5a7e5d1cc4e8d7e0565b213e04287b8743af3c15516dff33f5410e84ccd9f1a4

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15/03/2024, 22:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cc688addf398befa3a58dd106fb39e9e.exe
Size

51KB
MD5

cc688addf398befa3a58dd106fb39e9e
SHA1

b3c12d6dd8d751d1a252fce1acda81084799f440
SHA256

5a7e5d1cc4e8d7e0565b213e04287b8743af3c15516dff33f5410e84ccd9f1a4
SHA512

f02eccd54bd31d71697e630fb32bf50836220f57afaaf9e7195c99ae161144e5ae7ca7168dfcec433123028babcdf7cc26ff81f4ba56fa90413f46da0255c7b8
SSDEEP

768:wIt2LzE0aZlNobeCxPeulGkQpUg1JCMvG/wzFKEKmj9OTwcYwnhxaA1H5BpV:1t9KbeTvFUgX5vE+FnZjMT3PDaA1LpV

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2940-0-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/2940-3-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/2940-4-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/2940-5-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/2940-21-0x0000000000400000-0x0000000000410000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2156 set thread context of 2940	2156	cc688addf398befa3a58dd106fb39e9e.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2940	2156	cc688addf398befa3a58dd106fb39e9e.exe	28
PID 2156 wrote to memory of 2940	2156	cc688addf398befa3a58dd106fb39e9e.exe	28
PID 2156 wrote to memory of 2940	2156	cc688addf398befa3a58dd106fb39e9e.exe	28
PID 2156 wrote to memory of 2940	2156	cc688addf398befa3a58dd106fb39e9e.exe	28
PID 2156 wrote to memory of 2940	2156	cc688addf398befa3a58dd106fb39e9e.exe	28
PID 2156 wrote to memory of 2940	2156	cc688addf398befa3a58dd106fb39e9e.exe	28
PID 2156 wrote to memory of 2940	2156	cc688addf398befa3a58dd106fb39e9e.exe	28
PID 2156 wrote to memory of 2940	2156	cc688addf398befa3a58dd106fb39e9e.exe	28
PID 2940 wrote to memory of 2632	2940	cc688addf398befa3a58dd106fb39e9e.exe	29
PID 2940 wrote to memory of 2632	2940	cc688addf398befa3a58dd106fb39e9e.exe	29
PID 2940 wrote to memory of 2632	2940	cc688addf398befa3a58dd106fb39e9e.exe	29
PID 2940 wrote to memory of 2632	2940	cc688addf398befa3a58dd106fb39e9e.exe	29

C:\Users\Admin\AppData\Local\Temp\cc688addf398befa3a58dd106fb39e9e.exe
"C:\Users\Admin\AppData\Local\Temp\cc688addf398befa3a58dd106fb39e9e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Users\Admin\AppData\Local\Temp\cc688addf398befa3a58dd106fb39e9e.exe
  C:\Users\Admin\AppData\Local\Temp\cc688addf398befa3a58dd106fb39e9e.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\1A83.tmp\renamer.bat" "
    3⤵
    PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1A83.tmp\renamer.bat

Filesize
104B

MD5
ecfeb6070af2c8ec7c02d9db01c21c96

SHA1
0a154622a6ff94280677d6b3c91337eb1059b650

SHA256
96ef3cb79847f58d43d52ff29da3415da4805d76cf784769423147b853b1f8fb

SHA512
493bfcea2f9b71ed4f4364d498b5288fe4f6b5c53ed35a6cf451378e92ca649e1c635082c37065424318f373e7cb8241210f067e6c33d9b384116e059197186c

Download Submit
memory/2156-1-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2940-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2940-3-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2940-4-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2940-5-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2940-21-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download