Analysis

  • max time kernel
    287s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    23/12/2023, 12:58

General

  • Target

    cp.exe

  • Size

    5.5MB

  • MD5

    2d58310bb545d2d9b3b562dcd27d8755

  • SHA1

    b00111934a023577c823eb80115df75e8ee6b94c

  • SHA256

    ca1fb3d8a70ec2e8baf3e420426c8c5db796df0799c4f94c03f7330c3c4d3cfe

  • SHA512

    0147f1652cd806b62029d5dcd890b9a508bb01b36926f413b752b2356da8e19407044a5e2d03eb3c53e868a3546328bac4eabe9beb1c17fcfd742cdbd8b8d59a

  • SSDEEP

    98304:zl95YReQ2RgCafgakYfmZiWrwpdXGSZqdNKQeLWk7/xMmsG9AJeHu:zl95nQ6g3k4WrwpdXWwlTpMd7P

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 1 IoCs
  • VMProtect packed file 22 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cp.exe
    "C:\Users\Admin\AppData\Local\Temp\cp.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2236
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\s1q4.0.bat" "
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2696
      • C:\Windows\SysWOW64\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:2848
      • C:\ProgramData\pinterests\XRJNZC.exe
        "C:\ProgramData\pinterests\XRJNZC.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2840
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /RL HIGHEST /tn "XRJNZC" /tr C:\ProgramData\pinterests\XRJNZC.exe /f
          4⤵
          • Creates scheduled task(s)
          PID:2628
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {7B9AB9CA-BA82-4030-B161-979CC6A6EF32} S-1-5-21-1268429524-3929314613-1992311491-1000:XBTLDBHN\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:476
    • C:\ProgramData\pinterests\XRJNZC.exe
      C:\ProgramData\pinterests\XRJNZC.exe
      2⤵
      • Executes dropped EXE
      PID:1508
    • C:\ProgramData\pinterests\XRJNZC.exe
      C:\ProgramData\pinterests\XRJNZC.exe
      2⤵
      • Executes dropped EXE
      PID:2188
    • C:\ProgramData\pinterests\XRJNZC.exe
      C:\ProgramData\pinterests\XRJNZC.exe
      2⤵
      • Executes dropped EXE
      PID:3008
    • C:\ProgramData\pinterests\XRJNZC.exe
      C:\ProgramData\pinterests\XRJNZC.exe
      2⤵
      • Executes dropped EXE
      PID:1728
    • C:\ProgramData\pinterests\XRJNZC.exe
      C:\ProgramData\pinterests\XRJNZC.exe
      2⤵
      • Executes dropped EXE
      PID:2416

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\ProgramData\pinterests\XRJNZC.exe

          Filesize

          396KB

          MD5

          49a4de41a330e3067a95d9fcb6e96e49

          SHA1

          e7713c0b182f3367312493c28980f7b0977ef1db

          SHA256

          bc3c4deef83882f08180358805ac152f9f4a9aed85584ffc4d501db399954ad9

          SHA512

          14dbcc99518b65db198c563a8fb59023529945a4c8de22e2392ff64be822a9750f701d6c6e248e4ce114d8313dc5c9e4f3161d670ef46e37b3e3691aaaad74c2

        • C:\ProgramData\pinterests\XRJNZC.exe

          Filesize

          550KB

          MD5

          7e1bf4569ac9626d6f57726e10d8cd9d

          SHA1

          ff01ebe46eab7a1c2cb0074ef7447fe100519041

          SHA256

          ebed1cf0c65b9b95ac712a0481d3880fb2cefd1ae7051b890804fe9c8dc2613f

          SHA512

          24476642c73344a64618b46f68b87f190dfcb07c38fa2909274270caed01bdc26396d8464d8df784820af82feccffc5667fb7dfb248706ead123987b63e89b75

        • C:\ProgramData\pinterests\XRJNZC.exe

          Filesize

          4.1MB

          MD5

          97fc90ce77f293466189544a4ae08917

          SHA1

          4444a7037e5963ccb517ae00d64849bb13e7480d

          SHA256

          b410611d0680b3c5668b70660fb28137c67781c59dd8c39a1377a7d2dc0013d6

          SHA512

          c33c7502bbd16b87792ac3bc7ea2c81c305a8cbded8a0778f248b6f3da9907bd42463b0c6d03aba553c9a78393809302d68b6351b9d691f8926f76f8fbe30fe2

        • C:\ProgramData\pinterests\XRJNZC.exe

          Filesize

          4.2MB

          MD5

          acb2db049a06e628fc42b67b76835542

          SHA1

          466f8c4305ee2ceb5754da506e543f858f58eeee

          SHA256

          01164bf77a4b2a865d661970c6955049f7825ba9d9dd041938328ab74b4d7978

          SHA512

          216e94e24a2580979e31725ffe121fc9dcdd41344eb772caec5d99bdcf03a7e269d98d00ab19c57b6f3643ef3d7d26a5a0ebd2563b1eded9238006b94be496d9

        • C:\ProgramData\pinterests\XRJNZC.exe

          Filesize

          93KB

          MD5

          cc71eb3e2a0256d54e822ffcb1f39424

          SHA1

          527b3670c2e312d5bc2c9790ce558aee99495731

          SHA256

          adfff9fa397d97eb9d74afc4cc8c2a40d604427c92ce664692c890a67c766d79

          SHA512

          7ad0b57879a3a386ae144449f97dc165fb38484f77a50528540f180a24104fc80405472e6dae80d54907366f68933d700735bfa9a7050016fd138a89914ce10b

        • C:\ProgramData\pinterests\XRJNZC.exe

          Filesize

          3.7MB

          MD5

          c6e54e75a8f3964411e08ea6ff7205be

          SHA1

          fa6e20feb414fbbc1ff99f8051baabe2331144b8

          SHA256

          e4ab9dd831e876a7d04cfb2a2040ac5b8da7f37e923caf8ccf0bdc0d880c2899

          SHA512

          2da6c59a0875a25c324eb27813cb684937350dfdb58ff2f4d605e9348dc0303374776db7594a8cc7c0af266c6a463aef67596450a88cd5a0ce8d0ff512e7e27f

        • C:\ProgramData\pinterests\XRJNZC.exe

          Filesize

          1.6MB

          MD5

          96065bbca72f86a092447d6ef4f397d8

          SHA1

          b8e98ce298180164f7e8711d4b8dec6ee976dd39

          SHA256

          9eae9e3eed2d5f550fe22297a2d2352b164229a01b1d15a8cb5fef3f6e32ced1

          SHA512

          4d9655bb9988d73eb174101c30dcd0047a41b17c4884c54b6cb7a4740d7fb34f6e607cc8f1ef310f30d8f5f4e3900f5016558aa43c21af32e70302bf37b32a03

        • C:\Users\Admin\AppData\Local\Temp\s1q4.0.bat

          Filesize

          176B

          MD5

          5bc242e249b07840b8bcb7a2395dcfea

          SHA1

          c837caf6ec4dc22d600b0749e422b067069c06d0

          SHA256

          1d19b40faa63bc1a95aec176bfa55dce634d628b5d3f4507608adeb466534ae8

          SHA512

          79dad833e364006237e44c99e0cda2ff336d12661bd3cc39e1525dc436dd5c7a0ab011454e547e21a6a8ad25e3fa2234b01948119cdaadfa0ceaf015fc0cbfb2

        • \ProgramData\pinterests\XRJNZC.exe

          Filesize

          453KB

          MD5

          38a0a78d1c87f907c6df04cc0c374ff8

          SHA1

          cf698b88d3f95c0cd2e38f10f2c163f0b8e45ea2

          SHA256

          2affe3896cd7de67999fc4d8a65e4665ae48dbe6b235557fb45da6d2de782b16

          SHA512

          266a03ef3e3131241821fea936c5820674a39845ccc4870587782dee0a7fecdc5992b314e8db7ac8afffbc491d1acd442bce7f9b917eb06a6227ccb8822e43ce

        • memory/1508-34-0x0000000000E30000-0x00000000018A0000-memory.dmp

          Filesize

          10.4MB

        • memory/1508-29-0x0000000000E30000-0x00000000018A0000-memory.dmp

          Filesize

          10.4MB

        • memory/1728-53-0x0000000000E30000-0x00000000018A0000-memory.dmp

          Filesize

          10.4MB

        • memory/1728-58-0x0000000000E30000-0x00000000018A0000-memory.dmp

          Filesize

          10.4MB

        • memory/2188-42-0x0000000000E30000-0x00000000018A0000-memory.dmp

          Filesize

          10.4MB

        • memory/2188-37-0x0000000000E30000-0x00000000018A0000-memory.dmp

          Filesize

          10.4MB

        • memory/2236-0-0x0000000001080000-0x0000000001AF0000-memory.dmp

          Filesize

          10.4MB

        • memory/2236-5-0x0000000001080000-0x0000000001AF0000-memory.dmp

          Filesize

          10.4MB

        • memory/2416-61-0x0000000000E30000-0x00000000018A0000-memory.dmp

          Filesize

          10.4MB

        • memory/2416-66-0x0000000000E30000-0x00000000018A0000-memory.dmp

          Filesize

          10.4MB

        • memory/2840-26-0x0000000000E30000-0x00000000018A0000-memory.dmp

          Filesize

          10.4MB

        • memory/2840-21-0x0000000000E30000-0x00000000018A0000-memory.dmp

          Filesize

          10.4MB

        • memory/3008-45-0x0000000000E30000-0x00000000018A0000-memory.dmp

          Filesize

          10.4MB

        • memory/3008-50-0x0000000000E30000-0x00000000018A0000-memory.dmp

          Filesize

          10.4MB