db5d4a5090c7303616f88db08a22abc975804ae1abdef9740c208c004648255b

Analysis

max time kernel
0s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29-12-2023 19:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

024cde85d1a11c1b2e6749ec80b50fad.exe
Size

2.8MB
MD5

024cde85d1a11c1b2e6749ec80b50fad
SHA1

5f7226f27b0106f6050ce61d78e9c0fc8cfb8373
SHA256

db5d4a5090c7303616f88db08a22abc975804ae1abdef9740c208c004648255b
SHA512

5016d4eb26602300e49365186ce768026ac73927f41773883a6fc43376b622bc76a2d72d675cfa29224540cf82f8291a9ed03b0d5b762678d30b29f963ee7ccc
SSDEEP

49152:KynUHNR9PKXUm1WHyilGSvn/5Kaq1rO5n8UXRaa/B03ak8JqFJ7BHKQk6j:KyUHNjSXUmIHy8Zv/Uaq1yJqak8JqbFR

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

bitsfx.txt

pid process

2780 bitsfx.txt
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

2668 cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2780	bitsfx.txt

pid	process
2668	cmd.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

024cde85d1a11c1b2e6749ec80b50fad.execmd.execmd.exe

description	pid	process	target process
PID 2296 wrote to memory of 2372	2296	024cde85d1a11c1b2e6749ec80b50fad.exe	cmd.exe
PID 2296 wrote to memory of 2372	2296	024cde85d1a11c1b2e6749ec80b50fad.exe	cmd.exe
PID 2296 wrote to memory of 2372	2296	024cde85d1a11c1b2e6749ec80b50fad.exe	cmd.exe
PID 2296 wrote to memory of 2372	2296	024cde85d1a11c1b2e6749ec80b50fad.exe	cmd.exe
PID 2372 wrote to memory of 2668	2372	cmd.exe	cmd.exe
PID 2372 wrote to memory of 2668	2372	cmd.exe	cmd.exe
PID 2372 wrote to memory of 2668	2372	cmd.exe	cmd.exe
PID 2372 wrote to memory of 2668	2372	cmd.exe	cmd.exe
PID 2668 wrote to memory of 2780	2668	cmd.exe	bitsfx.txt
PID 2668 wrote to memory of 2780	2668	cmd.exe	bitsfx.txt
PID 2668 wrote to memory of 2780	2668	cmd.exe	bitsfx.txt
PID 2668 wrote to memory of 2780	2668	cmd.exe	bitsfx.txt

C:\Users\Admin\AppData\Local\Temp\024cde85d1a11c1b2e6749ec80b50fad.exe
"C:\Users\Admin\AppData\Local\Temp\024cde85d1a11c1b2e6749ec80b50fad.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2296

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C start /min C:\Windows\system32\cmd.exe /C bitsfx.txt -p123
2⤵
- Suspicious use of WriteProcessMemory
PID:2372

C:\Windows\SysWOW64\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v "Microsoft InstallShield" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\InstallShield\Desktop.exe" /f
1⤵
PID:2612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v "Microsoft InstallShield" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\InstallShield\Desktop.exe" /f
1⤵
PID:2824

C:\Windows\SysWOW64\xcopy.exe
xcopy "bit.txt" "C:\Users\Admin\AppData\Roaming\Microsoft\InstallShield\Desktop.exe*" /Y
1⤵
PID:2800

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C start /min C:\Windows\system32\cmd.exe /C REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v "Microsoft InstallShield" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\InstallShield\Desktop.exe" /f
1⤵
PID:2852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C xcopy "bit.txt" "C:\Users\Admin\AppData\Roaming\Microsoft\InstallShield\Desktop.exe*" /Y
1⤵
PID:3060

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C start /min C:\Windows\system32\cmd.exe /C xcopy "bit.txt" "C:\Users\Admin\AppData\Roaming\Microsoft\InstallShield\Desktop.exe*" /Y
1⤵
PID:2760

C:\Users\Admin\AppData\Local\Temp\RarSFX0\bitsfx.txt
bitsfx.txt -p123
1⤵
- Executes dropped EXE
PID:2780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C bitsfx.txt -p123
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2668

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\RarSFX0\bitsfx.txt
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2780-11-0x00000000011A0000-0x00000000011A1000-memory.dmp

Filesize
4KB

Download