Analysis

  • max time kernel
    119s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    10/04/2024, 07:25

General

  • Target

    $TEMP/plier.exe

  • Size

    4KB

  • MD5

    11c8f037f0e1a68ff1c74cbcac6e3c6e

  • SHA1

    bb50ac196dfd3a194b7b7161947a012a0d49886c

  • SHA256

    aed09c9a90b38e324fa49b4b8b5b6e263413b49768d5b38f921c2ee4245a6b34

  • SHA512

    05da2d9cd1ce41a11d4ba0f82512790357139c815894f1be4468df137680ecd577660807c368d9c9c6e95aad10e2caa0f00cf1c5739b36644c75a2e8eeae6c2b

Score
4/10

Malware Config

Signatures

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\$TEMP\plier.exe
    "C:\Users\Admin\AppData\Local\Temp\$TEMP\plier.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:2732
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3852
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c "COPY /Y /B "" "C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\diskshadow.exe""
        3⤵
        PID:4164
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c "COPY /Y /B "" "C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\diskshadow.exe""
        3⤵
        PID:4224
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c "COPY /Y /B "" "C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\diskshadow.exe""
        3⤵
        PID:4368
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c "COPY /Y /B "" "C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\diskshadow.exe""
        3⤵
        PID:4436
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c "COPY /Y /B "" "C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\diskshadow.exe""
        3⤵
        PID:4504
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c "COPY /Y /B "" "C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\diskshadow.exe""
        3⤵
        PID:4572

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\win.ini

    Filesize

    517B

    MD5

    893cae59ab5945a94a7da007d47a1255

    SHA1

    d4cfd81c6647ca64022bd307c08a7fb4bbbd4c06

    SHA256

    edfa0f2d3bea9f737e0315971c6f81d3d8e7d460b60a19351ada0316a093c938

    SHA512

    d66e454781f54f45df814ad32d687b0f100578c2a4ffca62de81add04281fb881a550702bd2d058933d3736d14e88624af268a86ce24b0c3935242b206ffdcc9

  • memory/2732-1-0x0000000000230000-0x0000000000234000-memory.dmp

    Filesize

    16KB

  • memory/2732-0-0x0000000000270000-0x0000000000277000-memory.dmp

    Filesize

    28KB

  • memory/2732-3-0x0000000000240000-0x0000000000241000-memory.dmp

    Filesize

    4KB

  • memory/2732-10008-0x00000000002A0000-0x00000000002C2000-memory.dmp

    Filesize

    136KB

  • memory/3852-10009-0x0000000000090000-0x0000000000096000-memory.dmp

    Filesize

    24KB