26adec574d89e8f68e0d413155917a7348f80ebaa9e63a26945169c61280fad7

Analysis

max time kernel
140s
max time network
119s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
07/01/2024, 02:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

47d69deb361f37818ab99cd4ba85d0c3.exe
Size

162KB
MD5

47d69deb361f37818ab99cd4ba85d0c3
SHA1

d8165b6732d6f726c60ea9dcc87c70382100aa1e
SHA256

26adec574d89e8f68e0d413155917a7348f80ebaa9e63a26945169c61280fad7
SHA512

f0a1f8a4ae261afbfcd535a326010294be39fca2eab62dd994dea6bec0cee3a249188c2c7cdaaa8847138afe49154a5260cadbc318bd7dbc76d7ea9ca87eb34f
SSDEEP

1536:atqTQMx4H5izeIBBTGr4MuseQ4TpeZ4u1E5EqE/JxG:bJxaRkN3seTTpdu5JxG

Score

7^/10

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2864	lsass.exe

Loads dropped DLL 2 IoCs

pid	Process
2232	47d69deb361f37818ab99cd4ba85d0c3.exe
2232	47d69deb361f37818ab99cd4ba85d0c3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2552	2232	47d69deb361f37818ab99cd4ba85d0c3.exe	28
PID 2232 wrote to memory of 2552	2232	47d69deb361f37818ab99cd4ba85d0c3.exe	28
PID 2232 wrote to memory of 2552	2232	47d69deb361f37818ab99cd4ba85d0c3.exe	28
PID 2232 wrote to memory of 2552	2232	47d69deb361f37818ab99cd4ba85d0c3.exe	28
PID 2232 wrote to memory of 2380	2232	47d69deb361f37818ab99cd4ba85d0c3.exe	31
PID 2232 wrote to memory of 2380	2232	47d69deb361f37818ab99cd4ba85d0c3.exe	31
PID 2232 wrote to memory of 2380	2232	47d69deb361f37818ab99cd4ba85d0c3.exe	31
PID 2232 wrote to memory of 2380	2232	47d69deb361f37818ab99cd4ba85d0c3.exe	31
PID 2232 wrote to memory of 2864	2232	47d69deb361f37818ab99cd4ba85d0c3.exe	32
PID 2232 wrote to memory of 2864	2232	47d69deb361f37818ab99cd4ba85d0c3.exe	32
PID 2232 wrote to memory of 2864	2232	47d69deb361f37818ab99cd4ba85d0c3.exe	32
PID 2232 wrote to memory of 2864	2232	47d69deb361f37818ab99cd4ba85d0c3.exe	32
PID 2864 wrote to memory of 2608	2864	lsass.exe	33
PID 2864 wrote to memory of 2608	2864	lsass.exe	33
PID 2864 wrote to memory of 2608	2864	lsass.exe	33
PID 2864 wrote to memory of 2608	2864	lsass.exe	33

C:\Users\Admin\AppData\Local\Temp\47d69deb361f37818ab99cd4ba85d0c3.exe
"C:\Users\Admin\AppData\Local\Temp\47d69deb361f37818ab99cd4ba85d0c3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\47d69deb361f37818ab99cd4ba85d0c3.exe" "C:\temp8661.tmp"
  2⤵
  PID:2552
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\47d69deb361f37818ab99cd4ba85d0c3.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe"
  2⤵
  - Drops startup file
  PID:2380
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2864
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe" "C:\temp3945.tmp"
    3⤵
    PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2232-8-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2864-13-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2864-14-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2864-15-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2864-16-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2864-17-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2864-18-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2864-19-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2864-20-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2864-21-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2864-22-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2864-23-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2864-24-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2864-25-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download