d5d7e1c5473c7abcd4cda2071fb321f35f592fb289bbb01883454eaea5a64d1d

Analysis

max time kernel
0s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
25-12-2023 02:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

011de0fe873bc52cd4c56b237d4c2045.exe
Size

571KB
MD5

011de0fe873bc52cd4c56b237d4c2045
SHA1

62842529948c7f6c52a63a50524b354f1a1fcf6d
SHA256

d5d7e1c5473c7abcd4cda2071fb321f35f592fb289bbb01883454eaea5a64d1d
SHA512

2c5a28b153f03674d9bacc397b7e4565104cfc341f1496d9828bdeda28a37edc434901f7185ad5cd6eba9e5f427a09cc96f6aabcaec5fc7f95eda058f561ba29
SSDEEP

12288:YctEagGmcl4gBF1BRnI6hAVebOe1qOX+t4O1Krkr7gZRSya/NWrZEvm:ZR+cl7X1BRnI6hmebOe1qMOMrkkSjZe

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2128	EXECUTORBYAMMSS1.exe
2572	EXECUTORBYAMMSS1.exe

Loads dropped DLL 2 IoCs

pid	Process
1528	cmd.exe
2128	EXECUTORBYAMMSS1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 888 wrote to memory of 1528	888	011de0fe873bc52cd4c56b237d4c2045.exe	20
PID 888 wrote to memory of 1528	888	011de0fe873bc52cd4c56b237d4c2045.exe	20
PID 888 wrote to memory of 1528	888	011de0fe873bc52cd4c56b237d4c2045.exe	20
PID 1528 wrote to memory of 2128	1528	cmd.exe	18
PID 1528 wrote to memory of 2128	1528	cmd.exe	18
PID 1528 wrote to memory of 2128	1528	cmd.exe	18
PID 2128 wrote to memory of 2572	2128	EXECUTORBYAMMSS1.exe	17
PID 2128 wrote to memory of 2572	2128	EXECUTORBYAMMSS1.exe	17
PID 2128 wrote to memory of 2572	2128	EXECUTORBYAMMSS1.exe	17

C:\Users\Admin\AppData\Local\Temp\011de0fe873bc52cd4c56b237d4c2045.exe
"C:\Users\Admin\AppData\Local\Temp\011de0fe873bc52cd4c56b237d4c2045.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:888
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\batch.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1528

C:\Users\Admin\AppData\Local\Temp\EXECUTORBYAMMSS1.exe
"C:\Users\Admin\AppData\Local\Temp\EXECUTORBYAMMSS1.exe"
1⤵
- Executes dropped EXE
PID:2572

C:\Users\Admin\AppData\Local\Temp\EXECUTORBYAMMSS1.exe
EXECUTORBYAMMSS1.exe -p02061969 -dC:\Users\Admin\AppData\Local\Temp
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EXECUTORBYAMMSS1.exe

Filesize
86KB

MD5
40bfb6dbac881878aeddccdb175f661a

SHA1
24204fd60fede8e907fc34d1fd56610937d048c7

SHA256
19a271ceb3659c50e7d41ceb9164f21a46e16b02b4b23707eb4c9615de71c59b

SHA512
7b0ea3dfc7db6a0eae4e3a6207cd86bb0ac81de4fe946e87a8b891f80d2c47dbc2aca964811020411032729b01ac336e4a139ab3ff859b7afd5d9cf82547c28c

Download Submit
C:\Users\Admin\AppData\Local\Temp\EXECUTORBYAMMSS1.exe

Filesize
375KB

MD5
a28a858ee75ac8e9c5b89053820ac2d0

SHA1
504362e3a3db635523bc854ce1219903bc512dcd

SHA256
37ce5d127b19353a4ce7f8916df55fa865228c6760b336d5124162b5dd1db29f

SHA512
5625e77c6971560879c92ce1018b5b86c9e1a4c39ef748e60ad81a8df8ec99cc070d9a2401ddd089de40291e65671f160c641b3bdcd2676220f9c02c6f260d41

Download Submit
C:\Users\Admin\AppData\Local\Temp\EXECUTORBYAMMSS1.exe

Filesize
389KB

MD5
fd9c303d455178c51fcbfb0b9720adc7

SHA1
5362fabbd46be79229f0f3783372ea6ca65cec98

SHA256
8b81c4d166c321787268fcfd9d8b614807bf58846ec7392b2f43c3634be3c947

SHA512
8b226d63ef74883c4006e6b282ba649738b4cb36d174baf89ef27887edc70f34a4282936d89d252f1b51dc4c6480f6cfcb40416efe05bc5ab25759320447a9d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\batch.bat

Filesize
40B

MD5
b3d4c2729bbf68663609833631c5d8da

SHA1
c49cd084b49e641ff1cc84a705bc0f1f0f59b83a

SHA256
1d6f6c12e1bb88e0adb9ffeafaf2ae8e4224a5f52e570160dd6ed17168934755

SHA512
29b34385665e2308d1581ea9ecc720d311a7aa5081b0cb60a7ca10358c8a1ec4380c1a3bd0dd53bf0ba330443379c8e2e4adfa35f112512c3c9405ea05cb61a9

Download Submit