545973de41aaeec424949975a6477ec58259be8c5d4b41ab57a9f5184cd367db

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
15-01-2024 05:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5c48416137b42e268fa414ca3e5223f0.exe
Size

4.2MB
MD5

5c48416137b42e268fa414ca3e5223f0
SHA1

b4479ec4a7c02bff1f9f1431edb38cebc1ac1092
SHA256

545973de41aaeec424949975a6477ec58259be8c5d4b41ab57a9f5184cd367db
SHA512

c17b53a35d6f802ae5044b966567177dd8c9dde9b3e64656b90280071cc06228f75fd77e96caad023049070a07948e9983664b2113ae3a8c84bcdb8069e34f6d
SSDEEP

98304:1eMwdPjC59yJ7dECQ4J1rRf9n96EXKoIrDuL1H8d:rmPjSUf9n97XKCa

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

7za.exeSetup.exe

pid process

2616 7za.exe
2612 Setup.exe
Loads dropped DLL 3 IoCs

Processes:

cmd.exe

pid process

2888 cmd.exe
2888 cmd.exe
2888 cmd.exe

pid	process
2616	7za.exe
2612	Setup.exe

pid	process
2888	cmd.exe
2888	cmd.exe
2888	cmd.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Setup.exe	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Setup.exe

pid process

2612 Setup.exe

pid	process
2612	Setup.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

5c48416137b42e268fa414ca3e5223f0.exeWScript.execmd.exe

description	pid	process	target process
PID 2512 wrote to memory of 2752	2512	5c48416137b42e268fa414ca3e5223f0.exe	WScript.exe
PID 2512 wrote to memory of 2752	2512	5c48416137b42e268fa414ca3e5223f0.exe	WScript.exe
PID 2512 wrote to memory of 2752	2512	5c48416137b42e268fa414ca3e5223f0.exe	WScript.exe
PID 2512 wrote to memory of 2752	2512	5c48416137b42e268fa414ca3e5223f0.exe	WScript.exe
PID 2512 wrote to memory of 2752	2512	5c48416137b42e268fa414ca3e5223f0.exe	WScript.exe
PID 2512 wrote to memory of 2752	2512	5c48416137b42e268fa414ca3e5223f0.exe	WScript.exe
PID 2512 wrote to memory of 2752	2512	5c48416137b42e268fa414ca3e5223f0.exe	WScript.exe
PID 2752 wrote to memory of 2888	2752	WScript.exe	cmd.exe
PID 2752 wrote to memory of 2888	2752	WScript.exe	cmd.exe
PID 2752 wrote to memory of 2888	2752	WScript.exe	cmd.exe
PID 2752 wrote to memory of 2888	2752	WScript.exe	cmd.exe
PID 2752 wrote to memory of 2888	2752	WScript.exe	cmd.exe
PID 2752 wrote to memory of 2888	2752	WScript.exe	cmd.exe
PID 2752 wrote to memory of 2888	2752	WScript.exe	cmd.exe
PID 2888 wrote to memory of 2616	2888	cmd.exe	7za.exe
PID 2888 wrote to memory of 2616	2888	cmd.exe	7za.exe
PID 2888 wrote to memory of 2616	2888	cmd.exe	7za.exe
PID 2888 wrote to memory of 2616	2888	cmd.exe	7za.exe
PID 2888 wrote to memory of 2616	2888	cmd.exe	7za.exe
PID 2888 wrote to memory of 2616	2888	cmd.exe	7za.exe
PID 2888 wrote to memory of 2616	2888	cmd.exe	7za.exe
PID 2888 wrote to memory of 2612	2888	cmd.exe	Setup.exe
PID 2888 wrote to memory of 2612	2888	cmd.exe	Setup.exe
PID 2888 wrote to memory of 2612	2888	cmd.exe	Setup.exe
PID 2888 wrote to memory of 2612	2888	cmd.exe	Setup.exe
PID 2888 wrote to memory of 2612	2888	cmd.exe	Setup.exe
PID 2888 wrote to memory of 2612	2888	cmd.exe	Setup.exe
PID 2888 wrote to memory of 2612	2888	cmd.exe	Setup.exe

C:\Users\Admin\AppData\Local\Temp\5c48416137b42e268fa414ca3e5223f0.exe
"C:\Users\Admin\AppData\Local\Temp\5c48416137b42e268fa414ca3e5223f0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2512

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Lanceur.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:2752

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\Extract.bat" "
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2888

C:\Users\Admin\AppData\Local\Temp\7za.exe
.\7za.exe e .\WebPlayerTV.7z -pjesuisadmin -y
4⤵
- Executes dropped EXE
PID:2616

C:\Users\Admin\AppData\Local\Temp\Setup.exe
.\Setup.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
PID:2612

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7za.exe
Filesize
537KB

MD5
dee26c80ec9d629b106f19524e84d704

SHA1
ee563ac48bf78127c0f94bea61618bbfe18b8109

SHA256
33db916eba58c0f5c0a16d88176665f9302ad179eee32c2f3e0e239aefbfddfb

SHA512
72ff64cd076af702926cc4aa4d65a0a67c863435b833bc8423673b64f24f9376ad1855b9b620795bb745219098899a1a2c6ba9f99627041929bcc62bf8636d9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\BAB.jpg
Filesize
37KB

MD5
61992d5995f0020c48f1cf541e044024

SHA1
c4d7069d450b774807735b804edcf76317b6f2b4

SHA256
bb7e2d019add8bebe2cafd5fee397c438a05d3296fe505755a59599c15bbf92d

SHA512
0dafb6b1fd289fb7d5ca954ceeb1c1794cb43f331114e3be8f8ad795c33a003c1962fe254f299e33ecc08e590acec332034881ab8d975f921dc00c76fcd6e728

Download Submit
C:\Users\Admin\AppData\Local\Temp\BANDEAU.jpg
Filesize
21KB

MD5
523c100a6fec6eb73c10a705ba1a232c

SHA1
c6d6246e3a419033e405f057f38dcfec57eae628

SHA256
73347a81d34cee029012392a51fdc62e3dd53eb1a1d0f42b62d0f5080058cd68

SHA512
c4c7b0ea9aeff0dab543bda19862a078abce61fcaa1cf3a6c815dd52af34f31cdfc5042525ef02a908a9ebdb7c734c04a068c9593eaabdcee34d9aef38a2ece9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Extract.bat
Filesize
87B

MD5
9495ff73014b8a17bd4798911ad097fa

SHA1
71b6db4d7e576cf8b1cbf93079397bc0c1ce46b2

SHA256
0a59275adf474e7164e14a7e622ecb93f3a1477958e6e1e0de6d7ae2c6913a33

SHA512
55062bb9381ac302367aeb43492613762434da730663891f577e050fcbc0993eaf19e96154adf4d669cb9587d8eef2a7ec96cb02b366db5d5c58b1eefe64ecd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lanceur.vbs
Filesize
115B

MD5
67eb1322395d41dddc9045b4eef2309d

SHA1
b85b2332b9fd4ac03aec49a9291e90e8b96547a5

SHA256
56ddc657309aeab74ca42cf466deac992da8a0054830340ba839ffdf1d242be4

SHA512
de37b1358f639f6647e6ae99b6719a0ddf5e9b8f9e8ea33b6284ecac3d33650e9257a63697dcd5d79ee5ed2790ece0b3aca3332719f678ca89f3d4562b00603d

Download Submit
C:\Users\Admin\AppData\Local\Temp\SOFT.jpg
Filesize
74KB

MD5
a4d795c34867efbba61d84a09156d772

SHA1
672c675792527a3876fa18b1971630965d1a90b6

SHA256
1011c278c03a696d8ca3e7e3e039a6b184b740a57585f4af5bf62ff8d428701a

SHA512
9fa8cbeed832d3ba238e5247a1704cb586b275ac5f4e3dd97115c04a34709b59cbc5611e74558cd9467d12b332c831fbf88fb71bccf0786de5fc35204bd7abd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.exe
Filesize
754KB

MD5
a9590ed40a7f7430e9502f98ebc86239

SHA1
45b2942570896d664f1b530d9713c1c667dd95af

SHA256
dd025f6e55464a1f9bfbc28994c406c8b7948624ac4fed52edf62f0a857c45e3

SHA512
d031e1516b8f5467d11cb6ff7cc1ee3301c3476aa8e5b957ba553c65457a49f5fd67e87fe2af10b5c83b03e9f40bfdb143a24da2d78419df24cc8973ab447c5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WebPlayerTV.7z
Filesize
1.5MB

MD5
49332b12b85257db604b537a8904369b

SHA1
6885b8f5c7995aedd0488a97fc7adcc6bf6ccd31

SHA256
09466cd9c387f8d808dd63d1d379ccbb35463767defdbd5e2058d27347f5e63c

SHA512
67be970c86e505b692c79d8af4a80ad31136f59be31a1ba2719c5a72e8753eff3df5a72313b64f6d267872f9c06cd862f872f0065b5d9604013db69d166a9b3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\config.ini
Filesize
356B

MD5
88120f8c8f57321a91fa1c00b898cba2

SHA1
073af01c61707c810b0336f2d9f37dec3cc175ef

SHA256
6b20e9a25af4c092558f463786f630e27638f1cd44791f6b886c797548ad9adc

SHA512
d5b7955cf9c4b3c1ee0588b7c0453466c0e0b48d4793685ab8e7af3a290b7e66e66f285a3c46ef3762b2a0fa1745abb5f5cdff0895dc47cb2b072e1590dae5a4

Download Submit
\Users\Admin\AppData\Local\Temp\7za.exe
Filesize
574KB

MD5
42badc1d2f03a8b1e4875740d3d49336

SHA1
cee178da1fb05f99af7a3547093122893bd1eb46

SHA256
c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf

SHA512
6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

Download Submit