e2aada4f8c14f09c18977e9bba42233d7cc7575502b379a4f95701658907c962

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-01-2024 17:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7512aeaabc9121acae31ab38edb2ba61.exe
Size

11KB
MD5

7512aeaabc9121acae31ab38edb2ba61
SHA1

f4a053c6de78f4aea3ecc3ec7e75e5946ffe932f
SHA256

e2aada4f8c14f09c18977e9bba42233d7cc7575502b379a4f95701658907c962
SHA512

770e0f4d6f4d4a60aa3b53d040e89c195da89c50c48d097bc6f46931d3a596214d21d7cd5e8038ceb245015f6208c5917c8a70053341102cb9a3fcdaa4ab0675
SSDEEP

192:nwh85gw7e+gUpY/fFaNJhLkwcud2DH9VwGfctAphgpNfFUJ/j:whA5e+gUp2aNJawcudoD7Uk6z9U1j

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

b2e.exe

pid process

3024 b2e.exe
Loads dropped DLL 2 IoCs

Processes:

7512aeaabc9121acae31ab38edb2ba61.exe

pid process

2668 7512aeaabc9121acae31ab38edb2ba61.exe
2668 7512aeaabc9121acae31ab38edb2ba61.exe

pid	process
3024	b2e.exe

pid	process
2668	7512aeaabc9121acae31ab38edb2ba61.exe
2668	7512aeaabc9121acae31ab38edb2ba61.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2668-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2668-11-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

7512aeaabc9121acae31ab38edb2ba61.exeb2e.exe

description	pid	process	target process
PID 2668 wrote to memory of 3024	2668	7512aeaabc9121acae31ab38edb2ba61.exe	b2e.exe
PID 2668 wrote to memory of 3024	2668	7512aeaabc9121acae31ab38edb2ba61.exe	b2e.exe
PID 2668 wrote to memory of 3024	2668	7512aeaabc9121acae31ab38edb2ba61.exe	b2e.exe
PID 2668 wrote to memory of 3024	2668	7512aeaabc9121acae31ab38edb2ba61.exe	b2e.exe
PID 3024 wrote to memory of 2700	3024	b2e.exe	cmd.exe
PID 3024 wrote to memory of 2700	3024	b2e.exe	cmd.exe
PID 3024 wrote to memory of 2700	3024	b2e.exe	cmd.exe
PID 3024 wrote to memory of 2700	3024	b2e.exe	cmd.exe
PID 3024 wrote to memory of 2040	3024	b2e.exe	cmd.exe
PID 3024 wrote to memory of 2040	3024	b2e.exe	cmd.exe
PID 3024 wrote to memory of 2040	3024	b2e.exe	cmd.exe
PID 3024 wrote to memory of 2040	3024	b2e.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\7512aeaabc9121acae31ab38edb2ba61.exe
"C:\Users\Admin\AppData\Local\Temp\7512aeaabc9121acae31ab38edb2ba61.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2668

C:\Users\Admin\AppData\Local\Temp\535E.tmp\b2e.exe
"C:\Users\Admin\AppData\Local\Temp\535E.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\535E.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\7512aeaabc9121acae31ab38edb2ba61.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3024

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\5522.tmp\batfile.bat" "
3⤵
PID:2700

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\selfdel0.bat" "
3⤵
PID:2040

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5522.tmp\batfile.bat
Filesize
31B

MD5
c06882e5d200a2a75e39caff89d6ad4b

SHA1
9fed645a3c3bef5b534411a6bd5ba7ebd1183069

SHA256
8eae027d2b667cbcffb280231a9ad4fa62c66f7a2497a09a2d1353834e736987

SHA512
61881e005e802a8ad57a784087ba078773bd99e3475d3f058706747c020de67a692440227166f7a04d5e1660a49dfecd854d5ed58d89c1805897438536306e98

Download Submit
C:\Users\Admin\AppData\Local\Temp\selfdel0.bat
Filesize
158B

MD5
bb00ae56b7ef19edffdf2d4e4a19cd1d

SHA1
34dab6d2fbbdf8886ce00c5300e5b9a1b3b411c1

SHA256
8ccabb5d88abf4b7f44c61d531fe3e5d6c46a02659fa9d171b0ce774d255611d

SHA512
847584f025761a01fa51f96944ca99dff093bb9bf11ebdf545911be0c3ff407d192f887e89e5cafca726d5c21a4b55242cf7240452f940237d1b30fab7a339cc

Download Submit
\Users\Admin\AppData\Local\Temp\535E.tmp\b2e.exe
Filesize
8KB

MD5
7cca02cab1740a2cde4f19401d90b761

SHA1
211aedb45f6285b80b99ac2ab0997ab44c68beed

SHA256
a3c2d58306e634011046cc19f0b26fefd3bb378c4c66d1f8d2df2937eeeeee33

SHA512
6ba424faa5ca129382c0d179dbbb6d45ce28010d8936911b506a16afe1af433c289a5df361a83a50f1e0b470fbae037809416a45f097317a04227cfd49de5ff4

Download Submit
memory/2668-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2668-4-0x0000000002570000-0x0000000002575000-memory.dmp

Filesize
20KB

Download
memory/2668-11-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3024-14-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3024-37-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download