9fa02c91e708fe7312eef8b8227639df688645ca4217015ed4365d33bd66f942

Analysis

max time kernel
149s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240214-en
resource tags

arch:x64arch:x86image:win11-20240214-enlocale:en-usos:windows11-21h2-x64system
submitted
10/04/2024, 18:57

Target

9fa02c91e708fe7312eef8b8227639df688645ca4217015ed4365d33bd66f942.exe
Size

266KB
MD5

411bf884803de86c6130cecf7f111d60
SHA1

bae65561d94c5216de7c67643a580d58b6c3e7c3
SHA256

9fa02c91e708fe7312eef8b8227639df688645ca4217015ed4365d33bd66f942
SHA512

83d9895351f473fee54909e8b624c643749eb9f36eed7d84932cce6c55d89da226e059bd1f2aacedbd66c4afc08c0c6d62dd0a41b43bc2a72f93714190b5cc1e
SSDEEP

3072:rNXEGZJWhfNFC4S60+XoLczrVmXgrXPIX75iXnOBATu3rejB1MiqGwePJH01ne4S:xXzKdNY49u8rV9Ti+JCKvMiqG/01net

Score

7^/10

upx

Executes dropped EXE 2 IoCs

pid	Process
3692	ITS SB App Switch.exe
3340	ITS SB App Switch.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/memory/644-0-0x0000000000EB0000-0x0000000000F50000-memory.dmp	upx
behavioral2/memory/644-14-0x0000000000EB0000-0x0000000000F50000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 644 wrote to memory of 3692	644	9fa02c91e708fe7312eef8b8227639df688645ca4217015ed4365d33bd66f942.exe	77
PID 644 wrote to memory of 3692	644	9fa02c91e708fe7312eef8b8227639df688645ca4217015ed4365d33bd66f942.exe	77
PID 644 wrote to memory of 3692	644	9fa02c91e708fe7312eef8b8227639df688645ca4217015ed4365d33bd66f942.exe	77
PID 644 wrote to memory of 3340	644	9fa02c91e708fe7312eef8b8227639df688645ca4217015ed4365d33bd66f942.exe	78
PID 644 wrote to memory of 3340	644	9fa02c91e708fe7312eef8b8227639df688645ca4217015ed4365d33bd66f942.exe	78
PID 644 wrote to memory of 3340	644	9fa02c91e708fe7312eef8b8227639df688645ca4217015ed4365d33bd66f942.exe	78

C:\Users\Admin\AppData\Local\Temp\9fa02c91e708fe7312eef8b8227639df688645ca4217015ed4365d33bd66f942.exe
"C:\Users\Admin\AppData\Local\Temp\9fa02c91e708fe7312eef8b8227639df688645ca4217015ed4365d33bd66f942.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:644
- C:\Users\Admin\AppData\Local\Temp\ITS\wincsecb\264\Production\ITS SB App Switch.exe
  "C:\Users\Admin\AppData\Local\Temp\ITS\wincsecb\264\Production\ITS SB App Switch.exe"
  2⤵
  - Executes dropped EXE
  PID:3692
- C:\Users\Admin\AppData\Local\Temp\ITS\wincsecb\264\Production\ITS SB App Switch.exe
  "C:\Users\Admin\AppData\Local\Temp\ITS\wincsecb\264\Production\ITS SB App Switch.exe"
  2⤵
  - Executes dropped EXE
  PID:3340

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\ITS\wincsecb\264\Production\ITS SB App Switch.exe

Filesize
87KB

MD5
368332fca74f48697d842c5f4698ae1d

SHA1
0275153a1e62bd0eca0b02168895517ed66aac56

SHA256
3a4a5b128c3a042010824fd33b719466b0d9320aa051ca3d5f1690124766ad59

SHA512
fd9f1d1a4337e00fef5e9ea10a7fdf553e98df2cf2fdf818b68689a89de3c1d324de389e0c9ef863fef08a3dff8150db173b2203e9e92efaea67865e8d2805b5

Download Submit
memory/644-0-0x0000000000EB0000-0x0000000000F50000-memory.dmp

Filesize
640KB

Download
memory/644-14-0x0000000000EB0000-0x0000000000F50000-memory.dmp

Filesize
640KB

Download