ebb903ae83929843d5e57d6c62a65b943692528b0d497f182c2715d235d970f1

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01/01/2024, 16:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d56798acd7663e6c2e9fce019cc7082.exe
Size

23KB
MD5

3d56798acd7663e6c2e9fce019cc7082
SHA1

8e1ea743b4a66ebadedff458b75c37f63124af6c
SHA256

ebb903ae83929843d5e57d6c62a65b943692528b0d497f182c2715d235d970f1
SHA512

e6cf9189fb6f4fc25114a72f1e4f5d887864c63b1c709160cc98b1bd818e1db7fbac7cb49bd12e16c10bf8f7999b24b21efa189adc5e7fe3853eec14aff22890
SSDEEP

384:l/KN6wD5pzAUz0k8vsXdpVmw3aon7D5k0tSY5j2y4spR:Kp5mUQ0XdpV5ag76wSA2y4s

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2696	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
2252	3d56798acd7663e6c2e9fce019cc7082.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2252-0-0x0000000000400000-0x0000000000412000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nskhelper2.sys	3d56798acd7663e6c2e9fce019cc7082.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2252	3d56798acd7663e6c2e9fce019cc7082.exe
2252	3d56798acd7663e6c2e9fce019cc7082.exe
2252	3d56798acd7663e6c2e9fce019cc7082.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
476	Process not Found

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 1412	2252	3d56798acd7663e6c2e9fce019cc7082.exe	28
PID 2252 wrote to memory of 1412	2252	3d56798acd7663e6c2e9fce019cc7082.exe	28
PID 2252 wrote to memory of 1412	2252	3d56798acd7663e6c2e9fce019cc7082.exe	28
PID 2252 wrote to memory of 1412	2252	3d56798acd7663e6c2e9fce019cc7082.exe	28
PID 2252 wrote to memory of 2696	2252	3d56798acd7663e6c2e9fce019cc7082.exe	29
PID 2252 wrote to memory of 2696	2252	3d56798acd7663e6c2e9fce019cc7082.exe	29
PID 2252 wrote to memory of 2696	2252	3d56798acd7663e6c2e9fce019cc7082.exe	29
PID 2252 wrote to memory of 2696	2252	3d56798acd7663e6c2e9fce019cc7082.exe	29

C:\Users\Admin\AppData\Local\Temp\3d56798acd7663e6c2e9fce019cc7082.exe
"C:\Users\Admin\AppData\Local\Temp\3d56798acd7663e6c2e9fce019cc7082.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:1412
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\259406902.bat" "
  2⤵
  - Deletes itself
  PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\259406902.bat

Filesize
241B

MD5
e5d06643ae88c925bbd1870e7eda820d

SHA1
ec02af9d7468c0ded232721b78d52da75e373767

SHA256
7b9633fa83faa1734db18a78da3f04cbc962d8e09457c77bacdeba5a120564ab

SHA512
05cb6141ecc5d12117ddc401b9d9c10176874f70103af2d5cacb19190566199f2349d413dd95e18b885451faa5fcbcf75b27bcf3f076c6bde4c4ac865bedc762

Download Submit
\Users\Admin\AppData\Local\Temp\dll844.dll

Filesize
41KB

MD5
c63e9b4358bf385202e6b58f7891b2c2

SHA1
fe248d3c9cae7580e06d8285a09f75a957e7bca0

SHA256
f996b1f6c9fca4d5d380d269a4d593dde3d51f7af227a1419acf7d8c3b5ea48c

SHA512
2f562d1339564c3028adbe5b29206e91d7da1a8b6822cf5bd1f5cbf1c8c9a9a968d08c846d887334e09b250dd2e389e042deb098c8dffd40b5665576d3ff4bd8

Download Submit
memory/2252-0-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download