Analysis
- max time kernel: 119s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 22/12/2023, 13:46
Behavioral task behavioral1
- Sample: tmp.exe
- Resource: win7-20231215-en
Behavioral task behavioral2
- Sample: tmp.exe
- Resource: win10v2004-20231215-en
General
- Target: tmp.exe
- Size: 5.9MB
- MD5: ff03cb1d0fddde80c681ae5fe7ea2119
- SHA1: 5f8a72a358608c1e650c4196ae3d9ffe498b1087
- SHA256: 1d29a82f343372d9ccc7ecd56d49b03b5dfcc2afb654de212c7fff5c67085f13
- SHA512: 0137c3ad8e8f5f72a4cda693b7a43e94d8941c2c2cdff79d0da5b6e310bba7edb7ea04a333fca4d233a92ede731e870a2bcee8f2663b8b69d49d95454d983902
- SSDEEP: 98304:yHZt5ZGYRjCQuTGOkb9uj5PPY3KuG7GJ9TYKdnSYL2wqcKCBYHDRJ/2LSH:Itl8TZP5oKuG7GJGKddL2wZdW1JDH
Malware Config
Signatures
- Executes dropped EXE (3 IoCs)
  pid / Process: 2712 XRJNZC.exe; 1528 XRJNZC.exe; 436 XRJNZC.exe
- Loads dropped DLL (1 IoC)
  pid / Process: 2780 cmd.exe
- YARA rule match: vmprotect (resource / yara_rule)
  behavioral1/memory/760-3-0x0000000001180000-0x0000000001C9B000-memory.dmp  vmprotect
  behavioral1/memory/760-36-0x0000000001180000-0x0000000001C9B000-memory.dmp  vmprotect
  behavioral1/memory/760-49-0x0000000001180000-0x0000000001C9B000-memory.dmp  vmprotect
  behavioral1/files/0x0008000000012281-51.dat  vmprotect
  behavioral1/files/0x0008000000012281-52.dat  vmprotect
  behavioral1/files/0x0008000000012281-50.dat  vmprotect
  behavioral1/memory/2712-55-0x0000000001380000-0x0000000001E9B000-memory.dmp  vmprotect
  behavioral1/memory/2712-58-0x0000000001380000-0x0000000001E9B000-memory.dmp  vmprotect
  behavioral1/memory/2712-92-0x0000000001380000-0x0000000001E9B000-memory.dmp  vmprotect
  behavioral1/files/0x0008000000012281-93.dat  vmprotect
  behavioral1/memory/1528-95-0x0000000001380000-0x0000000001E9B000-memory.dmp  vmprotect
  behavioral1/memory/1528-132-0x0000000001380000-0x0000000001E9B000-memory.dmp  vmprotect
  behavioral1/files/0x0008000000012281-133.dat  vmprotect
  behavioral1/memory/436-134-0x0000000001380000-0x0000000001E9B000-memory.dmp  vmprotect
  behavioral1/memory/436-172-0x0000000001380000-0x0000000001E9B000-memory.dmp  vmprotect
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid / Process: 588 schtasks.exe
- Delays execution with timeout.exe (1 IoC)
  pid / Process: 2584 timeout.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid / Process: 760 tmp.exe; 2712 XRJNZC.exe; 1528 XRJNZC.exe; 436 XRJNZC.exe
- Suspicious use of WriteProcessMemory (24 IoCs)
  description | pid | Process | procid_target (each row was recorded four times in the log)
  PID 760 wrote to memory of 2780 | 760 | tmp.exe | 28
  PID 2780 wrote to memory of 2584 | 2780 | cmd.exe | 30
  PID 2780 wrote to memory of 2712 | 2780 | cmd.exe | 31
  PID 2712 wrote to memory of 588 | 2712 | XRJNZC.exe | 33
  PID 2608 wrote to memory of 1528 | 2608 | taskeng.exe | 37
  PID 2608 wrote to memory of 436 | 2608 | taskeng.exe | 38
Processes (tree; indentation shows parent/child)
- C:\Users\Admin\AppData\Local\Temp\tmp.exe (PID 760)
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 2780)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\sl4.0.bat" "
    Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\timeout.exe (PID 2584)
      Command line: timeout 3
      Signatures: Delays execution with timeout.exe
    - C:\ProgramData\pinterests\XRJNZC.exe (PID 2712)
      Command line: "C:\ProgramData\pinterests\XRJNZC.exe"
      Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\schtasks.exe (PID 588)
        Command line: "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /RL HIGHEST /tn "XRJNZC" /tr C:\ProgramData\pinterests\XRJNZC.exe /f
        Signatures: Creates scheduled task(s)
- C:\Windows\system32\taskeng.exe (PID 2608)
  Command line: taskeng.exe {20E2DDCF-EC3B-4C66-8EA5-B2B84678E8D3} S-1-5-21-1268429524-3929314613-1992311491-1000:XBTLDBHN\Admin:Interactive:[1]
  Signatures: Suspicious use of WriteProcessMemory
  - C:\ProgramData\pinterests\XRJNZC.exe (PID 1528)
    Command line: C:\ProgramData\pinterests\XRJNZC.exe
    Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
  - C:\ProgramData\pinterests\XRJNZC.exe (PID 436)
    Command line: C:\ProgramData\pinterests\XRJNZC.exe
    Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads