Analysis
max time kernel: 287s
max time network: 126s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 23/12/2023, 12:58
Behavioral task: behavioral1
Sample: cp.exe
Resource: win7-20231215-en

Behavioral task: behavioral2
Sample: cp.exe
Resource: win10v2004-20231215-en
General
Target: cp.exe
Size: 5.5MB
MD5: 2d58310bb545d2d9b3b562dcd27d8755
SHA1: b00111934a023577c823eb80115df75e8ee6b94c
SHA256: ca1fb3d8a70ec2e8baf3e420426c8c5db796df0799c4f94c03f7330c3c4d3cfe
SHA512: 0147f1652cd806b62029d5dcd890b9a508bb01b36926f413b752b2356da8e19407044a5e2d03eb3c53e868a3546328bac4eabe9beb1c17fcfd742cdbd8b8d59a
SSDEEP: 98304:zl95YReQ2RgCafgakYfmZiWrwpdXGSZqdNKQeLWk7/xMmsG9AJeHu:zl95nQ6g3k4WrwpdXWwlTpMd7P
Malware Config
Signatures
Executes dropped EXE (6 IoCs)
pid / Process:
2840 XRJNZC.exe
1508 XRJNZC.exe
2188 XRJNZC.exe
3008 XRJNZC.exe
1728 XRJNZC.exe
2416 XRJNZC.exe

Loads dropped DLL (1 IoCs)
pid / Process:
2696 cmd.exe

resource / yara_rule:
behavioral1/memory/2236-0-0x0000000001080000-0x0000000001AF0000-memory.dmp vmprotect
behavioral1/memory/2236-5-0x0000000001080000-0x0000000001AF0000-memory.dmp vmprotect
behavioral1/files/0x0008000000012281-20.dat vmprotect
behavioral1/files/0x0008000000012281-19.dat vmprotect
behavioral1/files/0x0008000000012281-18.dat vmprotect
behavioral1/memory/2840-21-0x0000000000E30000-0x00000000018A0000-memory.dmp vmprotect
behavioral1/memory/2840-26-0x0000000000E30000-0x00000000018A0000-memory.dmp vmprotect
behavioral1/files/0x0008000000012281-28.dat vmprotect
behavioral1/memory/1508-29-0x0000000000E30000-0x00000000018A0000-memory.dmp vmprotect
behavioral1/memory/1508-34-0x0000000000E30000-0x00000000018A0000-memory.dmp vmprotect
behavioral1/files/0x0008000000012281-36.dat vmprotect
behavioral1/memory/2188-37-0x0000000000E30000-0x00000000018A0000-memory.dmp vmprotect
behavioral1/memory/2188-42-0x0000000000E30000-0x00000000018A0000-memory.dmp vmprotect
behavioral1/files/0x0008000000012281-44.dat vmprotect
behavioral1/memory/3008-45-0x0000000000E30000-0x00000000018A0000-memory.dmp vmprotect
behavioral1/memory/3008-50-0x0000000000E30000-0x00000000018A0000-memory.dmp vmprotect
behavioral1/files/0x0008000000012281-52.dat vmprotect
behavioral1/memory/1728-53-0x0000000000E30000-0x00000000018A0000-memory.dmp vmprotect
behavioral1/memory/1728-58-0x0000000000E30000-0x00000000018A0000-memory.dmp vmprotect
behavioral1/files/0x0008000000012281-60.dat vmprotect
behavioral1/memory/2416-61-0x0000000000E30000-0x00000000018A0000-memory.dmp vmprotect
behavioral1/memory/2416-66-0x0000000000E30000-0x00000000018A0000-memory.dmp vmprotect

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid / Process:
2628 schtasks.exe

Delays execution with timeout.exe (1 IoCs)
pid / Process:
2848 timeout.exe

Suspicious use of WriteProcessMemory (36 IoCs)
description | pid | Process | procid_target
PID 2236 wrote to memory of 2696 | 2236 | cp.exe | 29
PID 2236 wrote to memory of 2696 | 2236 | cp.exe | 29
PID 2236 wrote to memory of 2696 | 2236 | cp.exe | 29
PID 2236 wrote to memory of 2696 | 2236 | cp.exe | 29
PID 2696 wrote to memory of 2848 | 2696 | cmd.exe | 30
PID 2696 wrote to memory of 2848 | 2696 | cmd.exe | 30
PID 2696 wrote to memory of 2848 | 2696 | cmd.exe | 30
PID 2696 wrote to memory of 2848 | 2696 | cmd.exe | 30
PID 2696 wrote to memory of 2840 | 2696 | cmd.exe | 31
PID 2696 wrote to memory of 2840 | 2696 | cmd.exe | 31
PID 2696 wrote to memory of 2840 | 2696 | cmd.exe | 31
PID 2696 wrote to memory of 2840 | 2696 | cmd.exe | 31
PID 2840 wrote to memory of 2628 | 2840 | XRJNZC.exe | 33
PID 2840 wrote to memory of 2628 | 2840 | XRJNZC.exe | 33
PID 2840 wrote to memory of 2628 | 2840 | XRJNZC.exe | 33
PID 2840 wrote to memory of 2628 | 2840 | XRJNZC.exe | 33
PID 476 wrote to memory of 1508 | 476 | taskeng.exe | 37
PID 476 wrote to memory of 1508 | 476 | taskeng.exe | 37
PID 476 wrote to memory of 1508 | 476 | taskeng.exe | 37
PID 476 wrote to memory of 1508 | 476 | taskeng.exe | 37
PID 476 wrote to memory of 2188 | 476 | taskeng.exe | 38
PID 476 wrote to memory of 2188 | 476 | taskeng.exe | 38
PID 476 wrote to memory of 2188 | 476 | taskeng.exe | 38
PID 476 wrote to memory of 2188 | 476 | taskeng.exe | 38
PID 476 wrote to memory of 3008 | 476 | taskeng.exe | 39
PID 476 wrote to memory of 3008 | 476 | taskeng.exe | 39
PID 476 wrote to memory of 3008 | 476 | taskeng.exe | 39
PID 476 wrote to memory of 3008 | 476 | taskeng.exe | 39
PID 476 wrote to memory of 1728 | 476 | taskeng.exe | 40
PID 476 wrote to memory of 1728 | 476 | taskeng.exe | 40
PID 476 wrote to memory of 1728 | 476 | taskeng.exe | 40
PID 476 wrote to memory of 1728 | 476 | taskeng.exe | 40
PID 476 wrote to memory of 2416 | 476 | taskeng.exe | 41
PID 476 wrote to memory of 2416 | 476 | taskeng.exe | 41
PID 476 wrote to memory of 2416 | 476 | taskeng.exe | 41
PID 476 wrote to memory of 2416 | 476 | taskeng.exe | 41
Processes
C:\Users\Admin\AppData\Local\Temp\cp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cp.exe"
  PID: 2236
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\s1q4.0.bat" "
    PID: 2696
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\timeout.exe
      Command line: timeout 3
      PID: 2848
      - Delays execution with timeout.exe
    C:\ProgramData\pinterests\XRJNZC.exe
      Command line: "C:\ProgramData\pinterests\XRJNZC.exe"
      PID: 2840
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\schtasks.exe
        Command line: "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /RL HIGHEST /tn "XRJNZC" /tr C:\ProgramData\pinterests\XRJNZC.exe /f
        PID: 2628
        - Creates scheduled task(s)

C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {7B9AB9CA-BA82-4030-B161-979CC6A6EF32} S-1-5-21-1268429524-3929314613-1992311491-1000:XBTLDBHN\Admin:Interactive:[1]
  PID: 476
  - Suspicious use of WriteProcessMemory
  C:\ProgramData\pinterests\XRJNZC.exe
    Command line: C:\ProgramData\pinterests\XRJNZC.exe
    PID: 1508
    - Executes dropped EXE
  C:\ProgramData\pinterests\XRJNZC.exe
    Command line: C:\ProgramData\pinterests\XRJNZC.exe
    PID: 2188
    - Executes dropped EXE
  C:\ProgramData\pinterests\XRJNZC.exe
    Command line: C:\ProgramData\pinterests\XRJNZC.exe
    PID: 3008
    - Executes dropped EXE
  C:\ProgramData\pinterests\XRJNZC.exe
    Command line: C:\ProgramData\pinterests\XRJNZC.exe
    PID: 1728
    - Executes dropped EXE
  C:\ProgramData\pinterests\XRJNZC.exe
    Command line: C:\ProgramData\pinterests\XRJNZC.exe
    PID: 2416
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 396KB
MD5: 49a4de41a330e3067a95d9fcb6e96e49
SHA1: e7713c0b182f3367312493c28980f7b0977ef1db
SHA256: bc3c4deef83882f08180358805ac152f9f4a9aed85584ffc4d501db399954ad9
SHA512: 14dbcc99518b65db198c563a8fb59023529945a4c8de22e2392ff64be822a9750f701d6c6e248e4ce114d8313dc5c9e4f3161d670ef46e37b3e3691aaaad74c2

Filesize: 550KB
MD5: 7e1bf4569ac9626d6f57726e10d8cd9d
SHA1: ff01ebe46eab7a1c2cb0074ef7447fe100519041
SHA256: ebed1cf0c65b9b95ac712a0481d3880fb2cefd1ae7051b890804fe9c8dc2613f
SHA512: 24476642c73344a64618b46f68b87f190dfcb07c38fa2909274270caed01bdc26396d8464d8df784820af82feccffc5667fb7dfb248706ead123987b63e89b75

Filesize: 4.1MB
MD5: 97fc90ce77f293466189544a4ae08917
SHA1: 4444a7037e5963ccb517ae00d64849bb13e7480d
SHA256: b410611d0680b3c5668b70660fb28137c67781c59dd8c39a1377a7d2dc0013d6
SHA512: c33c7502bbd16b87792ac3bc7ea2c81c305a8cbded8a0778f248b6f3da9907bd42463b0c6d03aba553c9a78393809302d68b6351b9d691f8926f76f8fbe30fe2

Filesize: 4.2MB
MD5: acb2db049a06e628fc42b67b76835542
SHA1: 466f8c4305ee2ceb5754da506e543f858f58eeee
SHA256: 01164bf77a4b2a865d661970c6955049f7825ba9d9dd041938328ab74b4d7978
SHA512: 216e94e24a2580979e31725ffe121fc9dcdd41344eb772caec5d99bdcf03a7e269d98d00ab19c57b6f3643ef3d7d26a5a0ebd2563b1eded9238006b94be496d9

Filesize: 93KB
MD5: cc71eb3e2a0256d54e822ffcb1f39424
SHA1: 527b3670c2e312d5bc2c9790ce558aee99495731
SHA256: adfff9fa397d97eb9d74afc4cc8c2a40d604427c92ce664692c890a67c766d79
SHA512: 7ad0b57879a3a386ae144449f97dc165fb38484f77a50528540f180a24104fc80405472e6dae80d54907366f68933d700735bfa9a7050016fd138a89914ce10b

Filesize: 3.7MB
MD5: c6e54e75a8f3964411e08ea6ff7205be
SHA1: fa6e20feb414fbbc1ff99f8051baabe2331144b8
SHA256: e4ab9dd831e876a7d04cfb2a2040ac5b8da7f37e923caf8ccf0bdc0d880c2899
SHA512: 2da6c59a0875a25c324eb27813cb684937350dfdb58ff2f4d605e9348dc0303374776db7594a8cc7c0af266c6a463aef67596450a88cd5a0ce8d0ff512e7e27f

Filesize: 1.6MB
MD5: 96065bbca72f86a092447d6ef4f397d8
SHA1: b8e98ce298180164f7e8711d4b8dec6ee976dd39
SHA256: 9eae9e3eed2d5f550fe22297a2d2352b164229a01b1d15a8cb5fef3f6e32ced1
SHA512: 4d9655bb9988d73eb174101c30dcd0047a41b17c4884c54b6cb7a4740d7fb34f6e607cc8f1ef310f30d8f5f4e3900f5016558aa43c21af32e70302bf37b32a03

Filesize: 176B
MD5: 5bc242e249b07840b8bcb7a2395dcfea
SHA1: c837caf6ec4dc22d600b0749e422b067069c06d0
SHA256: 1d19b40faa63bc1a95aec176bfa55dce634d628b5d3f4507608adeb466534ae8
SHA512: 79dad833e364006237e44c99e0cda2ff336d12661bd3cc39e1525dc436dd5c7a0ab011454e547e21a6a8ad25e3fa2234b01948119cdaadfa0ceaf015fc0cbfb2

Filesize: 453KB
MD5: 38a0a78d1c87f907c6df04cc0c374ff8
SHA1: cf698b88d3f95c0cd2e38f10f2c163f0b8e45ea2
SHA256: 2affe3896cd7de67999fc4d8a65e4665ae48dbe6b235557fb45da6d2de782b16
SHA512: 266a03ef3e3131241821fea936c5820674a39845ccc4870587782dee0a7fecdc5992b314e8db7ac8afffbc491d1acd442bce7f9b917eb06a6227ccb8822e43ce