6d037779c2fc7194e31211c125d34c62cf379746c99ba315d6f183bfcb393623

Analysis

max time kernel
295s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
08-01-2024 04:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6d037779c2fc7194e31211c125d34c62cf379746c99ba315d6f183bfcb393623.exe
Size

5.3MB
MD5

2dbca579d5438924eb64d303a51212ee
SHA1

3a02566cdca7a91a0b93ea2280848ec019680dc4
SHA256

6d037779c2fc7194e31211c125d34c62cf379746c99ba315d6f183bfcb393623
SHA512

6a380d02994a6a20f3acbd9de4440b9b0c21ba88fc71ca65e6ff0303f90fc6b3c5d94bd49ad5fbae7c1152d0ef9820a8278e78f602ac35fead601acc4071ed85
SSDEEP

98304:+UuycPKVtL240Nh23rpNk6jFqgBLdxEfSs4pC4uflHGz0EF1MorDWqcwIftwQAW+:+UuyxZ2400sIqgVdOSs4wH9GIGOoXLOM

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2720	XRJNZC.exe
3028	XRJNZC.exe
2952	XRJNZC.exe
2420	XRJNZC.exe
1628	XRJNZC.exe
2404	XRJNZC.exe

Loads dropped DLL 2 IoCs

pid	Process
2712	cmd.exe
2712	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2732	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2796	timeout.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1868 wrote to memory of 2712	1868	6d037779c2fc7194e31211c125d34c62cf379746c99ba315d6f183bfcb393623.exe	30
PID 1868 wrote to memory of 2712	1868	6d037779c2fc7194e31211c125d34c62cf379746c99ba315d6f183bfcb393623.exe	30
PID 1868 wrote to memory of 2712	1868	6d037779c2fc7194e31211c125d34c62cf379746c99ba315d6f183bfcb393623.exe	30
PID 1868 wrote to memory of 2712	1868	6d037779c2fc7194e31211c125d34c62cf379746c99ba315d6f183bfcb393623.exe	30
PID 2712 wrote to memory of 2796	2712	cmd.exe	29
PID 2712 wrote to memory of 2796	2712	cmd.exe	29
PID 2712 wrote to memory of 2796	2712	cmd.exe	29
PID 2712 wrote to memory of 2796	2712	cmd.exe	29
PID 2712 wrote to memory of 2720	2712	cmd.exe	31
PID 2712 wrote to memory of 2720	2712	cmd.exe	31
PID 2712 wrote to memory of 2720	2712	cmd.exe	31
PID 2712 wrote to memory of 2720	2712	cmd.exe	31
PID 2720 wrote to memory of 2732	2720	XRJNZC.exe	33
PID 2720 wrote to memory of 2732	2720	XRJNZC.exe	33
PID 2720 wrote to memory of 2732	2720	XRJNZC.exe	33
PID 2720 wrote to memory of 2732	2720	XRJNZC.exe	33
PID 1180 wrote to memory of 3028	1180	taskeng.exe	37
PID 1180 wrote to memory of 3028	1180	taskeng.exe	37
PID 1180 wrote to memory of 3028	1180	taskeng.exe	37
PID 1180 wrote to memory of 3028	1180	taskeng.exe	37
PID 1180 wrote to memory of 2952	1180	taskeng.exe	38
PID 1180 wrote to memory of 2952	1180	taskeng.exe	38
PID 1180 wrote to memory of 2952	1180	taskeng.exe	38
PID 1180 wrote to memory of 2952	1180	taskeng.exe	38
PID 1180 wrote to memory of 2420	1180	taskeng.exe	39
PID 1180 wrote to memory of 2420	1180	taskeng.exe	39
PID 1180 wrote to memory of 2420	1180	taskeng.exe	39
PID 1180 wrote to memory of 2420	1180	taskeng.exe	39
PID 1180 wrote to memory of 1628	1180	taskeng.exe	40
PID 1180 wrote to memory of 1628	1180	taskeng.exe	40
PID 1180 wrote to memory of 1628	1180	taskeng.exe	40
PID 1180 wrote to memory of 1628	1180	taskeng.exe	40
PID 1180 wrote to memory of 2404	1180	taskeng.exe	41
PID 1180 wrote to memory of 2404	1180	taskeng.exe	41
PID 1180 wrote to memory of 2404	1180	taskeng.exe	41
PID 1180 wrote to memory of 2404	1180	taskeng.exe	41

C:\Users\Admin\AppData\Local\Temp\6d037779c2fc7194e31211c125d34c62cf379746c99ba315d6f183bfcb393623.exe
"C:\Users\Admin\AppData\Local\Temp\6d037779c2fc7194e31211c125d34c62cf379746c99ba315d6f183bfcb393623.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1868
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\s1fw.0.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\ProgramData\pinterests\XRJNZC.exe
    "C:\ProgramData\pinterests\XRJNZC.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /RL HIGHEST /tn "XRJNZC" /tr C:\ProgramData\pinterests\XRJNZC.exe /f
      4⤵
      Creates scheduled task(s)
      PID:2732

C:\Windows\SysWOW64\timeout.exe
timeout 3
1⤵
- Delays execution with timeout.exe
PID:2796

C:\Windows\system32\taskeng.exe
taskeng.exe {3203A703-DA99-4B29-A5D8-3B4E8C1B2FC0} S-1-5-21-928733405-3780110381-2966456290-1000:VTILVGXH\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1180
- C:\ProgramData\pinterests\XRJNZC.exe
  C:\ProgramData\pinterests\XRJNZC.exe
  2⤵
  - Executes dropped EXE
  PID:3028
- C:\ProgramData\pinterests\XRJNZC.exe
  C:\ProgramData\pinterests\XRJNZC.exe
  2⤵
  - Executes dropped EXE
  PID:2952
- C:\ProgramData\pinterests\XRJNZC.exe
  C:\ProgramData\pinterests\XRJNZC.exe
  2⤵
  - Executes dropped EXE
  PID:2420
- C:\ProgramData\pinterests\XRJNZC.exe
  C:\ProgramData\pinterests\XRJNZC.exe
  2⤵
  - Executes dropped EXE
  PID:1628
- C:\ProgramData\pinterests\XRJNZC.exe
  C:\ProgramData\pinterests\XRJNZC.exe
  2⤵
  - Executes dropped EXE
  PID:2404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\pinterests\XRJNZC.exe

Filesize
1KB

MD5
295c32e13d4c67fa7e7b1948dc38cab5

SHA1
711b1c77ad510b290f9d2c03b921c4a9c46250bd

SHA256
a66658ce0b9f5f20303fe17e4340a7f1c47adda510641d471aa16bf40dd78c14

SHA512
9e51a58459e8745121dc6dfefde7d1fd2755c5c3b75d48086c9c2675231df08fbe193c7648c546701fede983161a71aca544905f90a15333c08b9dfca4ab8246

Download Submit
C:\ProgramData\pinterests\XRJNZC.exe

Filesize
2KB

MD5
4f1881c988bd45919c5090dbf8fc4ca2

SHA1
36141e6f408a4f68ad8caf0aa266ca650df7e55a

SHA256
5064c8c73e797c8692e5e3e6065d53fad2c98daa46e99f5a5b214d3e3b7d6942

SHA512
d7434ebbde3a7aa22e1f6fc4f3358929092ccd7e3a980fb774643f39138a9fe260e2018ac0c19fbb07f4fe39f54a24d742578f5b402dbf8785133e58580dc4bf

Download Submit
C:\ProgramData\pinterests\XRJNZC.exe

Filesize
41KB

MD5
e3a3b068b351a45335723d2a32dfc41a

SHA1
2ad4a6c6ca962d3d66ca15c86880e95899a2cceb

SHA256
45558c1535575db091b73430af3de1e4583265f135ec7ae46a5636dba7c62ae5

SHA512
c613f7cb2327138316852b7d4d0d24b0fddbd1384c210dee0e8f8b0136aba7d560999f9b7a949af511e55f3f83d9565e9a76f0e8c6c527fcba768d1d57064404

Download Submit
C:\ProgramData\pinterests\XRJNZC.exe

Filesize
21KB

MD5
c9cbb8e5dd77ce8bda63737d268c0499

SHA1
09aa4453b75e46fb6e6be754ae6bd8db5fe9efc7

SHA256
1398af05e48efc3f29f459f4c9a257cf6a340f3d4d4830aab012d9736720a08b

SHA512
12a32ed55b64b7eaef8279069d2da8d7601e1fdbd1f893499575438b05618d48c6e186e723f7d2c243f80f135614710c7e88390dae55912fd82641aa06692256

Download Submit
C:\ProgramData\pinterests\XRJNZC.exe

Filesize
13KB

MD5
c46830f0207d8d753809ff11dacfc679

SHA1
017062b87732c863fcdcb322de378c7ea5f6a597

SHA256
38ec9f7e55766af4d2a9e52ea927fcfc68bd549e58eb0121eb36f378a9ea1dbb

SHA512
65df452567ac4c5e5e10f8fae106e82d121a501937e8def979502923354b1d94200cce06c0465938a316ceea64333e818a4ebccfd5ce64098e06c9b6aa0e724a

Download Submit
C:\ProgramData\pinterests\XRJNZC.exe

Filesize
76KB

MD5
9c37c7a63ee7610ab4bba916ce33ba00

SHA1
a04147c8862ee9946d2a737803cf5a404fc917d4

SHA256
69a549970b3a580b8f5a245bb4d40462e3eb5db27a744cdc75ec47dcf1806bb8

SHA512
a04959b353f0a51da098e5f0d1cfe2a1e3271f7c5825f74ef42c869f7de0b58402e0b6daca019083f0b6da8389028017e459dec1d4ac78d697a75d7375314427

Download Submit
C:\Users\Admin\AppData\Local\Temp\s1fw.0.bat

Filesize
176B

MD5
4f7cd54d28246f8b05dccbdc681f3d61

SHA1
beef9c557cfc71764d68cae87609ff4287c52453

SHA256
1d86949fd4061264b12bce236e9a1fcd833209a41fc49e45ff17b583e4cfbcb1

SHA512
ca3352c8578d473350bf6c8f4e4fbcc56f4b5a04303293dae3153c39e61ec89e4966125fc30df3608c0110a014633e41cc9a5592502fe65b9ecc9dc6113e579a

Download Submit
\ProgramData\pinterests\XRJNZC.exe

Filesize
8KB

MD5
0ee62b3d2952d3583ed349f780478e89

SHA1
a1afd32a082ce153f8c7d63c7b470fd2a852a1c5

SHA256
1b671adef98a52bc0dfdf93ce85b6b893dfddb9323df89037546103599518f11

SHA512
0a46be7c2fe4b1c26a95d43c04ed3c3bdea214d92e9dfcd8ccedffbc86e03ddb478b3453d48a88cce9f0fb3e513ed7f39229847b14c0b2770557e0c206ef3696

Download Submit
\ProgramData\pinterests\XRJNZC.exe

Filesize
5KB

MD5
15ed23c9cc12f4d73807cce5a93c12cc

SHA1
e976c36068c7f408540d18de338a0b35433d261f

SHA256
d27cb979b916bb1c96b7ad8171de47382d3779ee7d435539e9dc311be4d7c6fc

SHA512
5441801d9acef0c2997f77ab3f9114960f8ba293cb64b1bbb62bfa9283f66366ca9c09f7136e0116105ef4919a35176f0bbc7e69a305f7139cdd8d79625db4d7

Download Submit
memory/1628-59-0x0000000000B20000-0x0000000001513000-memory.dmp

Filesize
9.9MB

Download
memory/1628-54-0x0000000000B20000-0x0000000001513000-memory.dmp

Filesize
9.9MB

Download
memory/1868-5-0x0000000000370000-0x0000000000D63000-memory.dmp

Filesize
9.9MB

Download
memory/1868-0-0x0000000000370000-0x0000000000D63000-memory.dmp

Filesize
9.9MB

Download
memory/2404-67-0x0000000000B20000-0x0000000001513000-memory.dmp

Filesize
9.9MB

Download
memory/2404-62-0x0000000000B20000-0x0000000001513000-memory.dmp

Filesize
9.9MB

Download
memory/2420-46-0x0000000000B20000-0x0000000001513000-memory.dmp

Filesize
9.9MB

Download
memory/2420-51-0x0000000000B20000-0x0000000001513000-memory.dmp

Filesize
9.9MB

Download
memory/2720-27-0x0000000000B20000-0x0000000001513000-memory.dmp

Filesize
9.9MB

Download
memory/2720-22-0x0000000000B20000-0x0000000001513000-memory.dmp

Filesize
9.9MB

Download
memory/2952-43-0x0000000000B20000-0x0000000001513000-memory.dmp

Filesize
9.9MB

Download
memory/2952-38-0x0000000000B20000-0x0000000001513000-memory.dmp

Filesize
9.9MB

Download
memory/3028-35-0x0000000000B20000-0x0000000001513000-memory.dmp

Filesize
9.9MB

Download
memory/3028-30-0x0000000000B20000-0x0000000001513000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads