b08f002a851d216ea0f372406f94c446c5b8b0a49cf1b0faac5b73d151022a47

Analysis

max time kernel
5s
max time network
303s
platform
windows10-1703_x64
resource
win10-20231220-en
resource tags

arch:x64arch:x86image:win10-20231220-enlocale:en-usos:windows10-1703-x64system
submitted
08/01/2024, 04:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b08f002a851d216ea0f372406f94c446c5b8b0a49cf1b0faac5b73d151022a47.exe
Size

5.7MB
MD5

b0eb07d6a79d273dcaeec43cb6f10c20
SHA1

b5fc1499ea997d513f4d501d31e47c508a7a17d9
SHA256

b08f002a851d216ea0f372406f94c446c5b8b0a49cf1b0faac5b73d151022a47
SHA512

f6b26a7037621294968fb9b4c2e4a1ec1c256a19cbe33aff5c3a9ac9de9194ed8080526b425dd851262a90f3351d9911d18d59dfb5d176cb44898e3fa4bb0299
SSDEEP

98304:TGAwYG+73YnFYkY3/SFrKZ0tuljc0wWrqKrMg/jYVSFnf81WzXUJjN2ql/:TGAwYG+TEYt/SgZ0ItvtOKrx/f8IzXUR

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3880	XRJNZC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3904	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3572	timeout.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2704	b08f002a851d216ea0f372406f94c446c5b8b0a49cf1b0faac5b73d151022a47.exe
2704	b08f002a851d216ea0f372406f94c446c5b8b0a49cf1b0faac5b73d151022a47.exe
3880	XRJNZC.exe
3880	XRJNZC.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2704 wrote to memory of 396	2704	b08f002a851d216ea0f372406f94c446c5b8b0a49cf1b0faac5b73d151022a47.exe	28
PID 2704 wrote to memory of 396	2704	b08f002a851d216ea0f372406f94c446c5b8b0a49cf1b0faac5b73d151022a47.exe	28
PID 2704 wrote to memory of 396	2704	b08f002a851d216ea0f372406f94c446c5b8b0a49cf1b0faac5b73d151022a47.exe	28
PID 396 wrote to memory of 3572	396	cmd.exe	29
PID 396 wrote to memory of 3572	396	cmd.exe	29
PID 396 wrote to memory of 3572	396	cmd.exe	29
PID 396 wrote to memory of 3880	396	cmd.exe	77
PID 396 wrote to memory of 3880	396	cmd.exe	77
PID 396 wrote to memory of 3880	396	cmd.exe	77
PID 3880 wrote to memory of 3904	3880	XRJNZC.exe	79
PID 3880 wrote to memory of 3904	3880	XRJNZC.exe	79
PID 3880 wrote to memory of 3904	3880	XRJNZC.exe	79

C:\Users\Admin\AppData\Local\Temp\b08f002a851d216ea0f372406f94c446c5b8b0a49cf1b0faac5b73d151022a47.exe
"C:\Users\Admin\AppData\Local\Temp\b08f002a851d216ea0f372406f94c446c5b8b0a49cf1b0faac5b73d151022a47.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2704
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\s234.0.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:396
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:3572
- - C:\ProgramData\pinterests\XRJNZC.exe
    "C:\ProgramData\pinterests\XRJNZC.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3880
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /RL HIGHEST /tn "XRJNZC" /tr C:\ProgramData\pinterests\XRJNZC.exe /f
      4⤵
      Creates scheduled task(s)
      PID:3904

C:\ProgramData\pinterests\XRJNZC.exe
C:\ProgramData\pinterests\XRJNZC.exe
1⤵
PID:4748

C:\ProgramData\pinterests\XRJNZC.exe
C:\ProgramData\pinterests\XRJNZC.exe
1⤵
PID:2780

C:\ProgramData\pinterests\XRJNZC.exe
C:\ProgramData\pinterests\XRJNZC.exe
1⤵
PID:4780

C:\ProgramData\pinterests\XRJNZC.exe
C:\ProgramData\pinterests\XRJNZC.exe
1⤵
PID:4368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\pinterests\XRJNZC.exe

Filesize
15KB

MD5
910107b17ee30adcc683316e456c79c2

SHA1
aa80f12df45966539154340683ec7a760675bf24

SHA256
a7d8d9e947aecc69b641910eb17f1bcb276f8ce5de827b9b71097b3dcf2e78e2

SHA512
58f3ef49b338f2befd32e1696d9586dab6633b6e7ef7734eeb0194c3a6197377b9e1bbfdab403ab318124eff7a911b840b2406590af5037ef35010602f3d61b6

Download Submit
C:\ProgramData\pinterests\XRJNZC.exe

Filesize
33KB

MD5
f96cecd24c13c13b16172a7b80752a75

SHA1
ca2fca5aa48337e93a2dc86d8c8ec2d9f147012b

SHA256
da1183129542fb4d448660c4d6a0b2398271de884da7cf0f155cd996b3196c80

SHA512
0f7edccb32019fd430463e66add7f0d341d2563f84dcf988184cc6107ce2a55c2fdcc7c4b5e5d6a3148df0e8bdac4269b85a4bbc3fd4eddb2e818574ab5e8d20

Download Submit
C:\ProgramData\pinterests\XRJNZC.exe

Filesize
43KB

MD5
88d3c427834c73fd840907eebf28ecdd

SHA1
aed6099ff000fe8068b1454664d9ccaa650c82b2

SHA256
34ba8f89d39ad669b939a4ff93370e981d4515b172776ad4f0d1f47a97b7d2c4

SHA512
d31df5404f556d64b789ac3c680f75388cae9fe2b8a72cf6111a6d319d81ddb724eedab659b7d93521744ad109941eb282771597c3f9e47d2174249577e56d9c

Download Submit
C:\ProgramData\pinterests\XRJNZC.exe

Filesize
44KB

MD5
0fa3749ea5ee32a1747870848c808fd8

SHA1
af1ff65589a1e8d9f71625156dd6e2b9cc3428c5

SHA256
572f8cc4c815f381ed7360ff3d2a7660c7fde556e8f985a7df8662c35528b8b3

SHA512
56219245dad0b4c08d518da4e103ad822a5899ce4d2da935a4f482422efe45cbe1cb8fad41213e957c8984329554711b8ae6d82523e5b78acc9c97a0a87ba9f5

Download Submit
C:\ProgramData\pinterests\XRJNZC.exe

Filesize
132KB

MD5
5d5b167343899de175bd1d1184036c54

SHA1
3a80c9d7a5f58250c4e1bd3b9d108e46baa13df8

SHA256
c47856b64ba6e016ef8ed2a227a2d210e3009935df0ee4a9f18e1ec59d248dd5

SHA512
49b60a146331f5ca33be1f1c54de4d50ef9c90c95148f26fd2b23d1d8041c48567f5d21cbf356c4cfa9ce971e41717b3bdf635af0dfc849468ce808533e67bf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\s234.0.bat

Filesize
176B

MD5
ff47648915daa8ae908166b1d79b44c2

SHA1
1329323cb4a7579d17f402d637f8215dcb3a81a2

SHA256
ac283209ff95133f0ebbd4f7cb633b844a1c23d3a2b590ad003bf98ab63afe23

SHA512
44d5e84d3cc2074799b1f9dc224bcf9338d0e081296bf811401f58f4318dfe50ec017e9bca5935b8d93ccb77277dee73f9a30e40922885da558925b3f47b70ad

Download Submit
memory/2704-2-0x0000000000B70000-0x00000000016ED000-memory.dmp

Filesize
11.5MB

Download
memory/2704-3-0x0000000001D70000-0x0000000001D71000-memory.dmp

Filesize
4KB

Download
memory/2704-21-0x0000000000B70000-0x00000000016ED000-memory.dmp

Filesize
11.5MB

Download
memory/2704-0-0x0000000001D30000-0x0000000001D31000-memory.dmp

Filesize
4KB

Download
memory/2704-4-0x0000000001D80000-0x0000000001D81000-memory.dmp

Filesize
4KB

Download
memory/2704-5-0x0000000000B70000-0x00000000016ED000-memory.dmp

Filesize
11.5MB

Download
memory/2704-1-0x0000000001D40000-0x0000000001D41000-memory.dmp

Filesize
4KB

Download
memory/2704-6-0x0000000001D90000-0x0000000001D91000-memory.dmp

Filesize
4KB

Download
memory/2704-7-0x0000000001DA0000-0x0000000001DA1000-memory.dmp

Filesize
4KB

Download
memory/2704-13-0x0000000000B70000-0x00000000016ED000-memory.dmp

Filesize
11.5MB

Download
memory/2780-72-0x0000000001070000-0x0000000001BED000-memory.dmp

Filesize
11.5MB

Download
memory/2780-59-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download
memory/2780-60-0x0000000000A70000-0x0000000000A71000-memory.dmp

Filesize
4KB

Download
memory/2780-61-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

Filesize
4KB

Download
memory/2780-62-0x0000000000FA0000-0x0000000000FA1000-memory.dmp

Filesize
4KB

Download
memory/2780-65-0x0000000001070000-0x0000000001BED000-memory.dmp

Filesize
11.5MB

Download
memory/2780-70-0x0000000001070000-0x0000000001BED000-memory.dmp

Filesize
11.5MB

Download
memory/2780-63-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

Filesize
4KB

Download
memory/2780-58-0x0000000001070000-0x0000000001BED000-memory.dmp

Filesize
11.5MB

Download
memory/3880-25-0x0000000000960000-0x0000000000961000-memory.dmp

Filesize
4KB

Download
memory/3880-40-0x0000000001070000-0x0000000001BED000-memory.dmp

Filesize
11.5MB

Download
memory/3880-28-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/3880-32-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

Filesize
4KB

Download
memory/3880-31-0x0000000001070000-0x0000000001BED000-memory.dmp

Filesize
11.5MB

Download
memory/3880-30-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

Filesize
4KB

Download
memory/3880-29-0x00000000009B0000-0x00000000009B1000-memory.dmp

Filesize
4KB

Download
memory/3880-27-0x0000000001070000-0x0000000001BED000-memory.dmp

Filesize
11.5MB

Download
memory/3880-26-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download
memory/3880-38-0x0000000001070000-0x0000000001BED000-memory.dmp

Filesize
11.5MB

Download
memory/4748-49-0x0000000001070000-0x0000000001BED000-memory.dmp

Filesize
11.5MB

Download
memory/4748-47-0x0000000000820000-0x0000000000821000-memory.dmp

Filesize
4KB

Download
memory/4748-45-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download
memory/4748-46-0x0000000000810000-0x0000000000811000-memory.dmp

Filesize
4KB

Download
memory/4748-56-0x0000000001070000-0x0000000001BED000-memory.dmp

Filesize
11.5MB

Download
memory/4748-54-0x0000000001070000-0x0000000001BED000-memory.dmp

Filesize
11.5MB

Download
memory/4748-42-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/4748-43-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/4748-44-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/4780-81-0x0000000001070000-0x0000000001BED000-memory.dmp

Filesize
11.5MB

Download
memory/4780-80-0x0000000003AC0000-0x0000000003AC1000-memory.dmp

Filesize
4KB

Download
memory/4780-79-0x0000000003AB0000-0x0000000003AB1000-memory.dmp

Filesize
4KB

Download
memory/4780-78-0x0000000002100000-0x0000000002101000-memory.dmp

Filesize
4KB

Download
memory/4780-77-0x00000000020F0000-0x00000000020F1000-memory.dmp

Filesize
4KB

Download
memory/4780-76-0x00000000020C0000-0x00000000020C1000-memory.dmp

Filesize
4KB

Download
memory/4780-86-0x0000000001070000-0x0000000001BED000-memory.dmp

Filesize
11.5MB

Download
memory/4780-75-0x00000000020B0000-0x00000000020B1000-memory.dmp

Filesize
4KB

Download
memory/4780-88-0x0000000001070000-0x0000000001BED000-memory.dmp

Filesize
11.5MB

Download
memory/4780-74-0x0000000001070000-0x0000000001BED000-memory.dmp

Filesize
11.5MB

Download