5b43a30d7ddbb0357a29e6592a84e3fd3d82369f97d324b12dde28b806f69bf1

Analysis

max time kernel
150s
max time network
133s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01-01-2024 19:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3db45d73a819ddadeb2b2967e16bfead.exe
Size

1014KB
MD5

3db45d73a819ddadeb2b2967e16bfead
SHA1

0ed78d4d84e59020b1a7eb88799fb04290820be7
SHA256

5b43a30d7ddbb0357a29e6592a84e3fd3d82369f97d324b12dde28b806f69bf1
SHA512

4ca7d268b938af3d93c5183d470fbce7d75cba85833c1b3e95b1ff5f863cc5fe991be8fb811f3b2ba6bc3e258f4d1488104df70bdc5ef972ac5a4ae41a75cc76
SSDEEP

12288:ZGYq6z7lPngsxhwrZ4vZyf5RFlYlBXSR6jJimvyAcAbK0p8FdoS:0H+BYsx6ruvCTCBXSYjcmNcAC

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2332	UpdateOffice.exe
2836	UpdateOffice.exe

Loads dropped DLL 10 IoCs

pid	Process
2548	cmd.exe
2332	UpdateOffice.exe
2332	UpdateOffice.exe
2332	UpdateOffice.exe
2332	UpdateOffice.exe
2332	UpdateOffice.exe
2836	UpdateOffice.exe
2836	UpdateOffice.exe
2836	UpdateOffice.exe
2836	UpdateOffice.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1152-0-0x0000000000400000-0x00000000004FF000-memory.dmp	upx
behavioral1/memory/1152-12-0x0000000000400000-0x00000000004FF000-memory.dmp	upx
behavioral1/files/0x000d00000001233d-14.dat	upx
behavioral1/memory/2548-19-0x0000000002380000-0x000000000247F000-memory.dmp	upx
behavioral1/files/0x0008000000015654-26.dat	upx
behavioral1/files/0x0008000000015654-25.dat	upx
behavioral1/files/0x0008000000015654-24.dat	upx
behavioral1/memory/2332-23-0x0000000000400000-0x00000000004FF000-memory.dmp	upx
behavioral1/memory/2332-32-0x0000000000400000-0x00000000004FF000-memory.dmp	upx
behavioral1/memory/2836-355-0x0000000000400000-0x00000000004FF000-memory.dmp	upx
behavioral1/memory/2836-356-0x0000000000B00000-0x0000000000BFF000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 5 IoCs

Remote System Discovery

T1018

pid	Process
1600	PING.EXE
2916	PING.EXE
2236	PING.EXE
1592	PING.EXE
2580	PING.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1152 wrote to memory of 2548	1152	3db45d73a819ddadeb2b2967e16bfead.exe	28
PID 1152 wrote to memory of 2548	1152	3db45d73a819ddadeb2b2967e16bfead.exe	28
PID 1152 wrote to memory of 2548	1152	3db45d73a819ddadeb2b2967e16bfead.exe	28
PID 1152 wrote to memory of 2548	1152	3db45d73a819ddadeb2b2967e16bfead.exe	28
PID 2548 wrote to memory of 2332	2548	cmd.exe	31
PID 2548 wrote to memory of 2332	2548	cmd.exe	31
PID 2548 wrote to memory of 2332	2548	cmd.exe	31
PID 2548 wrote to memory of 2332	2548	cmd.exe	31
PID 2548 wrote to memory of 2332	2548	cmd.exe	31
PID 2548 wrote to memory of 2332	2548	cmd.exe	31
PID 2548 wrote to memory of 2332	2548	cmd.exe	31
PID 2332 wrote to memory of 2836	2332	UpdateOffice.exe	30
PID 2332 wrote to memory of 2836	2332	UpdateOffice.exe	30
PID 2332 wrote to memory of 2836	2332	UpdateOffice.exe	30
PID 2332 wrote to memory of 2836	2332	UpdateOffice.exe	30
PID 2332 wrote to memory of 2836	2332	UpdateOffice.exe	30
PID 2332 wrote to memory of 2836	2332	UpdateOffice.exe	30
PID 2332 wrote to memory of 2836	2332	UpdateOffice.exe	30
PID 2836 wrote to memory of 2020	2836	UpdateOffice.exe	32
PID 2836 wrote to memory of 2020	2836	UpdateOffice.exe	32
PID 2836 wrote to memory of 2020	2836	UpdateOffice.exe	32
PID 2836 wrote to memory of 2020	2836	UpdateOffice.exe	32
PID 2836 wrote to memory of 2020	2836	UpdateOffice.exe	32
PID 2836 wrote to memory of 2020	2836	UpdateOffice.exe	32
PID 2836 wrote to memory of 2020	2836	UpdateOffice.exe	32
PID 2020 wrote to memory of 1600	2020	cmd.exe	34
PID 2020 wrote to memory of 1600	2020	cmd.exe	34
PID 2020 wrote to memory of 1600	2020	cmd.exe	34
PID 2020 wrote to memory of 1600	2020	cmd.exe	34
PID 2020 wrote to memory of 1600	2020	cmd.exe	34
PID 2020 wrote to memory of 1600	2020	cmd.exe	34
PID 2020 wrote to memory of 1600	2020	cmd.exe	34
PID 2836 wrote to memory of 2868	2836	UpdateOffice.exe	35
PID 2836 wrote to memory of 2868	2836	UpdateOffice.exe	35
PID 2836 wrote to memory of 2868	2836	UpdateOffice.exe	35
PID 2836 wrote to memory of 2868	2836	UpdateOffice.exe	35
PID 2836 wrote to memory of 2868	2836	UpdateOffice.exe	35
PID 2836 wrote to memory of 2868	2836	UpdateOffice.exe	35
PID 2836 wrote to memory of 2868	2836	UpdateOffice.exe	35
PID 2868 wrote to memory of 2916	2868	cmd.exe	37
PID 2868 wrote to memory of 2916	2868	cmd.exe	37
PID 2868 wrote to memory of 2916	2868	cmd.exe	37
PID 2868 wrote to memory of 2916	2868	cmd.exe	37
PID 2868 wrote to memory of 2916	2868	cmd.exe	37
PID 2868 wrote to memory of 2916	2868	cmd.exe	37
PID 2868 wrote to memory of 2916	2868	cmd.exe	37
PID 2836 wrote to memory of 2584	2836	UpdateOffice.exe	40
PID 2836 wrote to memory of 2584	2836	UpdateOffice.exe	40
PID 2836 wrote to memory of 2584	2836	UpdateOffice.exe	40
PID 2836 wrote to memory of 2584	2836	UpdateOffice.exe	40
PID 2836 wrote to memory of 2584	2836	UpdateOffice.exe	40
PID 2836 wrote to memory of 2584	2836	UpdateOffice.exe	40
PID 2836 wrote to memory of 2584	2836	UpdateOffice.exe	40
PID 2584 wrote to memory of 2236	2584	cmd.exe	42
PID 2584 wrote to memory of 2236	2584	cmd.exe	42
PID 2584 wrote to memory of 2236	2584	cmd.exe	42
PID 2584 wrote to memory of 2236	2584	cmd.exe	42
PID 2584 wrote to memory of 2236	2584	cmd.exe	42
PID 2584 wrote to memory of 2236	2584	cmd.exe	42
PID 2584 wrote to memory of 2236	2584	cmd.exe	42
PID 2836 wrote to memory of 2884	2836	UpdateOffice.exe	43
PID 2836 wrote to memory of 2884	2836	UpdateOffice.exe	43
PID 2836 wrote to memory of 2884	2836	UpdateOffice.exe	43
PID 2836 wrote to memory of 2884	2836	UpdateOffice.exe	43

C:\Users\Admin\AppData\Local\Temp\3db45d73a819ddadeb2b2967e16bfead.exe
"C:\Users\Admin\AppData\Local\Temp\3db45d73a819ddadeb2b2967e16bfead.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\PRINTE~1\100.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\UpBackup\UpdateOffice.exe
    C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\UpBackup\UpdateOffice.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2332

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\UpdateOffice.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\UpdateOffice.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2836
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\pangtip.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Windows\SysWOW64\PING.EXE
    ping www.majakil.in
    3⤵
    - Runs ping.exe
    PID:1600
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\pangtip.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Windows\SysWOW64\PING.EXE
    ping www.majakil.in
    3⤵
    - Runs ping.exe
    PID:2916
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\pangtip.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\Windows\SysWOW64\PING.EXE
    ping www.majakil.in
    3⤵
    - Runs ping.exe
    PID:2236
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\pangtip.bat" "
  2⤵
  PID:2884
- - C:\Windows\SysWOW64\PING.EXE
    ping www.majakil.in
    3⤵
    - Runs ping.exe
    PID:1592
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\pangtip.bat" "
  2⤵
  PID:2296
- - C:\Windows\SysWOW64\PING.EXE
    ping www.majakil.in
    3⤵
    - Runs ping.exe
    PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\PRINTE~1\100.bat

Filesize
389B

MD5
655fa5cc0d70e812418b181ffdb126d3

SHA1
6c0dedb7e45a0c6abe958af877e298d7646c6b74

SHA256
02a5f19f2197b26eed1c40a802986f05ea9cb06eacf425cb8c7916ad9de6ffad

SHA512
8fd8a1a5c47c3022817ece2423413cc5c5167472b72d15a1257c631b3201d69725aac4438bf8fd4977072fa02bd55de8ec92270b44f9e261049590eae830d6a4

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\PRINTE~1\UPDATE~1.EXE.pkxm

Filesize
87B

MD5
d211d6552340acb37dac80bdb968384b

SHA1
f331d54bfa937956426c9b69027d6b9766b474f7

SHA256
5ab9b205c4e3e52faa21b61e299e41a7aa4b5324604b1ed4622cd3eef7806603

SHA512
848fa2c4f35ba0b79db2e3a66d2641b2a319d71dfc58294e7e7c3c26133aaecfb790444527c132b2e41af20233af65b9c4e47598bcb168c42330cef73e3ec1f7

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\PRINTE~1\UpdateOffice.exe

Filesize
1014KB

MD5
3db45d73a819ddadeb2b2967e16bfead

SHA1
0ed78d4d84e59020b1a7eb88799fb04290820be7

SHA256
5b43a30d7ddbb0357a29e6592a84e3fd3d82369f97d324b12dde28b806f69bf1

SHA512
4ca7d268b938af3d93c5183d470fbce7d75cba85833c1b3e95b1ff5f863cc5fe991be8fb811f3b2ba6bc3e258f4d1488104df70bdc5ef972ac5a4ae41a75cc76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\pangtip.bat

Filesize
95B

MD5
e0269d57c870eb781220d0b7366bbfc5

SHA1
e2969a44523f9d4ba03cd46d9740f28eddecedd6

SHA256
cfe7ac6175017509af1a755ae08753a62c5f2ddf32a798dc067a095835deba9b

SHA512
a796a2cc4aa62255efa40c221f44948903548f4abc432213f6e5569091b3293120ce57dc709e8f2b613b8e91886a64c96f84dfce21e2199159426c1b3d0b5576

Download Submit
\Users\Admin\AppData\Roaming\MICROS~1\Windows\UpBackup\UpdateOffice.exe

Filesize
877KB

MD5
0fc7ad3ab38e3e09b2e028cdafac313a

SHA1
40cc8c337da52b26f04e6831f0ee571c103d4ecb

SHA256
40dd0c4aed6419096b3d38ec28dfebfaaa3b6a3b935b08b2a6624c326f179b61

SHA512
b48632b5d952fd428873a9f1a17f463e23906b705c077e1562e05441c7d612ebdb0dddfee2b845be6a9111202edcc2b7dc87d9e7f359cc4207b24dc8e8f20269

Download Submit
\Users\Admin\AppData\Roaming\MICROS~1\Windows\UpBackup\UpdateOffice.exe

Filesize
381KB

MD5
23cd5e7b22db3f0a80a7b33102e13ccd

SHA1
201cec03e01ae335dc27a8668a1f1c7b749802bc

SHA256
f62e8c80bbffd63faacde4631ee0ddc6737695c9ab3be3ee34d2234ccb465f49

SHA512
4add48514c38c29d9d898c0b13ff8b56f4d84afda867c53fe04458b18630082b8659c59c24086d939052a253f1b088f865c923b8d5eb62fa557fccabeb3cf62d

Download Submit
\Users\Admin\AppData\Roaming\MICROS~1\Windows\UpBackup\UpdateOffice.exe

Filesize
92KB

MD5
2f38ef149b94b83d290c5bdcbd67c75b

SHA1
81dbbf34d296a06247d49374316ad7fa51e5d959

SHA256
fe1394ed05ba9c7aefa19a5c2c05065432b5e9989ad2b7ddd5ce47c8e4d9253e

SHA512
07d85d764d02285a161effa0623df6729de71b8182207c4799c915e3472fd50bb590af25e2fac5346f7f45a57cea9f28dec9327d11742b9bdd3ac6aed3f43360

Download Submit
memory/1152-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1152-6-0x0000000003680000-0x0000000003690000-memory.dmp

Filesize
64KB

Download
memory/1152-12-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/1152-0-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/2332-23-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/2332-32-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/2332-27-0x0000000000AD0000-0x0000000000BCF000-memory.dmp

Filesize
1020KB

Download
memory/2332-29-0x0000000000BC0000-0x0000000000BD0000-memory.dmp

Filesize
64KB

Download
memory/2548-36-0x0000000002380000-0x000000000247F000-memory.dmp

Filesize
1020KB

Download
memory/2548-19-0x0000000002380000-0x000000000247F000-memory.dmp

Filesize
1020KB

Download
memory/2836-352-0x0000000003570000-0x0000000003580000-memory.dmp

Filesize
64KB

Download
memory/2836-355-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/2836-356-0x0000000000B00000-0x0000000000BFF000-memory.dmp

Filesize
1020KB

Download
memory/2836-357-0x0000000003570000-0x0000000003580000-memory.dmp

Filesize
64KB

Download