6d73ef18408bd3ec6f9247b0750a88aabbf759ea1cc110d72b693b6f75f3a8ad

Analysis

max time kernel
140s
max time network
117s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
27-03-2024 11:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e18cd9c705201f10a09460116cdcfdd2.exe
Size

673KB
MD5

e18cd9c705201f10a09460116cdcfdd2
SHA1

21842b280055dba1adb1f0b00f0cee970e6d5043
SHA256

6d73ef18408bd3ec6f9247b0750a88aabbf759ea1cc110d72b693b6f75f3a8ad
SHA512

61b7375e486dbf13fa0a5cb73d33f2566052e1ab20351174727c81acdca38844e586d4bb5373fc9f330cde5cc3b18d0c192bf0612e22bfd1f3ec62362d1258f9
SSDEEP

12288:yjkArEN249AyE/rbaMct4bO2/VWMa1QbByvW153d3s2XFk+7TYIXPZW6mzTTCjS:lFE//Tct4bOsk/qBIW1Zxs8F975EdfTv

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/952-0-0x0000000000400000-0x00000000004BF000-memory.dmp	upx
behavioral1/memory/952-17-0x0000000000400000-0x00000000004BF000-memory.dmp	upx

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/952-17-0x0000000000400000-0x00000000004BF000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 952 set thread context of 1064	952	e18cd9c705201f10a09460116cdcfdd2.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1064	e18cd9c705201f10a09460116cdcfdd2.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 952 wrote to memory of 1064	952	e18cd9c705201f10a09460116cdcfdd2.exe	28
PID 952 wrote to memory of 1064	952	e18cd9c705201f10a09460116cdcfdd2.exe	28
PID 952 wrote to memory of 1064	952	e18cd9c705201f10a09460116cdcfdd2.exe	28
PID 952 wrote to memory of 1064	952	e18cd9c705201f10a09460116cdcfdd2.exe	28
PID 952 wrote to memory of 1064	952	e18cd9c705201f10a09460116cdcfdd2.exe	28
PID 952 wrote to memory of 1064	952	e18cd9c705201f10a09460116cdcfdd2.exe	28
PID 952 wrote to memory of 1064	952	e18cd9c705201f10a09460116cdcfdd2.exe	28
PID 952 wrote to memory of 1064	952	e18cd9c705201f10a09460116cdcfdd2.exe	28
PID 952 wrote to memory of 1064	952	e18cd9c705201f10a09460116cdcfdd2.exe	28
PID 952 wrote to memory of 1064	952	e18cd9c705201f10a09460116cdcfdd2.exe	28
PID 952 wrote to memory of 1064	952	e18cd9c705201f10a09460116cdcfdd2.exe	28

C:\Users\Admin\AppData\Local\Temp\e18cd9c705201f10a09460116cdcfdd2.exe
"C:\Users\Admin\AppData\Local\Temp\e18cd9c705201f10a09460116cdcfdd2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:952
- C:\Users\Admin\AppData\Local\Temp\e18cd9c705201f10a09460116cdcfdd2.exe
  "C:\Users\Admin\AppData\Local\Temp\e18cd9c705201f10a09460116cdcfdd2.exe"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/952-6-0x0000000003230000-0x00000000032EF000-memory.dmp

Filesize
764KB

Download
memory/952-17-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/952-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1064-8-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1064-1-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1064-14-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1064-12-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1064-10-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1064-3-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1064-16-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1064-5-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1064-18-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1064-19-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1064-20-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1064-21-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1064-22-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1064-24-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download