df921c15d52a443bbe0555b78a0b077b05fef1f5ac2bf79cc9c1660d25f92942

Analysis

max time kernel
294s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
08/01/2024, 05:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df921c15d52a443bbe0555b78a0b077b05fef1f5ac2bf79cc9c1660d25f92942.exe
Size

5.3MB
MD5

39e32d837675e3e6b6c91f53e9d83416
SHA1

cfce02330065e0660d47bc35c577d56b79a4a45d
SHA256

df921c15d52a443bbe0555b78a0b077b05fef1f5ac2bf79cc9c1660d25f92942
SHA512

0a9096ec243ad0b27c07ff48dafd5dbd90d94a44774c27bc1251270b216cded254489498bb8fc90b9a21edd04805137a31fcdd688f1083d23653ad749029811c
SSDEEP

98304:8aDQcPKHyi8lyJjrpij1onXLynPheXgQeWF4pTttT1+Z0wVpDUw8Gx6GjYuOd7Sj:nZWyHgJJij1WOPwXgQe4KRwVpAJbGcuP

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2812	XRJNZC.exe
2952	XRJNZC.exe
564	XRJNZC.exe
2384	XRJNZC.exe
760	XRJNZC.exe
880	XRJNZC.exe

Loads dropped DLL 1 IoCs

pid	Process
2328	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2848	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2220	timeout.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 2328	3044	df921c15d52a443bbe0555b78a0b077b05fef1f5ac2bf79cc9c1660d25f92942.exe	28
PID 3044 wrote to memory of 2328	3044	df921c15d52a443bbe0555b78a0b077b05fef1f5ac2bf79cc9c1660d25f92942.exe	28
PID 3044 wrote to memory of 2328	3044	df921c15d52a443bbe0555b78a0b077b05fef1f5ac2bf79cc9c1660d25f92942.exe	28
PID 3044 wrote to memory of 2328	3044	df921c15d52a443bbe0555b78a0b077b05fef1f5ac2bf79cc9c1660d25f92942.exe	28
PID 2328 wrote to memory of 2220	2328	cmd.exe	30
PID 2328 wrote to memory of 2220	2328	cmd.exe	30
PID 2328 wrote to memory of 2220	2328	cmd.exe	30
PID 2328 wrote to memory of 2220	2328	cmd.exe	30
PID 2328 wrote to memory of 2812	2328	cmd.exe	31
PID 2328 wrote to memory of 2812	2328	cmd.exe	31
PID 2328 wrote to memory of 2812	2328	cmd.exe	31
PID 2328 wrote to memory of 2812	2328	cmd.exe	31
PID 2812 wrote to memory of 2848	2812	XRJNZC.exe	33
PID 2812 wrote to memory of 2848	2812	XRJNZC.exe	33
PID 2812 wrote to memory of 2848	2812	XRJNZC.exe	33
PID 2812 wrote to memory of 2848	2812	XRJNZC.exe	33
PID 2888 wrote to memory of 2952	2888	taskeng.exe	37
PID 2888 wrote to memory of 2952	2888	taskeng.exe	37
PID 2888 wrote to memory of 2952	2888	taskeng.exe	37
PID 2888 wrote to memory of 2952	2888	taskeng.exe	37
PID 2888 wrote to memory of 564	2888	taskeng.exe	38
PID 2888 wrote to memory of 564	2888	taskeng.exe	38
PID 2888 wrote to memory of 564	2888	taskeng.exe	38
PID 2888 wrote to memory of 564	2888	taskeng.exe	38
PID 2888 wrote to memory of 2384	2888	taskeng.exe	39
PID 2888 wrote to memory of 2384	2888	taskeng.exe	39
PID 2888 wrote to memory of 2384	2888	taskeng.exe	39
PID 2888 wrote to memory of 2384	2888	taskeng.exe	39
PID 2888 wrote to memory of 760	2888	taskeng.exe	40
PID 2888 wrote to memory of 760	2888	taskeng.exe	40
PID 2888 wrote to memory of 760	2888	taskeng.exe	40
PID 2888 wrote to memory of 760	2888	taskeng.exe	40
PID 2888 wrote to memory of 880	2888	taskeng.exe	41
PID 2888 wrote to memory of 880	2888	taskeng.exe	41
PID 2888 wrote to memory of 880	2888	taskeng.exe	41
PID 2888 wrote to memory of 880	2888	taskeng.exe	41

C:\Users\Admin\AppData\Local\Temp\df921c15d52a443bbe0555b78a0b077b05fef1f5ac2bf79cc9c1660d25f92942.exe
"C:\Users\Admin\AppData\Local\Temp\df921c15d52a443bbe0555b78a0b077b05fef1f5ac2bf79cc9c1660d25f92942.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\s2ck.0.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2220
- - C:\ProgramData\pinterests\XRJNZC.exe
    "C:\ProgramData\pinterests\XRJNZC.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /RL HIGHEST /tn "XRJNZC" /tr C:\ProgramData\pinterests\XRJNZC.exe /f
      4⤵
      Creates scheduled task(s)
      PID:2848

C:\Windows\system32\taskeng.exe
taskeng.exe {B004ACCD-20AE-4491-A16B-4E6EF0C99A7A} S-1-5-21-1603059206-2004189698-4139800220-1000:AILVMYUM\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2888
- C:\ProgramData\pinterests\XRJNZC.exe
  C:\ProgramData\pinterests\XRJNZC.exe
  2⤵
  - Executes dropped EXE
  PID:2952
- C:\ProgramData\pinterests\XRJNZC.exe
  C:\ProgramData\pinterests\XRJNZC.exe
  2⤵
  - Executes dropped EXE
  PID:564
- C:\ProgramData\pinterests\XRJNZC.exe
  C:\ProgramData\pinterests\XRJNZC.exe
  2⤵
  - Executes dropped EXE
  PID:2384
- C:\ProgramData\pinterests\XRJNZC.exe
  C:\ProgramData\pinterests\XRJNZC.exe
  2⤵
  - Executes dropped EXE
  PID:760
- C:\ProgramData\pinterests\XRJNZC.exe
  C:\ProgramData\pinterests\XRJNZC.exe
  2⤵
  - Executes dropped EXE
  PID:880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\pinterests\XRJNZC.exe

Filesize
402KB

MD5
a3c49e08e9a20450d9e9dcfa73fa774a

SHA1
38383b2e99067c5b858cd06377ddf957f03ea3cc

SHA256
0074ec73a5ab1f899929c42954e58d5352e420dd9cc0f3bcfa14d71a320bc709

SHA512
9afe0249192efeb4031bf25d2dd78008c74c1827b2a66c560d5d8b42a118bfa5530a19d48726185190f8281a8e90695aa45d1c3b92d526b8cc392ea08269f1cd

Download Submit
C:\ProgramData\pinterests\XRJNZC.exe

Filesize
782KB

MD5
04d1e632b11d81ef572da643207e6230

SHA1
db5059930b8484e2e36a6a888e96dba9309f0bcd

SHA256
8145e9b8e8b5fa4bc5893c081e3e25ab2746b3f62d4db3f664254d24d4e17903

SHA512
8f53f681da54d8f27d8fc79283a5a1349599ffd7e193e8fc3ffe7068949035c78f6d082b014a4b47d931c99e30fc4a28a815f87d6f23b69784592ff298d9c77e

Download Submit
C:\ProgramData\pinterests\XRJNZC.exe

Filesize
5.3MB

MD5
39e32d837675e3e6b6c91f53e9d83416

SHA1
cfce02330065e0660d47bc35c577d56b79a4a45d

SHA256
df921c15d52a443bbe0555b78a0b077b05fef1f5ac2bf79cc9c1660d25f92942

SHA512
0a9096ec243ad0b27c07ff48dafd5dbd90d94a44774c27bc1251270b216cded254489498bb8fc90b9a21edd04805137a31fcdd688f1083d23653ad749029811c

Download Submit
C:\ProgramData\pinterests\XRJNZC.exe

Filesize
4.3MB

MD5
f53a25bc566b55b1f6aab1c7759dfd3f

SHA1
aed9e3e9844db480edb583843e3da2a149cc1b13

SHA256
21755f6e26b5102c3c681f43a9a18c32279373a5bc441da309d37a279530a999

SHA512
15a8507b14cb7675ce3f0724d6a435e65f5ae6d4bf46a8f85fd5cdc9619556d8064abdf2980e44db52d74df15db7c5a13321a4a6a8e818474f71ac1811bd0d32

Download Submit
C:\ProgramData\pinterests\XRJNZC.exe

Filesize
5.2MB

MD5
9942fd1761b079882e0078a781dea269

SHA1
a7cf94c33ad3f14245a665ab7e29dfe7f4af3115

SHA256
3a5670ac9d2ae3ce410efdba329b1d85ff883589ac009831ccc91dc840c06b61

SHA512
94f1078e70f79509c251a1ea707f4be3b81245f0c45b000977ff6467b65df98041a7424877d74fb9582e9246d2b832c39f6f711a985158940fa65c3267a48ead

Download Submit
C:\Users\Admin\AppData\Local\Temp\s2ck.0.bat

Filesize
176B

MD5
665f9ebd31306efa4bd081a9a6367764

SHA1
d00c01306dd6f7a1fff86f4c580b0a654c6be4ad

SHA256
a8f8ad93749bf739aafd758f5330e90b35b57a856b01e0d9e22c4902a3e0d412

SHA512
c6e74cc4edd39bcb36cbad4b6482767bb231f93e9145c7193303b52a4f5edce88061de4cb01d232f329a08edea3fe76a8c374b5f1a2e5a81e4c1b9a025bd8314

Download Submit
\ProgramData\pinterests\XRJNZC.exe

Filesize
613KB

MD5
91412e9a5b26bacbe3b3a3767622e8f9

SHA1
819ccfe247fc9ef268c7afd8ad134ddbd48e5695

SHA256
45ca86ddcf4b7f9b9c7c2e86205e740cfa423b293d7ac34e8d54548d3e2c244b

SHA512
e6aa489290b86768b0a8045e27a2be59b91076c31468670e6cab7f284967cd80686106e169aa6e9b3cf599e17bb12c9cffeea76e6a48a55867dd1c2d32b1b626

Download Submit
memory/564-42-0x0000000000BD0000-0x000000000164C000-memory.dmp

Filesize
10.5MB

Download
memory/564-37-0x0000000000BD0000-0x000000000164C000-memory.dmp

Filesize
10.5MB

Download
memory/760-53-0x0000000000BD0000-0x000000000164C000-memory.dmp

Filesize
10.5MB

Download
memory/760-58-0x0000000000BD0000-0x000000000164C000-memory.dmp

Filesize
10.5MB

Download
memory/880-61-0x0000000000BD0000-0x000000000164C000-memory.dmp

Filesize
10.5MB

Download
memory/880-66-0x0000000000BD0000-0x000000000164C000-memory.dmp

Filesize
10.5MB

Download
memory/2384-50-0x0000000000BD0000-0x000000000164C000-memory.dmp

Filesize
10.5MB

Download
memory/2384-45-0x0000000000BD0000-0x000000000164C000-memory.dmp

Filesize
10.5MB

Download
memory/2812-26-0x0000000000BD0000-0x000000000164C000-memory.dmp

Filesize
10.5MB

Download
memory/2812-21-0x0000000000BD0000-0x000000000164C000-memory.dmp

Filesize
10.5MB

Download
memory/2952-34-0x0000000000BD0000-0x000000000164C000-memory.dmp

Filesize
10.5MB

Download
memory/2952-29-0x0000000000BD0000-0x000000000164C000-memory.dmp

Filesize
10.5MB

Download
memory/3044-0-0x0000000000F40000-0x00000000019BC000-memory.dmp

Filesize
10.5MB

Download
memory/3044-5-0x0000000000F40000-0x00000000019BC000-memory.dmp

Filesize
10.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads