73e9887198f888736dc70d40475101e70eceb8712f70859089138d7d1f3b90bf

Analysis

max time kernel
118s
max time network
136s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 13:12

Target

20d3ed62f03c6b1be31f9d91f0e667bf.exe
Size

146KB
MD5

20d3ed62f03c6b1be31f9d91f0e667bf
SHA1

c2105cbaf0f81f9cec5e81d8a6268c3ca37e7eaa
SHA256

73e9887198f888736dc70d40475101e70eceb8712f70859089138d7d1f3b90bf
SHA512

1084967dc44942e43a3a3f67690792b4670774a17b78f6b6694aaace7caf0410b4cc768f5de1c6123c144599b9ebbe146e01091d349897e69831ec814231e6e7
SSDEEP

768:nMcy8orQNKV/wD4g7ki42zsPBdvBRwqPJQoAm+1CggZIwfjRfEF:aqK4Dii46s5dr4RCBZrjRfE

Score

7^/10

upx

Deletes itself 1 IoCs

pid	Process
2896	cmd.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/2728-2-0x0000000000400000-0x000000000046C000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2728	20d3ed62f03c6b1be31f9d91f0e667bf.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 2896	2728	20d3ed62f03c6b1be31f9d91f0e667bf.exe	30
PID 2728 wrote to memory of 2896	2728	20d3ed62f03c6b1be31f9d91f0e667bf.exe	30
PID 2728 wrote to memory of 2896	2728	20d3ed62f03c6b1be31f9d91f0e667bf.exe	30
PID 2728 wrote to memory of 2896	2728	20d3ed62f03c6b1be31f9d91f0e667bf.exe	30

C:\Users\Admin\AppData\Local\Temp\20d3ed62f03c6b1be31f9d91f0e667bf.exe
"C:\Users\Admin\AppData\Local\Temp\20d3ed62f03c6b1be31f9d91f0e667bf.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\a..bat" > nul 2> nul
  2⤵
  - Deletes itself
  PID:2896

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\a..bat

Filesize
210B

MD5
937373dc326c8ab514ffa858f779e14b

SHA1
d30dd51e1cdbe3c7662d6bd78325b3d5a9d08dea

SHA256
979627b12e8ffc1cdfe49019d5947561ef94f4dc7aac356ee784c6718dde9c51

SHA512
bf4bd41d77ce88e09cdf80826b019aae5837620effb21c823e52b9d6d0f27126f35ef4fef5fca5b8c7a1b4abd16f7bae146fb25c9939fc362b441bc82b1513f3

Download Submit
memory/2728-0-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2728-2-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download