ec0b65832244b20a3777976c35ef629ca6ad74e7b07167e064270253bcbbedc0

Analysis

max time kernel
144s
max time network
151s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
02-03-2024 13:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Update.exe
Size

45KB
MD5

656da1a6c155301cdd82ec2e0faefd7b
SHA1

03c556b95f7adbb6b32eb4a7d8d14fff0d3e3ed0
SHA256

ec0b65832244b20a3777976c35ef629ca6ad74e7b07167e064270253bcbbedc0
SHA512

222206e897813b4dad44070125e159379f95f8dcfd2c1f4e0a832b045a3b7de40afab4c6226a17a83c462f21b8f1841b237c2be9a9d081b054eaacf3166fa47e
SSDEEP

768:adhO/poiiUcjlJIn7onH9Xqk5nWEZ5SbTDa2WI7CPW5s:8w+jjgnMnH9XqcnW85SbTvWI0

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Update.exe

pid	Process
2700	Update.exe

Loads dropped DLL 1 IoCs

Processes:

Update.exe

pid	Process
640	Update.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exe

pid	Process
2508	schtasks.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

Update.exeUpdate.exe

description	pid	Process	procid_target
PID 640 wrote to memory of 2700	640	Update.exe	28
PID 640 wrote to memory of 2700	640	Update.exe	28
PID 640 wrote to memory of 2700	640	Update.exe	28
PID 640 wrote to memory of 2700	640	Update.exe	28
PID 640 wrote to memory of 2700	640	Update.exe	28
PID 640 wrote to memory of 2700	640	Update.exe	28
PID 640 wrote to memory of 2700	640	Update.exe	28
PID 2700 wrote to memory of 2508	2700	Update.exe	29
PID 2700 wrote to memory of 2508	2700	Update.exe	29
PID 2700 wrote to memory of 2508	2700	Update.exe	29
PID 2700 wrote to memory of 2508	2700	Update.exe	29

C:\Users\Admin\AppData\Local\Temp\Update.exe
"C:\Users\Admin\AppData\Local\Temp\Update.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:640
- C:\Users\Admin\AppData\Roaming\XenoManager\Update.exe
  "C:\Users\Admin\AppData\Roaming\XenoManager\Update.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /Create /TN "Update" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAFA0.tmp" /F
    3⤵
    - Creates scheduled task(s)
    PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpAFA0.tmp

Filesize
1KB

MD5
dd16851fb7493affc25567b65a14dd9d

SHA1
2d8543015cf9aae4d400b681b305f7371cf612b1

SHA256
3582a43056ce25d18dba52573042206a4991f301e3965b21c93cee12e4b290a9

SHA512
3186eb2607067e98ecc475f9b3e7f1ffc6611b075badae5505a3a1fef799d75fedc5ef58c9c9c217d9a54514f042b47142e40f653005c3b8b64e547eff49831f

Download Submit
\Users\Admin\AppData\Roaming\XenoManager\Update.exe

Filesize
45KB

MD5
656da1a6c155301cdd82ec2e0faefd7b

SHA1
03c556b95f7adbb6b32eb4a7d8d14fff0d3e3ed0

SHA256
ec0b65832244b20a3777976c35ef629ca6ad74e7b07167e064270253bcbbedc0

SHA512
222206e897813b4dad44070125e159379f95f8dcfd2c1f4e0a832b045a3b7de40afab4c6226a17a83c462f21b8f1841b237c2be9a9d081b054eaacf3166fa47e

Download Submit
memory/640-0-0x0000000001290000-0x00000000012A2000-memory.dmp

Filesize
72KB

Download
memory/640-1-0x0000000074A00000-0x00000000750EE000-memory.dmp

Filesize
6.9MB

Download
memory/640-10-0x0000000074A00000-0x00000000750EE000-memory.dmp

Filesize
6.9MB

Download
memory/2700-9-0x00000000013B0000-0x00000000013C2000-memory.dmp

Filesize
72KB

Download
memory/2700-11-0x0000000074A00000-0x00000000750EE000-memory.dmp

Filesize
6.9MB

Download
memory/2700-14-0x0000000000BD0000-0x0000000000C10000-memory.dmp

Filesize
256KB

Download
memory/2700-15-0x0000000074A00000-0x00000000750EE000-memory.dmp

Filesize
6.9MB

Download
memory/2700-16-0x0000000000BD0000-0x0000000000C10000-memory.dmp

Filesize
256KB

Download