d5d7e1c5473c7abcd4cda2071fb321f35f592fb289bbb01883454eaea5a64d1d

Analysis

max time kernel
0s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 02:52 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

011de0fe873bc52cd4c56b237d4c2045.exe
Size

571KB
MD5

011de0fe873bc52cd4c56b237d4c2045
SHA1

62842529948c7f6c52a63a50524b354f1a1fcf6d
SHA256

d5d7e1c5473c7abcd4cda2071fb321f35f592fb289bbb01883454eaea5a64d1d
SHA512

2c5a28b153f03674d9bacc397b7e4565104cfc341f1496d9828bdeda28a37edc434901f7185ad5cd6eba9e5f427a09cc96f6aabcaec5fc7f95eda058f561ba29
SSDEEP

12288:YctEagGmcl4gBF1BRnI6hAVebOe1qOX+t4O1Krkr7gZRSya/NWrZEvm:ZR+cl7X1BRnI6hmebOe1qMOMrkkSjZe

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

C:\Users\Admin\AppData\Local\Temp\011de0fe873bc52cd4c56b237d4c2045.exe
"C:\Users\Admin\AppData\Local\Temp\011de0fe873bc52cd4c56b237d4c2045.exe"
1⤵
PID:1844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\batch.bat" "
  2⤵
  PID:936

C:\Users\Admin\AppData\Local\Temp\EXECUTORBYAMMSS1.exe
EXECUTORBYAMMSS1.exe -p02061969 -dC:\Users\Admin\AppData\Local\Temp
1⤵
PID:4608
- C:\Users\Admin\AppData\Local\Temp\EXECUTORBYAMMSS1.exe
  "C:\Users\Admin\AppData\Local\Temp\EXECUTORBYAMMSS1.exe"
  2⤵
  PID:1952

Network

DNS

200.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

200.197.79.204.in-addr.arpa

IN PTR

Response

200.197.79.204.in-addr.arpa

IN PTR

a-0001a-msedgenet
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.a-0001.a-msedge.net

g-bing-com.a-0001.a-msedge.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
DNS

149.177.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

149.177.190.20.in-addr.arpa

IN PTR

Response
DNS

9.228.82.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

9.228.82.20.in-addr.arpa

IN PTR

Response
DNS

41.110.16.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

41.110.16.96.in-addr.arpa

IN PTR

Response

41.110.16.96.in-addr.arpa

IN PTR

a96-16-110-41deploystaticakamaitechnologiescom
DNS

www.microsoft.com

Remote address:

8.8.8.8:53

Request

www.microsoft.com

IN A

Response

www.microsoft.com

IN CNAME

www.microsoft.com-c-3.edgekey.net

www.microsoft.com-c-3.edgekey.net

IN CNAME

www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net

www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net

IN CNAME

e13678.dscb.akamaiedge.net

e13678.dscb.akamaiedge.net

IN A

2.17.5.133
GET

http://www.microsoft.com/pkiops/certs/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crt

Remote address:

2.17.5.133:80

Request

GET /pkiops/certs/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crt HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: www.microsoft.com

Response

HTTP/1.1 200 OK

Content-Length: 1126
Content-Type: application/octet-stream
Content-MD5: YAUaFgF7vUODUG8XQQW6BQ==
Last-Modified: Fri, 28 Sep 2018 22:50:05 GMT
ETag: 0x8D62594BC0C84D8
x-ms-request-id: 248119ca-e01e-000c-7bd0-f8d0b8000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Mon, 25 Dec 2023 11:24:50 GMT
Connection: keep-alive
TLS_version: UNKNOWN
ms-cv: CASMicrosoftCVfc6c8b22.0
ms-cv-esi: CASMicrosoftCVfc6c8b22.0
X-RTag: RT
GET

http://www.microsoft.com/pkiops/certs/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crt

Remote address:

2.17.5.133:80

Request

GET /pkiops/certs/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crt HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: www.microsoft.com

Response

HTTP/1.1 200 OK

Content-Length: 1126
Content-Type: application/octet-stream
Content-MD5: YAUaFgF7vUODUG8XQQW6BQ==
Last-Modified: Fri, 28 Sep 2018 22:50:05 GMT
ETag: 0x8D62594BC0C84D8
x-ms-request-id: 248119ca-e01e-000c-7bd0-f8d0b8000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Mon, 25 Dec 2023 11:24:51 GMT
Connection: keep-alive
TLS_version: UNKNOWN
ms-cv: CASMicrosoftCVfc6c9e07.0
ms-cv-esi: CASMicrosoftCVfc6c9e07.0
X-RTag: RT
DNS

183.59.114.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

183.59.114.20.in-addr.arpa

IN PTR

Response
DNS

133.5.17.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.5.17.2.in-addr.arpa

IN PTR

Response

133.5.17.2.in-addr.arpa

IN PTR

a2-17-5-133deploystaticakamaitechnologiescom
DNS

18.31.95.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.31.95.13.in-addr.arpa

IN PTR

Response
DNS

182.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

182.178.17.96.in-addr.arpa

IN PTR

Response

182.178.17.96.in-addr.arpa

IN PTR

a96-17-178-182deploystaticakamaitechnologiescom
DNS

22.236.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

22.236.111.52.in-addr.arpa

IN PTR

Response
DNS

84.65.42.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

84.65.42.20.in-addr.arpa

IN PTR

Response

204.79.197.200:443

g.bing.com

tls

2.8kB
9.5kB
25
20
2.17.5.133:80

http://www.microsoft.com/pkiops/certs/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crt

http

418 B
1.8kB
5
4

HTTP Request

GET http://www.microsoft.com/pkiops/certs/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crt

HTTP Response

200
2.17.5.133:80

http://www.microsoft.com/pkiops/certs/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crt

http

418 B
1.8kB
5
4

HTTP Request

GET http://www.microsoft.com/pkiops/certs/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crt

HTTP Response

200

8.8.8.8:53

200.197.79.204.in-addr.arpa

dns

73 B
106 B
1
1

DNS Request

200.197.79.204.in-addr.arpa
8.8.8.8:53

g.bing.com

dns

56 B
158 B
1
1

DNS Request

g.bing.com

DNS Response

204.79.197.200

13.107.21.200
8.8.8.8:53

149.177.190.20.in-addr.arpa

dns

73 B
159 B
1
1

DNS Request

149.177.190.20.in-addr.arpa
8.8.8.8:53

9.228.82.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

9.228.82.20.in-addr.arpa
8.8.8.8:53

41.110.16.96.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

41.110.16.96.in-addr.arpa
8.8.8.8:53

www.microsoft.com

dns

63 B
230 B
1
1

DNS Request

www.microsoft.com

DNS Response

2.17.5.133
8.8.8.8:53

183.59.114.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

183.59.114.20.in-addr.arpa
8.8.8.8:53

133.5.17.2.in-addr.arpa

dns

69 B
131 B
1
1

DNS Request

133.5.17.2.in-addr.arpa
8.8.8.8:53

18.31.95.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

18.31.95.13.in-addr.arpa
8.8.8.8:53

182.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

182.178.17.96.in-addr.arpa
8.8.8.8:53

22.236.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

22.236.111.52.in-addr.arpa
8.8.8.8:53

84.65.42.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

84.65.42.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EXECUTORBYAMMSS1.exe

Filesize
18KB

MD5
63b282c8cb7c9c0a9d52a43c8f4ca32e

SHA1
a2389b70ac0a004c5726d5af97553ae9c4cacd51

SHA256
d051842b886fec3095db99490a666cd45a7c4ee8580802167d4eb2e35499e9de

SHA512
15661d80973ab43fde67a6d88b1319437f2397164240989e0a1145711ab0c9dfd6b7dcaa596f4c8d16f826147ce5912c07a34a6747f391cd9e0441bc18a4d8d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\EXECUTORBYAMMSS1.exe

Filesize
13KB

MD5
9aa723408b92bcaca2c7c4be70b333f9

SHA1
fd33496217e42dfb975e8142015e6b8a92c71c46

SHA256
ada4211687721464e6a87830e2f418ce84f4db6205b42197d083ec91ac0ee46e

SHA512
9d6a2cd5eb73181b6ca85579e9f80b40bb1c5ca448c9f67757017b92a92ccc085858b28ea5fb1c6fe960e335e99b3faad7d9926334f78854d4fb32e733d83f32

Download Submit
C:\Users\Admin\AppData\Local\Temp\EXECUTORBYAMMSS1.exe

Filesize
22KB

MD5
618cdcf7c09078d23a44b7b8cbca424e

SHA1
0e24decdfff10bd4b11bfd94f4d2ebdf7da30314

SHA256
376356f758e6ab9eb70a007ac2efab0422ef602dd705b7ab95d8a1c2489872e5

SHA512
4c43792c096cf515f0121c31f4549c0ab91d9a0a695af3539640a1d053eb799655ac7bd9c8c5a454c11650284d976e0927ce9cebbf7094e2c03603f7fe8eeef1

Download Submit
C:\Users\Admin\AppData\Local\Temp\batch.bat

Filesize
40B

MD5
b3d4c2729bbf68663609833631c5d8da

SHA1
c49cd084b49e641ff1cc84a705bc0f1f0f59b83a

SHA256
1d6f6c12e1bb88e0adb9ffeafaf2ae8e4224a5f52e570160dd6ed17168934755

SHA512
29b34385665e2308d1581ea9ecc720d311a7aa5081b0cb60a7ca10358c8a1ec4380c1a3bd0dd53bf0ba330443379c8e2e4adfa35f112512c3c9405ea05cb61a9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.