8ebef382d77abaa52c2060fa8963cdaac78a3b3fcb85f11cfdcbf37760c22d3f

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24/04/2024, 18:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ebef382d77abaa52c2060fa8963cdaac78a3b3fcb85f11cfdcbf37760c22d3f.exe
Size

168KB
MD5

102f54b2d2744314042fe8e0fa4423ce
SHA1

9f1f017e62ad610a61d70020320ee4d7d3c61583
SHA256

8ebef382d77abaa52c2060fa8963cdaac78a3b3fcb85f11cfdcbf37760c22d3f
SHA512

1d6e9cb32b37fd31b4108a14138c24e90d7502b652d592b47e03371a0c4c7263028edad291130a682845400bd39a6b1f98f366cc1a402276202b9d3e3a3f3dce
SSDEEP

1536:oxJXH2aHwM7saKGupZ1qG8DAR8bQykqQxuMZztsRoQPgY+5GesH:oxQM7VupZ1BGvBQxufR5

Score

9^/10

Malware Config

Signatures

Detects executables built or packed with MPress PE compressor 4 IoCs

resource	yara_rule
behavioral1/memory/2844-0-0x0000000000400000-0x0000000000429000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000b000000013a06-4.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2844-6-0x0000000002CB0000-0x0000000002CD9000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2376-13-0x0000000000400000-0x0000000000429000-memory.dmp	INDICATOR_EXE_Packed_MPress

Executes dropped EXE 1 IoCs

pid	Process
2376	lifikuri.exe

Loads dropped DLL 2 IoCs

pid	Process
2844	8ebef382d77abaa52c2060fa8963cdaac78a3b3fcb85f11cfdcbf37760c22d3f.exe
2844	8ebef382d77abaa52c2060fa8963cdaac78a3b3fcb85f11cfdcbf37760c22d3f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 2376	2844	8ebef382d77abaa52c2060fa8963cdaac78a3b3fcb85f11cfdcbf37760c22d3f.exe	28
PID 2844 wrote to memory of 2376	2844	8ebef382d77abaa52c2060fa8963cdaac78a3b3fcb85f11cfdcbf37760c22d3f.exe	28
PID 2844 wrote to memory of 2376	2844	8ebef382d77abaa52c2060fa8963cdaac78a3b3fcb85f11cfdcbf37760c22d3f.exe	28
PID 2844 wrote to memory of 2376	2844	8ebef382d77abaa52c2060fa8963cdaac78a3b3fcb85f11cfdcbf37760c22d3f.exe	28

C:\Users\Admin\AppData\Local\Temp\8ebef382d77abaa52c2060fa8963cdaac78a3b3fcb85f11cfdcbf37760c22d3f.exe
"C:\Users\Admin\AppData\Local\Temp\8ebef382d77abaa52c2060fa8963cdaac78a3b3fcb85f11cfdcbf37760c22d3f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Users\Admin\AppData\Local\Temp\lifikuri.exe
  "C:\Users\Admin\AppData\Local\Temp\lifikuri.exe"
  2⤵
  - Executes dropped EXE
  PID:2376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\lifikuri.exe

Filesize
168KB

MD5
6ef75c509bd8df1f73a9f6ce6691e0e7

SHA1
070d6667db91cd38eb44efd0244fe88a0a60bd7b

SHA256
ca306873b83aa3c67d4edfad5f7cf67a41e6b5df92a7517674bac512fc794755

SHA512
183441be2aba9d2eb50ce2b420036875589a39129029e5b4ba6f274f6cdddf93433c124b01e1b34e2d2a7a835cf207f89adf92c34c42d8858131105287f6b56f

Download Submit
memory/2376-13-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2376-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2844-0-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2844-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2844-6-0x0000000002CB0000-0x0000000002CD9000-memory.dmp

Filesize
164KB

Download