00deb73a1738a3b3bfd9504b70775d668581f504481c7f37c20831504f9b77aa

Analysis

max time kernel
79s
max time network
187s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31-12-2023 02:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

сентябрь 2023(570)/045cbc9ff518aa3bf58f568868c326af3ea7dea491e2543233885ecbaec30eee.exe
Size

353KB
MD5

ea43f0645fd447ab4201f8d695876740
SHA1

6d0f0a6000cb9a2d4faf45eeac86ac7b6cf2dd08
SHA256

045cbc9ff518aa3bf58f568868c326af3ea7dea491e2543233885ecbaec30eee
SHA512

bc232de46325c6ff6272d37bd1170dbb5d10e8ba2faa9db8fd5c24891542f1c0149a54787deb10a57a55a4a1efbe6d370e8f0270408f563b775d34bbc6d380ee
SSDEEP

6144:aSOvOmqgkVGrLda6FvB76uWBM+evnWI+Xiw:ah71kVGHdaBuH+efWI+Xi

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2040 taskkill.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 2040 taskkill.exe

pid	process
2040	taskkill.exe

description	pid	process
Token: SeDebugPrivilege	2040	taskkill.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

045cbc9ff518aa3bf58f568868c326af3ea7dea491e2543233885ecbaec30eee.execmd.exe

description	pid	process	target process
PID 292 wrote to memory of 1984	292	045cbc9ff518aa3bf58f568868c326af3ea7dea491e2543233885ecbaec30eee.exe	cmd.exe
PID 292 wrote to memory of 1984	292	045cbc9ff518aa3bf58f568868c326af3ea7dea491e2543233885ecbaec30eee.exe	cmd.exe
PID 292 wrote to memory of 1984	292	045cbc9ff518aa3bf58f568868c326af3ea7dea491e2543233885ecbaec30eee.exe	cmd.exe
PID 292 wrote to memory of 1984	292	045cbc9ff518aa3bf58f568868c326af3ea7dea491e2543233885ecbaec30eee.exe	cmd.exe
PID 292 wrote to memory of 1516	292	045cbc9ff518aa3bf58f568868c326af3ea7dea491e2543233885ecbaec30eee.exe	cmd.exe
PID 292 wrote to memory of 1516	292	045cbc9ff518aa3bf58f568868c326af3ea7dea491e2543233885ecbaec30eee.exe	cmd.exe
PID 292 wrote to memory of 1516	292	045cbc9ff518aa3bf58f568868c326af3ea7dea491e2543233885ecbaec30eee.exe	cmd.exe
PID 292 wrote to memory of 1516	292	045cbc9ff518aa3bf58f568868c326af3ea7dea491e2543233885ecbaec30eee.exe	cmd.exe
PID 292 wrote to memory of 2748	292	045cbc9ff518aa3bf58f568868c326af3ea7dea491e2543233885ecbaec30eee.exe	cmd.exe
PID 292 wrote to memory of 2748	292	045cbc9ff518aa3bf58f568868c326af3ea7dea491e2543233885ecbaec30eee.exe	cmd.exe
PID 292 wrote to memory of 2748	292	045cbc9ff518aa3bf58f568868c326af3ea7dea491e2543233885ecbaec30eee.exe	cmd.exe
PID 292 wrote to memory of 2748	292	045cbc9ff518aa3bf58f568868c326af3ea7dea491e2543233885ecbaec30eee.exe	cmd.exe
PID 292 wrote to memory of 2972	292	045cbc9ff518aa3bf58f568868c326af3ea7dea491e2543233885ecbaec30eee.exe	cmd.exe
PID 292 wrote to memory of 2972	292	045cbc9ff518aa3bf58f568868c326af3ea7dea491e2543233885ecbaec30eee.exe	cmd.exe
PID 292 wrote to memory of 2972	292	045cbc9ff518aa3bf58f568868c326af3ea7dea491e2543233885ecbaec30eee.exe	cmd.exe
PID 292 wrote to memory of 2972	292	045cbc9ff518aa3bf58f568868c326af3ea7dea491e2543233885ecbaec30eee.exe	cmd.exe
PID 292 wrote to memory of 580	292	045cbc9ff518aa3bf58f568868c326af3ea7dea491e2543233885ecbaec30eee.exe	cmd.exe
PID 292 wrote to memory of 580	292	045cbc9ff518aa3bf58f568868c326af3ea7dea491e2543233885ecbaec30eee.exe	cmd.exe
PID 292 wrote to memory of 580	292	045cbc9ff518aa3bf58f568868c326af3ea7dea491e2543233885ecbaec30eee.exe	cmd.exe
PID 292 wrote to memory of 580	292	045cbc9ff518aa3bf58f568868c326af3ea7dea491e2543233885ecbaec30eee.exe	cmd.exe
PID 580 wrote to memory of 2040	580	cmd.exe	taskkill.exe
PID 580 wrote to memory of 2040	580	cmd.exe	taskkill.exe
PID 580 wrote to memory of 2040	580	cmd.exe	taskkill.exe
PID 580 wrote to memory of 2040	580	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\сентябрь 2023(570)\045cbc9ff518aa3bf58f568868c326af3ea7dea491e2543233885ecbaec30eee.exe
"C:\Users\Admin\AppData\Local\Temp\сентябрь 2023(570)\045cbc9ff518aa3bf58f568868c326af3ea7dea491e2543233885ecbaec30eee.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:292
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\3079079840.exe"
  2⤵
  PID:1984
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\5387836408.exe"
  2⤵
  PID:1516
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\8583212122.exe"
  2⤵
  PID:2748
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\3056344257.exe"
  2⤵
  PID:2972
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /im "045cbc9ff518aa3bf58f568868c326af3ea7dea491e2543233885ecbaec30eee.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\???????? 2023(570)\045cbc9ff518aa3bf58f568868c326af3ea7dea491e2543233885ecbaec30eee.exe" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:580
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im "045cbc9ff518aa3bf58f568868c326af3ea7dea491e2543233885ecbaec30eee.exe" /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3056344257.exe

Filesize
34B

MD5
75fb0faeb08281270ecd3d726609b2fd

SHA1
3492de726e42411c2d9c99adc78f2de71e21a462

SHA256
01fcaba669ad9bf7534cc95ef1ca8c569ae63da811cde446332fa5867bfa7a1a

SHA512
f40eb1cf2067bf0de40b4565cde09ce3b7e134b854129c86794e6fd75d402b242e2bc43a9de0279ed3c65424dae57ef51ce5f986cdd79c29cde71c1e8144f8ed

Download Submit
memory/292-1-0x0000000002620000-0x0000000002720000-memory.dmp

Filesize
1024KB

Download
memory/292-2-0x00000000002A0000-0x00000000002DE000-memory.dmp

Filesize
248KB

Download
memory/292-3-0x0000000000400000-0x00000000025AB000-memory.dmp

Filesize
33.7MB

Download
memory/292-29-0x00000000002A0000-0x00000000002DE000-memory.dmp

Filesize
248KB

Download
memory/292-30-0x0000000002620000-0x0000000002720000-memory.dmp

Filesize
1024KB

Download
memory/292-28-0x0000000000400000-0x00000000025AB000-memory.dmp

Filesize
33.7MB

Download