Analysis

max time kernel: 151s
max time network: 161s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/12/2023, 21:40
Behavioral task: behavioral1
  Sample: 1d501bb383ed069f74657f920edb8044.exe
  Resource: win7-20231215-en

Behavioral task: behavioral2
  Sample: 1d501bb383ed069f74657f920edb8044.exe
  Resource: win10v2004-20231215-en
General

Target: 1d501bb383ed069f74657f920edb8044.exe
Size: 474KB
MD5: 1d501bb383ed069f74657f920edb8044
SHA1: 6fc4f449db13b8c4faf97fe1d623e9e11f40e29d
SHA256: 36c39f878a51e74083e90d2e1d350bb14c8b32f2b6db4af0f164475cc8e1ce73
SHA512: bed342e4d6a179b821b53b6db745991a9ac55248409c5401e8bf0e22f464d77824f62062b20eb9097998812c3c3a31620330eed330d05de79c148bb8ec4a19b6
SSDEEP: 12288:Eb1NwuGkcEah4/auHFkrfKOeBhjXsJcLkc1S:EbRpO4/aulKpUrsJIkcs
Malware Config
Signatures
resource                                      yara_rule
behavioral2/files/0x0006000000023223-9.dat    aspack_v212_v242
behavioral2/files/0x0006000000023223-15.dat   aspack_v212_v242
Executes dropped EXE (1 IoC)
pid    Process
4140   1d501bb383ed069f74657f920edb8044.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTP)
AutoIT Executable (21 IoCs)
AutoIT scripts compiled to PE executables.
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid    Process
3720   schtasks.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid    Process
4140   1d501bb383ed069f74657f920edb8044.exe
4140   1d501bb383ed069f74657f920edb8044.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid    Process
4140   1d501bb383ed069f74657f920edb8044.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description                          pid    Process                                 procid_target
PID 4136 wrote to memory of 1628     4136   1d501bb383ed069f74657f920edb8044.exe    100
PID 4136 wrote to memory of 1628     4136   1d501bb383ed069f74657f920edb8044.exe    100
PID 4136 wrote to memory of 1628     4136   1d501bb383ed069f74657f920edb8044.exe    100
PID 4136 wrote to memory of 4140     4136   1d501bb383ed069f74657f920edb8044.exe    102
PID 4136 wrote to memory of 4140     4136   1d501bb383ed069f74657f920edb8044.exe    102
PID 4136 wrote to memory of 4140     4136   1d501bb383ed069f74657f920edb8044.exe    102
PID 1628 wrote to memory of 3720     1628   cmd.exe                                 104
PID 1628 wrote to memory of 3720     1628   cmd.exe                                 104
PID 1628 wrote to memory of 3720     1628   cmd.exe                                 104
Processes

1. C:\Users\Admin\AppData\Local\Temp\1d501bb383ed069f74657f920edb8044.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1d501bb383ed069f74657f920edb8044.exe"
   - Suspicious use of WriteProcessMemory
   PID: 4136

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c schtasks /create /sc minute /mo 5 /tn affeUpdates /tr 'C:\Users\Admin\AppData\Local\Microsoft\Windows\1d501bb383ed069f74657f920edb8044.exe'
      - Suspicious use of WriteProcessMemory
      PID: 1628

      3. C:\Windows\SysWOW64\schtasks.exe
         Command line: schtasks /create /sc minute /mo 5 /tn affeUpdates /tr 'C:\Users\Admin\AppData\Local\Microsoft\Windows\1d501bb383ed069f74657f920edb8044.exe'
         - Creates scheduled task(s)
         PID: 3720

   2. C:\Users\Admin\AppData\Local\Microsoft\Windows\1d501bb383ed069f74657f920edb8044.exe
      Command line: C:\Users\Admin\AppData\Local\Microsoft\Windows\1d501bb383ed069f74657f920edb8044.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      PID: 4140
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 210KB
MD5: bd3fa7eacd32e2d611398f0d518e9d7d
SHA1: 14fa8a57926523806225d2bc5b2e81187d0e1166
SHA256: 01e7cfdf7169a462a98425f3c8bed064d9ca862a6aec7e23723c2108186c3a01
SHA512: 1ad395ac087a103aa9ce49add0c44ec724ebfbbdd0b22c150c878108fd4899221cc45af0c7b26197a1f5eebf5ac3b1f4adfa1b049e8c848ca76662f33d1b952e

Filesize: 474KB
MD5: 1d501bb383ed069f74657f920edb8044
SHA1: 6fc4f449db13b8c4faf97fe1d623e9e11f40e29d
SHA256: 36c39f878a51e74083e90d2e1d350bb14c8b32f2b6db4af0f164475cc8e1ce73
SHA512: bed342e4d6a179b821b53b6db745991a9ac55248409c5401e8bf0e22f464d77824f62062b20eb9097998812c3c3a31620330eed330d05de79c148bb8ec4a19b6