ebe1cc0104.exe
2120	72b81d4fceb44127660175f6b101b98ca91cfd74d09317b8985886ebe1cc0104.exe
2120	72b81d4fceb44127660175f6b101b98ca91cfd74d09317b8985886ebe1cc0104.exe
2120	72b81d4fceb44127660175f6b101b98ca91cfd74d09317b8985886ebe1cc0104.exe
2120	72b81d4fceb44127660175f6b101b98ca91cfd74d09317b8985886ebe1cc0104.exe
2120	72b81d4fceb44127660175f6b101b98ca91cfd74d09317b8985886ebe1cc0104.exe
2120	72b81d4fceb44127660175f6b101b98ca91cfd74d09317b8985886ebe1cc0104.exe
2120	72b81d4fceb44127660175f6b101b98ca91cfd74d09317b8985886ebe1cc0104.exe
2120	72b81d4fceb44127660175f6b101b98ca91cfd74d09317b8985886ebe1cc0104.exe
2120	72b81d4fceb44127660175f6b101b98ca91cfd74d09317b8985886ebe1cc0104.exe
2120	72b81d4fceb44127660175f6b101b98ca91cfd74d09317b8985886ebe1cc0104.exe
2120	72b81d4fceb44127660175f6b101b98ca91cfd74d09317b8985886ebe1cc0104.exe
2120	72b81d4fceb44127660175f6b101b98ca91cfd74d09317b8985886ebe1cc0104.exe
2120	72b81d4fceb44127660175f6b101b98ca91cfd74d09317b8985886ebe1cc0104.exe
2120	72b81d4fceb44127660175f6b101b98ca91cfd74d09317b8985886ebe1cc0104.exe
2120	72b81d4fceb44127660175f6b101b98ca91cfd74d09317b8985886ebe1cc0104.exe
2120	72b81d4fceb44127660175f6b101b98ca91cfd74d09317b8985886ebe1cc0104.exe
2120	72b81d4fceb44127660175f6b101b98ca91cfd74d09317b8985886ebe1cc0104.exe
2120	72b81d4fceb44127660175f6b101b98ca91cfd74d09317b8985886ebe1cc0104.exe
2120	72b81d4fceb44127660175f6b101b98ca91cfd74d09317b8985886ebe1cc0104.exe
2120	72b81d4fceb44127660175f6b101b98ca91cfd74d09317b8985886ebe1cc0104.exe
2120	72b81d4fceb44127660175f6b101b98ca91cfd74d09317b8985886ebe1cc0104.exe
2120	72b81d4fceb44127660175f6b101b98ca91cfd74d09317b8985886ebe1cc0104.exe
2120	72b81d4fceb44127660175f6b101b98ca91cfd74d09317b8985886ebe1cc0104.exe
2120	72b81d4fceb44127660175f6b101b98ca91cfd74d09317b8985886ebe1cc0104.exe
2120	72b81d4fceb44127660175f6b101b98ca91cfd74d09317b8985886ebe1cc0104.exe
2120	72b81d4fceb44127660175f6b101b98ca91cfd74d09317b8985886ebe1cc0104.exe
2120	72b81d4fceb44127660175f6b101b98ca91cfd74d09317b8985886ebe1cc0104.exe
2120	72b81d4fceb44127660175f6b101b98ca91cfd74d09317b8985886ebe1cc0104.exe
2120	72b81d4fceb44127660175f6b101b98ca91cfd74d09317b8985886ebe1cc0104.exe
2120	72b81d4fceb44127660175f6b101b98ca91cfd74d09317b8985886ebe1cc0104.exe
2120	72b81d4fceb44127660175f6b101b98ca91cfd74d09317b8985886ebe1cc0104.exe
2120	72b81d4fceb44127660175f6b101b98ca91cfd74d09317b8985886ebe1cc0104.exe
2120	72b81d4fceb44127660175f6b101b98ca91cfd74d09317b8985886ebe1cc0104.exe
2120	72b81d4fceb44127660175f6b101b98ca91cfd74d09317b8985886ebe1cc0104.exe
2120	72b81d4fceb44127660175f6b101b98ca91cfd74d09317b8985886ebe1cc0104.exe
2120	72b81d4fceb44127660175f6b101b98ca91cfd74d09317b8985886ebe1cc0104.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2120	72b81d4fceb44127660175f6b101b98ca91cfd74d09317b8985886ebe1cc0104.exe
2120	72b81d4fceb44127660175f6b101b98ca91cfd74d09317b8985886ebe1cc0104.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 2120 wrote to memory of 1420	2120	72b81d4fceb44127660175f6b101b98ca91cfd74d09317b8985886ebe1cc0104.exe	28
PID 2120 wrote to memory of 1420	2120	72b81d4fceb44127660175f6b101b98ca91cfd74d09317b8985886ebe1cc0104.exe	28
PID 2120 wrote to memory of 1420	2120	72b81d4fceb44127660175f6b101b98ca91cfd74d09317b8985886ebe1cc0104.exe	28
PID 2120 wrote to memory of 1420	2120	72b81d4fceb44127660175f6b101b98ca91cfd74d09317b8985886ebe1cc0104.exe	28
PID 1420 wrote to memory of 2444	1420	cmd.exe	30
PID 1420 wrote to memory of 2444	1420	cmd.exe	30
PID 1420 wrote to memory of 2444	1420	cmd.exe	30
PID 2120 wrote to memory of 2432	2120	72b81d4fceb44127660175f6b101b98ca91cfd74d09317b8985886ebe1cc0104.exe	31
PID 2120 wrote to memory of 2432	2120	72b81d4fceb44127660175f6b101b98ca91cfd74d09317b8985886ebe1cc0104.exe	31
PID 2120 wrote to memory of 2432	2120	72b81d4fceb44127660175f6b101b98ca91cfd74d09317b8985886ebe1cc0104.exe	31
PID 2120 wrote to memory of 2432	2120	72b81d4fceb44127660175f6b101b98ca91cfd74d09317b8985886ebe1cc0104.exe	31
PID 2432 wrote to memory of 1112	2432	cmd.exe	33
PID 2432 wrote to memory of 1112	2432	cmd.exe	33
PID 2432 wrote to memory of 1112	2432	cmd.exe	33
PID 2120 wrote to memory of 1744	2120	72b81d4fceb44127660175f6b101b98ca91cfd74d09317b8985886ebe1cc0104.exe	34
PID 2120 wrote to memory of 1744	2120	72b81d4fceb44127660175f6b101b98ca91cfd74d09317b8985886ebe1cc0104.exe	34
PID 2120 wrote to memory of 1744	2120	72b81d4fceb44127660175f6b101b98ca91cfd74d09317b8985886ebe1cc0104.exe	34
PID 2120 wrote to memory of 1744	2120	72b81d4fceb44127660175f6b101b98ca91cfd74d09317b8985886ebe1cc0104.exe	34
PID 1744 wrote to memory of 2744	1744	cmd.exe	36
PID 1744 wrote to memory of 2744	1744	cmd.exe	36
PID 1744 wrote to memory of 2744	1744	cmd.exe	36
PID 2120 wrote to memory of 2864	2120	72b81d4fceb44127660175f6b101b98ca91cfd74d09317b8985886ebe1cc0104.exe	37
PID 2120 wrote to memory of 2864	2120	72b81d4fceb44127660175f6b101b98ca91cfd74d09317b8985886ebe1cc0104.exe	37
PID 2120 wrote to memory of 2864	2120	72b81d4fceb44127660175f6b101b98ca91cfd74d09317b8985886ebe1cc0104.exe	37
PID 2120 wrote to memory of 2864	2120	72b81d4fceb44127660175f6b101b98ca91cfd74d09317b8985886ebe1cc0104.exe	37
PID 2864 wrote to memory of 2972	2864	cmd.exe	39
PID 2864 wrote to memory of 2972	2864	cmd.exe	39
PID 2864 wrote to memory of 2972	2864	cmd.exe	39
PID 2120 wrote to memory of 2756	2120	72b81d4fceb44127660175f6b101b98ca91cfd74d09317b8985886ebe1cc0104.exe	40
PID 2120 wrote to memory of 2756	2120	72b81d4fceb44127660175f6b101b98ca91cfd74d09317b8985886ebe1cc0104.exe	40
PID 2120 wrote to memory of 2756	2120	72b81d4fceb44127660175f6b101b98ca91cfd74d09317b8985886ebe1cc0104.exe	40
PID 2120 wrote to memory of 2756	2120	72b81d4fceb44127660175f6b101b98ca91cfd74d09317b8985886ebe1cc0104.exe	40
PID 2756 wrote to memory of 2960	2756	cmd.exe	42
PID 2756 wrote to memory of 2960	2756	cmd.exe	42
PID 2756 wrote to memory of 2960	2756	cmd.exe	42

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\72b81d4fceb44127660175f6b101b98ca91cfd74d09317b8985886ebe1cc0104.exe
"C:\Users\Admin\AppData\Local\Temp\72b81d4fceb44127660175f6b101b98ca91cfd74d09317b8985886ebe1cc0104.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2120
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c C:\Windows\system32\expand.exe *.cab /f:* .\
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1420
- - C:\Windows\system32\expand.exe
    C:\Windows\system32\expand.exe *.cab /f:* .\
    3⤵
    PID:2444
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c schtasks /create /xml ASOS.xml /ru "system" /tn ASOS1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2432
- - C:\Windows\system32\schtasks.exe
    schtasks /create /xml ASOS.xml /ru "system" /tn ASOS1
    3⤵
    - Creates scheduled task(s)
    PID:1112
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c schtasks /change /tn ASOS1 /ru "system" /tr "'C:\Users\Admin\AppData\Local\Temp\unpacksos\1\\Launcher.exe' SRManagerSOS.exe 1 "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn ASOS1 /ru "system" /tr "'C:\Users\Admin\AppData\Local\Temp\unpacksos\1\\Launcher.exe' SRManagerSOS.exe 1 "
    3⤵
    PID:2744
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c schtasks /run /tn ASOS1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2864
- - C:\Windows\system32\schtasks.exe
    schtasks /run /tn ASOS1
    3⤵
    PID:2972
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c schtasks /delete /f /tn ASOS1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /f /tn ASOS1
    3⤵
    PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\unpack1.log

Filesize
4KB

MD5
9dfb8febfe7081ca07dd855c7abc58ec

SHA1
0dc30b3acd2ac1718fb386d1328394ddc8d6aec4

SHA256
48ebf5dca48e3d932c8ec2b5f16ea516cdad8a08a002a1ed98d702f93fee4668

SHA512
8097524ea78faa56258514f13f0f9f06957de6c4f7dcf537b198d09a5bb9852b7f570fc2b966d14df42e8eecdc7f609d447fc4ca1db1c4b23be2ed1f64f738b6

Download Submit