fc45b978ed9187c95982fba06da72c4477c514e95b69a17bd9b6cc2974dc789f

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 14:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b03c438d9166a149a8d89d162de55ac.exe
Size

98KB
MD5

1b03c438d9166a149a8d89d162de55ac
SHA1

a95fcb133889bcacef05e9e8543c72a02d988d8a
SHA256

fc45b978ed9187c95982fba06da72c4477c514e95b69a17bd9b6cc2974dc789f
SHA512

bb5b0be6355af4fd81fac6b5219ac21a01a65967432f4a509904c927f10c68daa1ff622b524893abc9f1d385e9cf63ae366e01429193c847a62d6c0f4db874d1
SSDEEP

1536:V0iGPMjfdGc6wl8bFhuqit6GjJpwCqbbk4B7qZYnouy8BFvJ3/FK1SIz:RGkjlgwapuYCqPk4B7qZQout/G

Score

7^/10

discovery upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3056	cmd.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2248-0-0x0000000000400000-0x0000000000523000-memory.dmp	upx
behavioral1/memory/2248-9-0x0000000000400000-0x0000000000523000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	1b03c438d9166a149a8d89d162de55ac.exe
File opened (read-only)	\??\L:	1b03c438d9166a149a8d89d162de55ac.exe
File opened (read-only)	\??\R:	1b03c438d9166a149a8d89d162de55ac.exe
File opened (read-only)	\??\W:	1b03c438d9166a149a8d89d162de55ac.exe
File opened (read-only)	\??\Y:	1b03c438d9166a149a8d89d162de55ac.exe
File opened (read-only)	\??\J:	1b03c438d9166a149a8d89d162de55ac.exe
File opened (read-only)	\??\K:	1b03c438d9166a149a8d89d162de55ac.exe
File opened (read-only)	\??\M:	1b03c438d9166a149a8d89d162de55ac.exe
File opened (read-only)	\??\Q:	1b03c438d9166a149a8d89d162de55ac.exe
File opened (read-only)	\??\S:	1b03c438d9166a149a8d89d162de55ac.exe
File opened (read-only)	\??\V:	1b03c438d9166a149a8d89d162de55ac.exe
File opened (read-only)	\??\X:	1b03c438d9166a149a8d89d162de55ac.exe
File opened (read-only)	\??\Z:	1b03c438d9166a149a8d89d162de55ac.exe
File opened (read-only)	\??\O:	1b03c438d9166a149a8d89d162de55ac.exe
File opened (read-only)	\??\T:	1b03c438d9166a149a8d89d162de55ac.exe
File opened (read-only)	\??\U:	1b03c438d9166a149a8d89d162de55ac.exe
File opened (read-only)	\??\A:	1b03c438d9166a149a8d89d162de55ac.exe
File opened (read-only)	\??\B:	1b03c438d9166a149a8d89d162de55ac.exe
File opened (read-only)	\??\E:	1b03c438d9166a149a8d89d162de55ac.exe
File opened (read-only)	\??\G:	1b03c438d9166a149a8d89d162de55ac.exe
File opened (read-only)	\??\I:	1b03c438d9166a149a8d89d162de55ac.exe
File opened (read-only)	\??\N:	1b03c438d9166a149a8d89d162de55ac.exe
File opened (read-only)	\??\P:	1b03c438d9166a149a8d89d162de55ac.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2248	1b03c438d9166a149a8d89d162de55ac.exe
2248	1b03c438d9166a149a8d89d162de55ac.exe
2248	1b03c438d9166a149a8d89d162de55ac.exe
2248	1b03c438d9166a149a8d89d162de55ac.exe
2248	1b03c438d9166a149a8d89d162de55ac.exe
2248	1b03c438d9166a149a8d89d162de55ac.exe
2248	1b03c438d9166a149a8d89d162de55ac.exe
2248	1b03c438d9166a149a8d89d162de55ac.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 3056	2248	1b03c438d9166a149a8d89d162de55ac.exe	28
PID 2248 wrote to memory of 3056	2248	1b03c438d9166a149a8d89d162de55ac.exe	28
PID 2248 wrote to memory of 3056	2248	1b03c438d9166a149a8d89d162de55ac.exe	28
PID 2248 wrote to memory of 3056	2248	1b03c438d9166a149a8d89d162de55ac.exe	28

C:\Users\Admin\AppData\Local\Temp\1b03c438d9166a149a8d89d162de55ac.exe
"C:\Users\Admin\AppData\Local\Temp\1b03c438d9166a149a8d89d162de55ac.exe"
1⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\\uninstf7614a9.bat" "C:\Users\Admin\AppData\Local\Temp\1b03c438d9166a149a8d89d162de55ac.exe""
  2⤵
  - Deletes itself
  PID:3056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\uninstf7614a9.bat

Filesize
59B

MD5
2988b921fbed03f9c93c5d538932bbe3

SHA1
4b791b3d59ae76ff091c2cf201b40f5d1b432a3f

SHA256
a1769979622d3d25829be12474ad32ccfdfcac59785dac2fc10ae49c300e4ea3

SHA512
2920c6e9851973371dc238da1ee3c63d41c7820637856ee92c67e9489c1790e3fad287d229440d124e60b978f6819d04b47c40de9034cbd9de422aaafc2b07f9

Download Submit
memory/2248-0-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2248-9-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download