77e84010c8a9c313b0053e72c34d53e06e43ef4f132908ce8f2b074380d9cef3

Analysis

max time kernel
201s
max time network
166s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 23:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20777bb6c104af67be81df5178e587be.exe
Size

373KB
MD5

20777bb6c104af67be81df5178e587be
SHA1

0f574f8d0b9a0f82b1b20014180ed9bc19428da0
SHA256

77e84010c8a9c313b0053e72c34d53e06e43ef4f132908ce8f2b074380d9cef3
SHA512

5106838696bf71f081821237e468eb283dec2d29d2cf7ce1d4436cae137ab440643e1126dffc9a1cacb10599c530e12df5160b72c72ff69628b9c9e3bbc6b93f
SSDEEP

6144:UlZ/zUMu4pDSxsCMRzf7x3SfS1JAzXBtL76lLI24VLUU/F2j:UHLUMuiv9RgfSjAzRtyw9vFQ

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3012-0-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/3012-2-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/3012-3-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/3012-4-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/3012-5-0x0000000000400000-0x00000000004B8000-memory.dmp	upx

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/3012-4-0x0000000000400000-0x00000000004B8000-memory.dmp	autoit_exe
behavioral1/memory/3012-5-0x0000000000400000-0x00000000004B8000-memory.dmp	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
368	3012	WerFault.exe	11

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 368	3012	20777bb6c104af67be81df5178e587be.exe	29
PID 3012 wrote to memory of 368	3012	20777bb6c104af67be81df5178e587be.exe	29
PID 3012 wrote to memory of 368	3012	20777bb6c104af67be81df5178e587be.exe	29
PID 3012 wrote to memory of 368	3012	20777bb6c104af67be81df5178e587be.exe	29

C:\Users\Admin\AppData\Local\Temp\20777bb6c104af67be81df5178e587be.exe
"C:\Users\Admin\AppData\Local\Temp\20777bb6c104af67be81df5178e587be.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3012 -s 296
  2⤵
  - Program crash
  PID:368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3012-0-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/3012-2-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/3012-3-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/3012-4-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/3012-5-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download