5ccc87a13eed7948136af8712baaa0644c835282251872216862951665adbca6

Analysis

max time kernel
140s
max time network
119s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26-01-2024 03:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

76417288fc1663f99329aadfbff35bfa.exe
Size

30KB
MD5

76417288fc1663f99329aadfbff35bfa
SHA1

2a7e5f48c5e88f6e494865533a3f1b80ed54992f
SHA256

5ccc87a13eed7948136af8712baaa0644c835282251872216862951665adbca6
SHA512

d82d5839dc9a4f4d7fa12ef5810ca727866abefb27b57d94975f86fa7e267530a097b2b7e3cf8ab7bc212f783d93fcff4e1c0013f7f7d105c2b3263499dede66
SSDEEP

768:/kGEjHCWG1+4sHPeIIlgw4x5LOi3+jpY/2:/nEjHCW94QPRIlmvMA

Score

7^/10

upx

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AdLoader.lnk	WScript.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2080-0-0x0000000000400000-0x0000000000412000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 2740	2080	76417288fc1663f99329aadfbff35bfa.exe	28
PID 2080 wrote to memory of 2740	2080	76417288fc1663f99329aadfbff35bfa.exe	28
PID 2080 wrote to memory of 2740	2080	76417288fc1663f99329aadfbff35bfa.exe	28
PID 2080 wrote to memory of 2740	2080	76417288fc1663f99329aadfbff35bfa.exe	28
PID 2080 wrote to memory of 5728	2080	76417288fc1663f99329aadfbff35bfa.exe	30
PID 2080 wrote to memory of 5728	2080	76417288fc1663f99329aadfbff35bfa.exe	30
PID 2080 wrote to memory of 5728	2080	76417288fc1663f99329aadfbff35bfa.exe	30
PID 2080 wrote to memory of 5728	2080	76417288fc1663f99329aadfbff35bfa.exe	30
PID 2740 wrote to memory of 5744	2740	cmd.exe	31
PID 2740 wrote to memory of 5744	2740	cmd.exe	31
PID 2740 wrote to memory of 5744	2740	cmd.exe	31
PID 2740 wrote to memory of 5744	2740	cmd.exe	31
PID 5744 wrote to memory of 5764	5744	net.exe	32
PID 5744 wrote to memory of 5764	5744	net.exe	32
PID 5744 wrote to memory of 5764	5744	net.exe	32
PID 5744 wrote to memory of 5764	5744	net.exe	32

C:\Users\Admin\AppData\Local\Temp\76417288fc1663f99329aadfbff35bfa.exe
"C:\Users\Admin\AppData\Local\Temp\76417288fc1663f99329aadfbff35bfa.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c NET STOP wscsvc && NET STOP sharedaccess
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Windows\SysWOW64\net.exe
    NET STOP wscsvc
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5744
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP wscsvc
      4⤵
      PID:5764
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\jozvs.vbs"
  2⤵
  - Drops startup file
  PID:5728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\g9sbw

Filesize
166KB

MD5
2dee8ffd5fa8f70a8b700f3624a67884

SHA1
5340fac53d1785455e05ded2f2cdc067523874db

SHA256
2c0879250b9921785933a25e85571d278414fbf4812a8b8c09f8e264bb852cf2

SHA512
b77550a445f85912f072af5f5e2859ef3a79cff4766c6c37237adbc1cf84db9e31841a2e70a987968837bed5bb227e43a09ecfbbb24b8f44f1faa053e785dda0

Download Submit
C:\Users\Admin\AppData\Local\Temp\g9sbw

Filesize
166KB

MD5
ccbb65aad256decc83b9d3d4ae13aff0

SHA1
f04b879be27ff992030497067f7c03cf9b37c41e

SHA256
fe6a985d33e6f55cbea637120839f8f2cc89a6da3bc1ddb2d0fc68adcfd238c7

SHA512
b823e449fceedb41ad00f5245140be9aed085d3585f3ba5f5969d146af622199c135502364b2ea3e99d0cc692c8caa6bc3246f4938eca3309a9639d6967af9f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\jozvs.vbs

Filesize
1KB

MD5
af51dccb90b605432f56da67d8e6d09e

SHA1
0474e7ec5120c991bb36525ebf11ec5ceeb4fd61

SHA256
e3e78a5786bf6b61a3a93466cc4389ca4635d1214abf6ddb0b128b53aa2ce143

SHA512
e3a14538a8d28120faea71b909860da90610b08861c93647d4705f938460b5ff502a42f82c1a06b6e9e2e82975a28b8c9051631f83333a2eeb96e66205b61c49

Download Submit
C:\Users\Admin\AppData\Local\Temp\ptyga.bat

Filesize
1014B

MD5
1f361760ede2602f0a971be50f66509f

SHA1
2b19c8c1c348a0c71c721ddbf797b1d5caf9dd90

SHA256
c2158d975c8e062488dc4ee5a51a5421ec88397786dbe636fc80d85efc37dc6f

SHA512
709c662ed89a2bf6aa7cd2f215c97d1ed5fa2424e1b8a030ffe924742b0c5fe339fdf1d92f61b00b31aeab7ccd62f06a4a4db0a4db3fe8d564b9a50218b54bfe

Download Submit
memory/2080-0-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2080-1-0x0000000000260000-0x0000000000262000-memory.dmp

Filesize
8KB

Download
memory/2080-2-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2080-1078-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download