bcfe69a55ba465833d3625601fc931ad73757e8f4a3295cbb6461dffcbf11822

Analysis

max time kernel
125s
max time network
37s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-12-2023 11:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ade2900d6b30b0e0dbcfd3a00b1bb8f.exe
Size

53KB
MD5

1ade2900d6b30b0e0dbcfd3a00b1bb8f
SHA1

0132aa32c0fbf27120345e59b8c17fd4542dbab4
SHA256

bcfe69a55ba465833d3625601fc931ad73757e8f4a3295cbb6461dffcbf11822
SHA512

fdaed71f8b28384fb318c2b491d08a76461ca78a3c4c2286419f1ec483ae8de6f465d370799d351987732f63e7db111e05cfc75b217c39b04e9c372bd27a8495
SSDEEP

1536:fAUPLrvsnKLmv+y6+9m0NsfgMLim/0HA1y0ZyA9n9X5cKyzCsVt0kXm/EvE:fAyLrrmGyb9m0NsfgMLim/0HA1y0Z

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2864	cmd.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1796-4-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/1796-6-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/1796-10-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/1796-20-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/1796-22-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/1796-21-0x0000000000400000-0x000000000040E000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2980 set thread context of 1796	2980	1ade2900d6b30b0e0dbcfd3a00b1bb8f.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1632	1796	WerFault.exe	28

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2980	1ade2900d6b30b0e0dbcfd3a00b1bb8f.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 1796	2980	1ade2900d6b30b0e0dbcfd3a00b1bb8f.exe	28
PID 2980 wrote to memory of 1796	2980	1ade2900d6b30b0e0dbcfd3a00b1bb8f.exe	28
PID 2980 wrote to memory of 1796	2980	1ade2900d6b30b0e0dbcfd3a00b1bb8f.exe	28
PID 2980 wrote to memory of 1796	2980	1ade2900d6b30b0e0dbcfd3a00b1bb8f.exe	28
PID 2980 wrote to memory of 1796	2980	1ade2900d6b30b0e0dbcfd3a00b1bb8f.exe	28
PID 2980 wrote to memory of 1796	2980	1ade2900d6b30b0e0dbcfd3a00b1bb8f.exe	28
PID 2980 wrote to memory of 1796	2980	1ade2900d6b30b0e0dbcfd3a00b1bb8f.exe	28
PID 2980 wrote to memory of 1796	2980	1ade2900d6b30b0e0dbcfd3a00b1bb8f.exe	28
PID 2980 wrote to memory of 2864	2980	1ade2900d6b30b0e0dbcfd3a00b1bb8f.exe	29
PID 2980 wrote to memory of 2864	2980	1ade2900d6b30b0e0dbcfd3a00b1bb8f.exe	29
PID 2980 wrote to memory of 2864	2980	1ade2900d6b30b0e0dbcfd3a00b1bb8f.exe	29
PID 2980 wrote to memory of 2864	2980	1ade2900d6b30b0e0dbcfd3a00b1bb8f.exe	29
PID 1796 wrote to memory of 1632	1796	svchost.exe	31
PID 1796 wrote to memory of 1632	1796	svchost.exe	31
PID 1796 wrote to memory of 1632	1796	svchost.exe	31
PID 1796 wrote to memory of 1632	1796	svchost.exe	31

C:\Users\Admin\AppData\Local\Temp\1ade2900d6b30b0e0dbcfd3a00b1bb8f.exe
"C:\Users\Admin\AppData\Local\Temp\1ade2900d6b30b0e0dbcfd3a00b1bb8f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\system32\svchost.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1796
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1796 -s 88
    3⤵
    - Program crash
    PID:1632
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\a.bat" "
  2⤵
  - Deletes itself
  PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a.bat

Filesize
176B

MD5
03a4db277385ece4605d1e96eed53364

SHA1
c9fe691226ec8fc3bf1fb31004c96d5a70e97d75

SHA256
02fc25b1ff7b9ebcff2965bedd89ca2837d4bf7f0eeb2c888b8833ba876d9164

SHA512
9c0d976bbefa9593ed052c28a143a7f434c61f4e8012f5a372855490f1421509698d97da36efdfabf96798ec5062b025b0240cb09f55b8817a1f3d1ddd56b0eb

Download Submit
memory/1796-2-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1796-4-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1796-6-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1796-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1796-10-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1796-20-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1796-22-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1796-21-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download