c0ad14caca8b8b0972e40ddb9a95a036480055bab963ac39dfa1d5fa952fbf60

Analysis

max time kernel
143s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
06-02-2024 21:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9586779b197073c3004fba0593e40d76.exe
Size

5.0MB
MD5

9586779b197073c3004fba0593e40d76
SHA1

9bcdf21ef19b847a2e68d6dd53b6461abb931162
SHA256

c0ad14caca8b8b0972e40ddb9a95a036480055bab963ac39dfa1d5fa952fbf60
SHA512

302d531377b37205d105693223fb85a7fd0281516331bb3225794afcc6ef357aafc4a1d7b83b0dff0b983c3088a88077542137f2bed04f794a648eed9c68bae8
SSDEEP

98304:1eM85gLFg3vqpaF4tbigrdNet7NDx+9am+rDy1yz+Ve5dQn1Zx7veL5LRX47zvLM:r85IFg3vqpaUiee3Y9cDefVe5dQ17De9

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2688	7za.exe
2868	Setup.exe

Loads dropped DLL 3 IoCs

pid	Process
2812	cmd.exe
2812	cmd.exe
2812	cmd.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000400000001cbc0-520.dat	upx
behavioral1/memory/2812-522-0x0000000000440000-0x0000000000501000-memory.dmp	upx
behavioral1/files/0x000400000001cbc0-521.dat	upx
behavioral1/files/0x000400000001cbc0-523.dat	upx
behavioral1/memory/2868-524-0x0000000000400000-0x00000000004C1000-memory.dmp	upx
behavioral1/memory/2868-526-0x0000000000400000-0x00000000004C1000-memory.dmp	upx

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2868-526-0x0000000000400000-0x00000000004C1000-memory.dmp	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2868	Setup.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 2344	2184	9586779b197073c3004fba0593e40d76.exe	28
PID 2184 wrote to memory of 2344	2184	9586779b197073c3004fba0593e40d76.exe	28
PID 2184 wrote to memory of 2344	2184	9586779b197073c3004fba0593e40d76.exe	28
PID 2184 wrote to memory of 2344	2184	9586779b197073c3004fba0593e40d76.exe	28
PID 2184 wrote to memory of 2344	2184	9586779b197073c3004fba0593e40d76.exe	28
PID 2184 wrote to memory of 2344	2184	9586779b197073c3004fba0593e40d76.exe	28
PID 2184 wrote to memory of 2344	2184	9586779b197073c3004fba0593e40d76.exe	28
PID 2344 wrote to memory of 2812	2344	WScript.exe	30
PID 2344 wrote to memory of 2812	2344	WScript.exe	30
PID 2344 wrote to memory of 2812	2344	WScript.exe	30
PID 2344 wrote to memory of 2812	2344	WScript.exe	30
PID 2344 wrote to memory of 2812	2344	WScript.exe	30
PID 2344 wrote to memory of 2812	2344	WScript.exe	30
PID 2344 wrote to memory of 2812	2344	WScript.exe	30
PID 2812 wrote to memory of 2688	2812	cmd.exe	31
PID 2812 wrote to memory of 2688	2812	cmd.exe	31
PID 2812 wrote to memory of 2688	2812	cmd.exe	31
PID 2812 wrote to memory of 2688	2812	cmd.exe	31
PID 2812 wrote to memory of 2688	2812	cmd.exe	31
PID 2812 wrote to memory of 2688	2812	cmd.exe	31
PID 2812 wrote to memory of 2688	2812	cmd.exe	31
PID 2812 wrote to memory of 2868	2812	cmd.exe	32
PID 2812 wrote to memory of 2868	2812	cmd.exe	32
PID 2812 wrote to memory of 2868	2812	cmd.exe	32
PID 2812 wrote to memory of 2868	2812	cmd.exe	32
PID 2812 wrote to memory of 2868	2812	cmd.exe	32
PID 2812 wrote to memory of 2868	2812	cmd.exe	32
PID 2812 wrote to memory of 2868	2812	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\9586779b197073c3004fba0593e40d76.exe
"C:\Users\Admin\AppData\Local\Temp\9586779b197073c3004fba0593e40d76.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Lanceur.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\Extract.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\Users\Admin\AppData\Local\Temp\7za.exe
      .\7za.exe e .\WebPlayerTV.7z -pjesuisadmin -y
      4⤵
      Executes dropped EXE
      PID:2688
  - - C:\Users\Admin\AppData\Local\Temp\Setup.exe
      .\Setup.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: GetForegroundWindowSpam
      PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Extract.bat

Filesize
87B

MD5
9495ff73014b8a17bd4798911ad097fa

SHA1
71b6db4d7e576cf8b1cbf93079397bc0c1ce46b2

SHA256
0a59275adf474e7164e14a7e622ecb93f3a1477958e6e1e0de6d7ae2c6913a33

SHA512
55062bb9381ac302367aeb43492613762434da730663891f577e050fcbc0993eaf19e96154adf4d669cb9587d8eef2a7ec96cb02b366db5d5c58b1eefe64ecd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lanceur.vbs

Filesize
115B

MD5
67eb1322395d41dddc9045b4eef2309d

SHA1
b85b2332b9fd4ac03aec49a9291e90e8b96547a5

SHA256
56ddc657309aeab74ca42cf466deac992da8a0054830340ba839ffdf1d242be4

SHA512
de37b1358f639f6647e6ae99b6719a0ddf5e9b8f9e8ea33b6284ecac3d33650e9257a63697dcd5d79ee5ed2790ece0b3aca3332719f678ca89f3d4562b00603d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.exe

Filesize
245KB

MD5
b89f122e82e8871266a8ce75ddedc353

SHA1
680f07d20a7ba4e73ca0dd1928195b086f195504

SHA256
cee8f2fa3c4e988831daf509e8186f6c54beaacad1062cf9d2e98d06a98a77d3

SHA512
ffafcf4b5407e1b33f58f07d34ed85c51eca016e045d12628c39d6569e85aaf167f266f5d3703ae454e9c2b06e4316ac500f6a9e2702ca9df6e4430aec1affe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.exe

Filesize
27KB

MD5
68be8b8b5882455dc7f5cfa9aa9e475a

SHA1
baa297bd3dcbe30fdbb44a841407b31363ca60c9

SHA256
62ea9d9021963441787b89302c43622587790c3f4ba5f820f845f3102249e1b2

SHA512
d9afaa4eb1a0d121dd1639f70a4473d815123ac775e259d337a95aaccad5a48d41dc6507a21fe728a6518b60a47a63d4d3245dc88d1684dd501034b9d76ef95c

Download Submit
C:\Users\Admin\AppData\Local\Temp\WebPlayerTV.7z

Filesize
3.3MB

MD5
9cb494310523f5a93ba424b6b3033cdd

SHA1
40f68d727d8821f0c77db450aa811c206dfdad00

SHA256
ddbb40967856346b6f23fd3932ca74b01881dd5f282c0cb16fae41e8aea88a2e

SHA512
aaad128a5b6440d0a962b781a347a0b8e212cfebb4540d175d9c382fb3767538416f4edd20d82a997c085dcf6b320b3a93355024b37cf98632b556184a2f0008

Download Submit
C:\Users\Admin\AppData\Local\Temp\config.ini

Filesize
383B

MD5
e48e0650aee7207a0b908d9830b0b487

SHA1
56d23ed45ebf1ec42914da69bdd5b890733744b2

SHA256
652034b9a3d29611ec91971a3f3d7e9438c0ed748f050df4329371ccf91da0ee

SHA512
c0ca42779a040e3aeaaf8d4f53d4ce17639dc82068d90d78830ba927f652c8127fca19321bddeaba321d9470d78892fa48d1d83dc9cebae1bdf88704fa0ae1cb

Download Submit
\Users\Admin\AppData\Local\Temp\7za.exe

Filesize
574KB

MD5
42badc1d2f03a8b1e4875740d3d49336

SHA1
cee178da1fb05f99af7a3547093122893bd1eb46

SHA256
c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf

SHA512
6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

Download Submit
\Users\Admin\AppData\Local\Temp\Setup.exe

Filesize
377KB

MD5
f6686d0ca02fdffa3c5832fedfcf6530

SHA1
2da75373216673b3237250be7606a3d803e7edd6

SHA256
d54bedbbc1c39e2dfaa0239457dc7478496bef99564f3f29055d103d0f6dd5cf

SHA512
8b6c0d326a2eae6bd75efb4bf08f74cbd2a228aa097c2d08999223e9e74080495703285f2d708bd770e3027ad15e521a3a3f918d52be9413489565b0ca497d0c

Download Submit
memory/2812-522-0x0000000000440000-0x0000000000501000-memory.dmp

Filesize
772KB

Download
memory/2868-524-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2868-526-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download