57d6ced38d7705f729ab53bb3958ae73ccd16ae10767389b6e75c5e0c52fccdd

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 05:00

Target

5640a71d0b26c0915e9fc5796ac9317f.exe
Size

65KB
MD5

5640a71d0b26c0915e9fc5796ac9317f
SHA1

16aa66096dbedb9fb52276022b2ca94b5883f8a8
SHA256

57d6ced38d7705f729ab53bb3958ae73ccd16ae10767389b6e75c5e0c52fccdd
SHA512

ad72d46f0ef6b2f3fc5d73708003e24d0528eeaa5b134f3be6fbf7ace95159f3ca222ab5deca1533cad7a8df88aea9e2388ffb66a31ade122579135cf8dcb392
SSDEEP

1536:bbTfZ9dJVSA9j4QbTNVC7M3HO3P5ifqrBDfQZ4k:vTRmO/bTNV7gP5if4dfsD

Score

7^/10

upx

Deletes itself 1 IoCs

pid	Process
2976	cmd.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/1960-1-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/memory/1960-3-0x0000000000400000-0x0000000000422000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1960	5640a71d0b26c0915e9fc5796ac9317f.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 2976	1960	5640a71d0b26c0915e9fc5796ac9317f.exe	29
PID 1960 wrote to memory of 2976	1960	5640a71d0b26c0915e9fc5796ac9317f.exe	29
PID 1960 wrote to memory of 2976	1960	5640a71d0b26c0915e9fc5796ac9317f.exe	29
PID 1960 wrote to memory of 2976	1960	5640a71d0b26c0915e9fc5796ac9317f.exe	29

C:\Users\Admin\AppData\Local\Temp\5640a71d0b26c0915e9fc5796ac9317f.exe
"C:\Users\Admin\AppData\Local\Temp\5640a71d0b26c0915e9fc5796ac9317f.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Xzp..bat" > nul 2> nul
  2⤵
  - Deletes itself
  PID:2976

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\Xzp..bat

Filesize
210B

MD5
29134bd3f2c1359f5439cc3ee287b426

SHA1
c251adb38b12c26fa51de3b52d40c70dea5c323d

SHA256
7fbb23791a34f95dcd58e4c3f36106bac81238e809a8543d1fea4e7ae02b14f8

SHA512
61e9ada0a3bf6ccfc9c54fd6669f8f3c4f6d5781f59cb6f2ba1576511429720df1ce463632e4dc8fd175b2217c88cfc2554e11b52168ef71472374304fd8a8c8

Download Submit
memory/1960-1-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1960-0-0x0000000000220000-0x0000000000223000-memory.dmp

Filesize
12KB

Download
memory/1960-3-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download