3ad7c4fb329b59be896bfc649b874181a7ef2eaa220f6b29ae841ccc11224425

Analysis

max time kernel
121s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 15:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2b2d5a879df49a57b8d33b429c7a776e.exe
Size

156KB
MD5

2b2d5a879df49a57b8d33b429c7a776e
SHA1

27e1e7f8d53209a0d4000ed3a0e8c86b0ea6f2a9
SHA256

3ad7c4fb329b59be896bfc649b874181a7ef2eaa220f6b29ae841ccc11224425
SHA512

ac944a5b722c8acb9a2c354691988d1fc5e18cc10e04bae0f0cc025ddee9e9e475f0889f627c9eb930f0cbd808ef995a5f8372f8c6472da1413f743c716ea02a
SSDEEP

3072:1fqKqf6UTbQ0XOXVh06/0NEUYynNELl1RAX61qrZLnVnd:hUf6YQlZ/MY2ilfAq1IZD

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2948	2b2d5a879df49a57b8d33b429c7a776e.exe

Loads dropped DLL 2 IoCs

pid	Process
2420	2b2d5a879df49a57b8d33b429c7a776e.exe
2420	2b2d5a879df49a57b8d33b429c7a776e.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0032000000016bf4-5.dat	upx
behavioral1/memory/2420-8-0x00000000027A0000-0x00000000027E6000-memory.dmp	upx
behavioral1/memory/2948-14-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/2948-16-0x0000000000400000-0x0000000000446000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 2948	2420	2b2d5a879df49a57b8d33b429c7a776e.exe	28
PID 2420 wrote to memory of 2948	2420	2b2d5a879df49a57b8d33b429c7a776e.exe	28
PID 2420 wrote to memory of 2948	2420	2b2d5a879df49a57b8d33b429c7a776e.exe	28
PID 2420 wrote to memory of 2948	2420	2b2d5a879df49a57b8d33b429c7a776e.exe	28

C:\Users\Admin\AppData\Local\Temp\2b2d5a879df49a57b8d33b429c7a776e.exe
"C:\Users\Admin\AppData\Local\Temp\2b2d5a879df49a57b8d33b429c7a776e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Windows\Temp\MT\2b2d5a879df49a57b8d33b429c7a776e.exe
  "C:\Windows\Temp\MT\2b2d5a879df49a57b8d33b429c7a776e.exe"
  2⤵
  - Executes dropped EXE
  PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\MT\2b2d5a879df49a57b8d33b429c7a776e.exe

Filesize
95KB

MD5
67d98f91919b91ce5834f6bf1727981c

SHA1
550e13fe9b8a0dd591366519ddbc7ae1c4e0919e

SHA256
65127c0d89eb13c80e07fdd733935511beb208646352b2914d1a3b5dc3d4303b

SHA512
7447ecc20dccf6fba094c41a6bbcf6f2af495d3b012e406dadda96e72f368413bd73186386aeaf39d41c346189330128d03b2a34fe5aa16252a695e5a7578443

Download Submit
memory/2420-8-0x00000000027A0000-0x00000000027E6000-memory.dmp

Filesize
280KB

Download
memory/2948-14-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2948-16-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download