99404f4b2b977e50cce3eb9c0f138503ed9f018e3bebb86e4b67bcb7fc73c596

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
21/02/2024, 04:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b0ba5405df886e1993b535a9347b740c.exe
Size

93KB
MD5

b0ba5405df886e1993b535a9347b740c
SHA1

c3515dccc4c970b9fa48d01977a91fbd5f8d3be3
SHA256

99404f4b2b977e50cce3eb9c0f138503ed9f018e3bebb86e4b67bcb7fc73c596
SHA512

feade6f069d857590a7730e24df56c82ded2d73b936342b41d09fe936c5f40e6ccbc11079daf5ffec3c6b4799257ce594997e70011636742ca82074e427a000f
SSDEEP

1536:qkmnpomddpMOtEvwDpjJGYQbN/PKwNgpYB:AnBdOOtEvwDpj6zP

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2836	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
2184	b0ba5405df886e1993b535a9347b740c.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2184-0-0x0000000000500000-0x000000000050F000-memory.dmp	upx
behavioral1/files/0x000b000000012238-11.dat	upx
behavioral1/memory/2184-15-0x0000000000500000-0x000000000050F000-memory.dmp	upx
behavioral1/memory/2836-16-0x0000000000500000-0x000000000050F000-memory.dmp	upx
behavioral1/memory/2836-26-0x0000000000500000-0x000000000050F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 2836	2184	b0ba5405df886e1993b535a9347b740c.exe	28
PID 2184 wrote to memory of 2836	2184	b0ba5405df886e1993b535a9347b740c.exe	28
PID 2184 wrote to memory of 2836	2184	b0ba5405df886e1993b535a9347b740c.exe	28
PID 2184 wrote to memory of 2836	2184	b0ba5405df886e1993b535a9347b740c.exe	28

C:\Users\Admin\AppData\Local\Temp\b0ba5405df886e1993b535a9347b740c.exe
"C:\Users\Admin\AppData\Local\Temp\b0ba5405df886e1993b535a9347b740c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
93KB

MD5
bd0ec4a7a4b95a95b0dd80b4acc2d4ab

SHA1
38900ceec98e18ff41e96a660c15dad9f10c28a6

SHA256
0b3b6509602cf1f6a132cdf33b5db05399d3c976b0895ab56afa0989484e57dd

SHA512
88b047ee429a03a13eab2381891fce243f4327f54db38568980eac5d12ede8756590ba7a1b3bdf1658dc7ecd6b04ed459b7e7940aec50044e1a14408c98afd38

Download Submit
memory/2184-0-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/2184-1-0x0000000000320000-0x0000000000326000-memory.dmp

Filesize
24KB

Download
memory/2184-3-0x0000000000450000-0x0000000000456000-memory.dmp

Filesize
24KB

Download
memory/2184-2-0x0000000000320000-0x0000000000326000-memory.dmp

Filesize
24KB

Download
memory/2184-15-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/2836-16-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/2836-19-0x0000000000460000-0x0000000000466000-memory.dmp

Filesize
24KB

Download
memory/2836-18-0x0000000000330000-0x0000000000336000-memory.dmp

Filesize
24KB

Download
memory/2836-26-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download