8503010b68d55bdebac7638d9f7924b5e23049992e57e0d29cd31679f3b0bedc

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
12/12/2023, 03:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8503010b68d55bdebac7638d9f7924b5e23049992e57e0d29cd31679f3b0bedc.exe
Size

2.2MB
MD5

5efedeff0f59d9ba656ff89744495529
SHA1

9142a2f38ea4f6fccb9e43aefcd9f548006c24a5
SHA256

8503010b68d55bdebac7638d9f7924b5e23049992e57e0d29cd31679f3b0bedc
SHA512

8122b278b3dfd9cb17a22b968827ce819faf97de5f595ca51f2dbc1af9308e85bcc0ed86e38b2210275f4078c9e81e36292c5336ffd9fc26046a7557d4cbfe90
SSDEEP

49152:sBuZrEUZrn+SFIDuc6SKIy029s4C1eH9l:ykLZrn5FlIt29s4C1eH9l

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2076	8503010b68d55bdebac7638d9f7924b5e23049992e57e0d29cd31679f3b0bedc.tmp

Loads dropped DLL 1 IoCs

pid	Process
2000	8503010b68d55bdebac7638d9f7924b5e23049992e57e0d29cd31679f3b0bedc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
3064	taskkill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3064	taskkill.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 2076	2000	8503010b68d55bdebac7638d9f7924b5e23049992e57e0d29cd31679f3b0bedc.exe	28
PID 2000 wrote to memory of 2076	2000	8503010b68d55bdebac7638d9f7924b5e23049992e57e0d29cd31679f3b0bedc.exe	28
PID 2000 wrote to memory of 2076	2000	8503010b68d55bdebac7638d9f7924b5e23049992e57e0d29cd31679f3b0bedc.exe	28
PID 2000 wrote to memory of 2076	2000	8503010b68d55bdebac7638d9f7924b5e23049992e57e0d29cd31679f3b0bedc.exe	28
PID 2000 wrote to memory of 2076	2000	8503010b68d55bdebac7638d9f7924b5e23049992e57e0d29cd31679f3b0bedc.exe	28
PID 2000 wrote to memory of 2076	2000	8503010b68d55bdebac7638d9f7924b5e23049992e57e0d29cd31679f3b0bedc.exe	28
PID 2000 wrote to memory of 2076	2000	8503010b68d55bdebac7638d9f7924b5e23049992e57e0d29cd31679f3b0bedc.exe	28
PID 2076 wrote to memory of 624	2076	8503010b68d55bdebac7638d9f7924b5e23049992e57e0d29cd31679f3b0bedc.tmp	29
PID 2076 wrote to memory of 624	2076	8503010b68d55bdebac7638d9f7924b5e23049992e57e0d29cd31679f3b0bedc.tmp	29
PID 2076 wrote to memory of 624	2076	8503010b68d55bdebac7638d9f7924b5e23049992e57e0d29cd31679f3b0bedc.tmp	29
PID 2076 wrote to memory of 624	2076	8503010b68d55bdebac7638d9f7924b5e23049992e57e0d29cd31679f3b0bedc.tmp	29
PID 624 wrote to memory of 3064	624	cmd.exe	31
PID 624 wrote to memory of 3064	624	cmd.exe	31
PID 624 wrote to memory of 3064	624	cmd.exe	31
PID 624 wrote to memory of 3064	624	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\8503010b68d55bdebac7638d9f7924b5e23049992e57e0d29cd31679f3b0bedc.exe
"C:\Users\Admin\AppData\Local\Temp\8503010b68d55bdebac7638d9f7924b5e23049992e57e0d29cd31679f3b0bedc.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Users\Admin\AppData\Local\Temp\is-NSE9B.tmp\8503010b68d55bdebac7638d9f7924b5e23049992e57e0d29cd31679f3b0bedc.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-NSE9B.tmp\8503010b68d55bdebac7638d9f7924b5e23049992e57e0d29cd31679f3b0bedc.tmp" /SL5="$70122,1464243,832512,C:\Users\Admin\AppData\Local\Temp\8503010b68d55bdebac7638d9f7924b5e23049992e57e0d29cd31679f3b0bedc.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c taskkill /f /t /im steam.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:624
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /t /im steam.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\is-NSE9B.tmp\8503010b68d55bdebac7638d9f7924b5e23049992e57e0d29cd31679f3b0bedc.tmp

Filesize
3.1MB

MD5
1470aa9da82412a18e393b9fe4246b28

SHA1
ba9d778e88aa3962b1ef6cdcaea32374fbcd8cd6

SHA256
41183b8a7dcbc95f339906cd99ac739d3e0a314f31b3c4b826b0a1b81384d807

SHA512
9e11dc52d19967f7281f7cd782657eb4dc6acfa5c7cf52bb5df0fcb8938fc4112ef0a2619cf89dd2577a0c594abcfe81f5af9c2ceeb1aa8c02fb7f1f65defeb1

Download Submit
memory/2000-1-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2000-13-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2076-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2076-11-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download