82181feef7f771b83a2507f4190b584cb0098185765a8031fabcc11c8a1662bf

Analysis

max time kernel
132s
max time network
165s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30-12-2023 10:50

Target

166e66e2ebf35b6cd7dec9cc32148b17.exe
Size

1.0MB
MD5

166e66e2ebf35b6cd7dec9cc32148b17
SHA1

44da381061aafeaea7729c3a900d62a21a083def
SHA256

82181feef7f771b83a2507f4190b584cb0098185765a8031fabcc11c8a1662bf
SHA512

4c9f34f6ceb91eebb10d0c0bc0fcb364e453fadde52d6bbef5cfd4f05014e3adddba62e9af6e132f7270386673d9f1f58ac0cbbaf062e16c6b7dc7b59eb48008
SSDEEP

24576:I4lavt0LkLL9IMixoEFNYVAiEI7QYnbAhbK:fkwkn9IMSNYVf775bY

Score

5^/10

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/2924-0-0x0000000000400000-0x0000000000510000-memory.dmp	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

166e66e2ebf35b6cd7dec9cc32148b17.exe

pid process

2924 166e66e2ebf35b6cd7dec9cc32148b17.exe

pid	process
2924	166e66e2ebf35b6cd7dec9cc32148b17.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

166e66e2ebf35b6cd7dec9cc32148b17.exe

description	pid	process	target process
PID 2924 wrote to memory of 2240	2924	166e66e2ebf35b6cd7dec9cc32148b17.exe	MSBuild.exe
PID 2924 wrote to memory of 2240	2924	166e66e2ebf35b6cd7dec9cc32148b17.exe	MSBuild.exe
PID 2924 wrote to memory of 2240	2924	166e66e2ebf35b6cd7dec9cc32148b17.exe	MSBuild.exe
PID 2924 wrote to memory of 2240	2924	166e66e2ebf35b6cd7dec9cc32148b17.exe	MSBuild.exe
PID 2924 wrote to memory of 2240	2924	166e66e2ebf35b6cd7dec9cc32148b17.exe	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\166e66e2ebf35b6cd7dec9cc32148b17.exe
"C:\Users\Admin\AppData\Local\Temp\166e66e2ebf35b6cd7dec9cc32148b17.exe"
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Users\Admin\AppData\Local\Temp\166e66e2ebf35b6cd7dec9cc32148b17.exe"
  2⤵
  PID:2240

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\gwytcqttmkmc

Filesize
219KB

MD5
097a04a896638287260aad7889f6bc71

SHA1
470e52ef8aef07d757863dd809540ceeee52d6f9

SHA256
93af202ac85c36f2904e3ac3a768a5aa3b6d98a1746135bc53af5b0d0fe0fc9d

SHA512
5ba1ea01bb651cb9271e103a1dbb089c5114d1747a93a373e9ae962f5a6233a1d1e41713d4a07992324c10ee98c30d7e6d4c8a9da2ec84c9e6474f63ced92f9f

Download Submit
memory/2924-0-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2924-7-0x00000000025D0000-0x00000000025D1000-memory.dmp

Filesize
4KB

Download
memory/2924-8-0x0000000002620000-0x0000000002622000-memory.dmp

Filesize
8KB

Download