e8a14fa7733f03765f5c28a02b8057862ffc5d26195f3e717970d648b065a165

Analysis

max time kernel
282s
max time network
127s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01-01-2024 05:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e8a14fa7733f03765f5c28a02b8057862ffc5d26195f3e717970d648b065a165.exe
Size

5.3MB
MD5

97f28fc0ad22bd6edb9ab6ef96ded82e
SHA1

fb2797eb0c08c440e0d8dd5c076eb4833f86ce1f
SHA256

e8a14fa7733f03765f5c28a02b8057862ffc5d26195f3e717970d648b065a165
SHA512

0ca7a767bce16c793115036d14a108afc992b2c7418e47885aa5fb710239e97a7cbf35e85a46f8966b9bb48b26eb466439f933d9e1f165dc7530a4741b7c81fd
SSDEEP

98304:dwpbeh4p9ph30bTpDji7yejCO3vtY14TFSbYTrkXkHVC5f9robTL9dm4vlYYph8r:d8p9ph3oTli7HVVNxOO7H45f9UZU4NYz

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2712	XRJNZC.exe
2948	XRJNZC.exe
776	XRJNZC.exe
2676	XRJNZC.exe
1660	XRJNZC.exe
760	XRJNZC.exe

Loads dropped DLL 2 IoCs

pid	Process
2028	cmd.exe
2028	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2756	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2804	timeout.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1876 wrote to memory of 2028	1876	e8a14fa7733f03765f5c28a02b8057862ffc5d26195f3e717970d648b065a165.exe	29
PID 1876 wrote to memory of 2028	1876	e8a14fa7733f03765f5c28a02b8057862ffc5d26195f3e717970d648b065a165.exe	29
PID 1876 wrote to memory of 2028	1876	e8a14fa7733f03765f5c28a02b8057862ffc5d26195f3e717970d648b065a165.exe	29
PID 1876 wrote to memory of 2028	1876	e8a14fa7733f03765f5c28a02b8057862ffc5d26195f3e717970d648b065a165.exe	29
PID 2028 wrote to memory of 2804	2028	cmd.exe	30
PID 2028 wrote to memory of 2804	2028	cmd.exe	30
PID 2028 wrote to memory of 2804	2028	cmd.exe	30
PID 2028 wrote to memory of 2804	2028	cmd.exe	30
PID 2028 wrote to memory of 2712	2028	cmd.exe	31
PID 2028 wrote to memory of 2712	2028	cmd.exe	31
PID 2028 wrote to memory of 2712	2028	cmd.exe	31
PID 2028 wrote to memory of 2712	2028	cmd.exe	31
PID 2712 wrote to memory of 2756	2712	XRJNZC.exe	33
PID 2712 wrote to memory of 2756	2712	XRJNZC.exe	33
PID 2712 wrote to memory of 2756	2712	XRJNZC.exe	33
PID 2712 wrote to memory of 2756	2712	XRJNZC.exe	33
PID 2892 wrote to memory of 2948	2892	taskeng.exe	37
PID 2892 wrote to memory of 2948	2892	taskeng.exe	37
PID 2892 wrote to memory of 2948	2892	taskeng.exe	37
PID 2892 wrote to memory of 2948	2892	taskeng.exe	37
PID 2892 wrote to memory of 776	2892	taskeng.exe	38
PID 2892 wrote to memory of 776	2892	taskeng.exe	38
PID 2892 wrote to memory of 776	2892	taskeng.exe	38
PID 2892 wrote to memory of 776	2892	taskeng.exe	38
PID 2892 wrote to memory of 2676	2892	taskeng.exe	39
PID 2892 wrote to memory of 2676	2892	taskeng.exe	39
PID 2892 wrote to memory of 2676	2892	taskeng.exe	39
PID 2892 wrote to memory of 2676	2892	taskeng.exe	39
PID 2892 wrote to memory of 1660	2892	taskeng.exe	40
PID 2892 wrote to memory of 1660	2892	taskeng.exe	40
PID 2892 wrote to memory of 1660	2892	taskeng.exe	40
PID 2892 wrote to memory of 1660	2892	taskeng.exe	40
PID 2892 wrote to memory of 760	2892	taskeng.exe	41
PID 2892 wrote to memory of 760	2892	taskeng.exe	41
PID 2892 wrote to memory of 760	2892	taskeng.exe	41
PID 2892 wrote to memory of 760	2892	taskeng.exe	41

C:\Users\Admin\AppData\Local\Temp\e8a14fa7733f03765f5c28a02b8057862ffc5d26195f3e717970d648b065a165.exe
"C:\Users\Admin\AppData\Local\Temp\e8a14fa7733f03765f5c28a02b8057862ffc5d26195f3e717970d648b065a165.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1876
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\s1g4.0.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2804
- - C:\ProgramData\pinterests\XRJNZC.exe
    "C:\ProgramData\pinterests\XRJNZC.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /RL HIGHEST /tn "XRJNZC" /tr C:\ProgramData\pinterests\XRJNZC.exe /f
      4⤵
      Creates scheduled task(s)
      PID:2756

C:\Windows\system32\taskeng.exe
taskeng.exe {30490FE5-97A0-4918-90C1-82DB8B5EB6F6} S-1-5-21-1603059206-2004189698-4139800220-1000:AILVMYUM\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2892
- C:\ProgramData\pinterests\XRJNZC.exe
  C:\ProgramData\pinterests\XRJNZC.exe
  2⤵
  - Executes dropped EXE
  PID:2948
- C:\ProgramData\pinterests\XRJNZC.exe
  C:\ProgramData\pinterests\XRJNZC.exe
  2⤵
  - Executes dropped EXE
  PID:776
- C:\ProgramData\pinterests\XRJNZC.exe
  C:\ProgramData\pinterests\XRJNZC.exe
  2⤵
  - Executes dropped EXE
  PID:2676
- C:\ProgramData\pinterests\XRJNZC.exe
  C:\ProgramData\pinterests\XRJNZC.exe
  2⤵
  - Executes dropped EXE
  PID:1660
- C:\ProgramData\pinterests\XRJNZC.exe
  C:\ProgramData\pinterests\XRJNZC.exe
  2⤵
  - Executes dropped EXE
  PID:760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\pinterests\XRJNZC.exe

Filesize
1008KB

MD5
785f8700fcd4498b958ca01fe0c747a3

SHA1
b7c2291df0dd672b8c948386a17edfef9cda3954

SHA256
4d73645015288b64f2c9dd4e3e50582cd036c42a0c37c69ac3cf4d72b8fca0cd

SHA512
b0d3b38b6770194abdaf24d266d3adf653da1407a3a55be2cbfbb68855703435468651cc82f4875f8b52d11f11031dc5eb2880e3ab0ca4d8eaa71f877e0b9879

Download Submit
C:\ProgramData\pinterests\XRJNZC.exe

Filesize
4.6MB

MD5
e802697da6eab19b9cce184405a27b28

SHA1
b0e11d4222993dea1a139ccd07aeb95de61fea3e

SHA256
e290909604acb5f90d8581103a6c3d35e470bf27a034a244c8f7a80de5e47516

SHA512
7ead97237017b627f4140eed5381ed2b15656632d7f2b0a27dfdc70f45b47604dbc71eeeb4f354f96b30a89bcc0b07e7e2851965f5c89cf58572a9cc14567ec0

Download Submit
C:\ProgramData\pinterests\XRJNZC.exe

Filesize
5.3MB

MD5
97f28fc0ad22bd6edb9ab6ef96ded82e

SHA1
fb2797eb0c08c440e0d8dd5c076eb4833f86ce1f

SHA256
e8a14fa7733f03765f5c28a02b8057862ffc5d26195f3e717970d648b065a165

SHA512
0ca7a767bce16c793115036d14a108afc992b2c7418e47885aa5fb710239e97a7cbf35e85a46f8966b9bb48b26eb466439f933d9e1f165dc7530a4741b7c81fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\s1g4.0.bat

Filesize
176B

MD5
2322acd051848b974510f53b601aad7f

SHA1
e0df311c932b150a5f9aaec26dfea328bcfb40a8

SHA256
fb3bf43adb05c55ce9149c808224ef66d520e7de55cbc47073ffb2fee0d8ef18

SHA512
4de0009f0eaaf80b4d329d7e49dab7c7e037ed32718012b4072e3634b69f53dd9dffd161bb852656f49e62185c3b25b9a969a143d97e3d81b5d25ca9583ba9b3

Download Submit
\ProgramData\pinterests\XRJNZC.exe

Filesize
64KB

MD5
41448230e15cfe150c808252262fb935

SHA1
84e3be69f45e1b87cd7325d5cb3866f5844fd89e

SHA256
b7f05cfe471e4b434135f77b703740eb6d8bc76cc53044b80dbeaed56df61887

SHA512
a86d0a1c4563816aabbbd8eb3fffa15fb4a97c0428f4071ec14c1235efe75d73f6b9c796016bb4f76245bf168fb14da0de4819a0a17ed0b617b638f899af126e

Download Submit
\ProgramData\pinterests\XRJNZC.exe

Filesize
1.4MB

MD5
456be1b8d1cec9db6daf7ccfe3a0e6a5

SHA1
48761e22f7b43583b711e193f7eecf6920ddcf41

SHA256
4a016954fcb5df6a809c333ceacecf58d414b5ff4a7bf0dbeb6d527793636de1

SHA512
30a29def42be5916cdd422307efabddcc00ddb4c646dbe0359cabb6f1c473196bbd5a11de82edc250c8fce33981d4fd05fccfef0487773b099649cc995d9613a

Download Submit
memory/760-67-0x00000000010F0000-0x0000000001AF5000-memory.dmp

Filesize
10.0MB

Download
memory/760-62-0x00000000010F0000-0x0000000001AF5000-memory.dmp

Filesize
10.0MB

Download
memory/776-38-0x00000000010F0000-0x0000000001AF5000-memory.dmp

Filesize
10.0MB

Download
memory/776-43-0x00000000010F0000-0x0000000001AF5000-memory.dmp

Filesize
10.0MB

Download
memory/1660-59-0x00000000010F0000-0x0000000001AF5000-memory.dmp

Filesize
10.0MB

Download
memory/1660-54-0x00000000010F0000-0x0000000001AF5000-memory.dmp

Filesize
10.0MB

Download
memory/1876-0-0x0000000000F10000-0x0000000001915000-memory.dmp

Filesize
10.0MB

Download
memory/1876-5-0x0000000000F10000-0x0000000001915000-memory.dmp

Filesize
10.0MB

Download
memory/2676-51-0x00000000010F0000-0x0000000001AF5000-memory.dmp

Filesize
10.0MB

Download
memory/2676-46-0x00000000010F0000-0x0000000001AF5000-memory.dmp

Filesize
10.0MB

Download
memory/2712-27-0x00000000010F0000-0x0000000001AF5000-memory.dmp

Filesize
10.0MB

Download
memory/2712-22-0x00000000010F0000-0x0000000001AF5000-memory.dmp

Filesize
10.0MB

Download
memory/2948-35-0x00000000010F0000-0x0000000001AF5000-memory.dmp

Filesize
10.0MB

Download
memory/2948-30-0x00000000010F0000-0x0000000001AF5000-memory.dmp

Filesize
10.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads