45f4663abb2cde14ad90a2e45de0820c2741f008f8035ee5d32a712dc415f1b0

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-02-2024 21:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2c937648ed2643ed36b947f6c9abbe9.exe
Size

550KB
MD5

a2c937648ed2643ed36b947f6c9abbe9
SHA1

1d6d52109eedc1c375ffb6351de048c3055d011b
SHA256

45f4663abb2cde14ad90a2e45de0820c2741f008f8035ee5d32a712dc415f1b0
SHA512

4896355cf8a095b8412f1438605eb98206c7b3bab660b20f5754105c3c0b4dccb167152ec5c0962a2dd94ecc173c842b586b86284abfec2f693ad863fc7a5e10
SSDEEP

12288:ZTmbBer53CgBxzcxZOjhUSylW1jerTvnWZdZAJ3h5d:dmbs19xzK0UtejeX+ZdZAdh/

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2592	cmd.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2320-0-0x0000000000400000-0x000000000067A000-memory.dmp	upx
behavioral1/memory/2320-27-0x0000000000400000-0x000000000067A000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\cgico.ico	a2c937648ed2643ed36b947f6c9abbe9.exe
File created	C:\Windows\cgman_48_1.ico	a2c937648ed2643ed36b947f6c9abbe9.exe
File created	C:\Windows\cgman_16_1.ico	a2c937648ed2643ed36b947f6c9abbe9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2320	a2c937648ed2643ed36b947f6c9abbe9.exe
2320	a2c937648ed2643ed36b947f6c9abbe9.exe
2320	a2c937648ed2643ed36b947f6c9abbe9.exe
2320	a2c937648ed2643ed36b947f6c9abbe9.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 2592	2320	a2c937648ed2643ed36b947f6c9abbe9.exe	29
PID 2320 wrote to memory of 2592	2320	a2c937648ed2643ed36b947f6c9abbe9.exe	29
PID 2320 wrote to memory of 2592	2320	a2c937648ed2643ed36b947f6c9abbe9.exe	29
PID 2320 wrote to memory of 2592	2320	a2c937648ed2643ed36b947f6c9abbe9.exe	29

C:\Users\Admin\AppData\Local\Temp\a2c937648ed2643ed36b947f6c9abbe9.exe
"C:\Users\Admin\AppData\Local\Temp\a2c937648ed2643ed36b947f6c9abbe9.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\a2c937648ed2643ed36b947f6c9abbe9sd.bat" "
  2⤵
  - Deletes itself
  PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a2c937648ed2643ed36b947f6c9abbe9sd.bat

Filesize
268B

MD5
e2ffd73d532a464eb9cf4b825639d7a5

SHA1
6a71a314dc20ac8f16a409e837bda6d27eedfe16

SHA256
257d250074c090ab930e95a642d90e2dd2c98882534716ce1fb82cc84e5db7a9

SHA512
d469f5787ba840ed1e6f26d33df6064b9039b1661381e799d5d9780fd6065d135e67cadd11d661c3eeab261eace5d016b4c43ed50e20e84489763320165a236f

Download Submit
C:\Users\Admin\Favorites\여성의류 쇼핑몰순위-코디걸스.url

Filesize
131B

MD5
ff45237b9f90a3165a1a3c3baff3d720

SHA1
237945864484161ce5d11b6d77f1b60bf4c55d31

SHA256
e3b61ee55247b2cb7cef0e7d965f81f0308cbeac598d9165d1bc7695eb7e1d0e

SHA512
65035786a4eb19750f85efe03db09e84820d7575874a22f0541b3ac11a881b972399ec024f412a977257562aa5019dff8c99fb01129862fe602170b1b2b7d834

Download Submit
memory/2320-0-0x0000000000400000-0x000000000067A000-memory.dmp

Filesize
2.5MB

Download
memory/2320-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2320-27-0x0000000000400000-0x000000000067A000-memory.dmp

Filesize
2.5MB

Download