94229e41fcdfddf7ae19a3d6c37f5d04e72467247f79d9c7d390d5e261a180f8

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
12/03/2024, 05:31

Target

c291008a100d08b187d6cf99003c10d4.exe
Size

142KB
MD5

c291008a100d08b187d6cf99003c10d4
SHA1

5c05e7d96102b321cbdbcbb21899c273c34840bd
SHA256

94229e41fcdfddf7ae19a3d6c37f5d04e72467247f79d9c7d390d5e261a180f8
SHA512

68cc23d1df9d2a035b73687b53d47b6d6def816495a2bc88bd988af05ef312ec60d44c073a61d74e905a739fae82785be22e826e63d41c5945298f6aa953e3b5
SSDEEP

768:+wf3IEp8JRcu/1KOMcwPGxaV6rG22dnWtUB54w4jss3Ydb:+eIEp8vdllxg6CvdoUBL4jl0b

Score

7^/10

upx

Deletes itself 1 IoCs

pid	Process
1724	cmd.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/2112-2-0x0000000000400000-0x0000000000471000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2112	c291008a100d08b187d6cf99003c10d4.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 1724	2112	c291008a100d08b187d6cf99003c10d4.exe	28
PID 2112 wrote to memory of 1724	2112	c291008a100d08b187d6cf99003c10d4.exe	28
PID 2112 wrote to memory of 1724	2112	c291008a100d08b187d6cf99003c10d4.exe	28
PID 2112 wrote to memory of 1724	2112	c291008a100d08b187d6cf99003c10d4.exe	28

C:\Users\Admin\AppData\Local\Temp\c291008a100d08b187d6cf99003c10d4.exe
"C:\Users\Admin\AppData\Local\Temp\c291008a100d08b187d6cf99003c10d4.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\a..bat" > nul 2> nul
  2⤵
  - Deletes itself
  PID:1724

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\a..bat

Filesize
210B

MD5
59317876362c914542ef510a78df4157

SHA1
99eaef3ec788c758d2d26d84bc2fecc7011c60e0

SHA256
e59a01464c0f7fe644422bbad6b637f781a1effa9a654456a70d6be5ebb7ac80

SHA512
b8236d957b2dd0a82f834908d54da2d43a18b5b357562fed16341f1cc02ad4b0a42e31e99ce43573e7932d5cd852293ec55e3dc86aaf3d33085108a53e930c79

Download Submit
memory/2112-0-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2112-2-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download