c13c0f88d69f72c9bce3f695c5f3614a0b920d516e2c3c70be297c1688fd141b

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
02/05/2024, 03:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c13c0f88d69f72c9bce3f695c5f3614a0b920d516e2c3c70be297c1688fd141b.exe
Size

2.4MB
MD5

8a7b8ad4b528f2eee93ca9b2fac2515d
SHA1

d9f0e15be8a8672b08f99a5ded01ad774ff7d24f
SHA256

c13c0f88d69f72c9bce3f695c5f3614a0b920d516e2c3c70be297c1688fd141b
SHA512

ac0c85423063df63f548a3db62a5bfd8b22d3350e0e58a2f2d17321326e8c3df3d1088ba19a4ce57b2544a7f8f00a0a09f2ae86a4eb0fecfbe908276c62aae0d
SSDEEP

49152:JMDRZ9IBVL+s0ezJGd80SHMsThF35Hj1Bzudu:JMDtIXLr06AdfEThF35Pzuk

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2696	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2448	c13c0f88d69f72c9bce3f695c5f3614a0b920d516e2c3c70be297c1688fd141b.exe

Loads dropped DLL 1 IoCs

pid	Process
2696	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2596	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2760	timeout.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 3020	2128	c13c0f88d69f72c9bce3f695c5f3614a0b920d516e2c3c70be297c1688fd141b.exe	28
PID 2128 wrote to memory of 3020	2128	c13c0f88d69f72c9bce3f695c5f3614a0b920d516e2c3c70be297c1688fd141b.exe	28
PID 2128 wrote to memory of 3020	2128	c13c0f88d69f72c9bce3f695c5f3614a0b920d516e2c3c70be297c1688fd141b.exe	28
PID 2128 wrote to memory of 3020	2128	c13c0f88d69f72c9bce3f695c5f3614a0b920d516e2c3c70be297c1688fd141b.exe	28
PID 3020 wrote to memory of 2032	3020	cmd.exe	30
PID 3020 wrote to memory of 2032	3020	cmd.exe	30
PID 3020 wrote to memory of 2032	3020	cmd.exe	30
PID 3020 wrote to memory of 2032	3020	cmd.exe	30
PID 2128 wrote to memory of 2696	2128	c13c0f88d69f72c9bce3f695c5f3614a0b920d516e2c3c70be297c1688fd141b.exe	31
PID 2128 wrote to memory of 2696	2128	c13c0f88d69f72c9bce3f695c5f3614a0b920d516e2c3c70be297c1688fd141b.exe	31
PID 2128 wrote to memory of 2696	2128	c13c0f88d69f72c9bce3f695c5f3614a0b920d516e2c3c70be297c1688fd141b.exe	31
PID 2128 wrote to memory of 2696	2128	c13c0f88d69f72c9bce3f695c5f3614a0b920d516e2c3c70be297c1688fd141b.exe	31
PID 2696 wrote to memory of 2680	2696	cmd.exe	33
PID 2696 wrote to memory of 2680	2696	cmd.exe	33
PID 2696 wrote to memory of 2680	2696	cmd.exe	33
PID 2696 wrote to memory of 2680	2696	cmd.exe	33
PID 3020 wrote to memory of 2596	3020	cmd.exe	34
PID 3020 wrote to memory of 2596	3020	cmd.exe	34
PID 3020 wrote to memory of 2596	3020	cmd.exe	34
PID 3020 wrote to memory of 2596	3020	cmd.exe	34
PID 2696 wrote to memory of 2448	2696	cmd.exe	35
PID 2696 wrote to memory of 2448	2696	cmd.exe	35
PID 2696 wrote to memory of 2448	2696	cmd.exe	35
PID 2696 wrote to memory of 2448	2696	cmd.exe	35
PID 2696 wrote to memory of 2760	2696	cmd.exe	36
PID 2696 wrote to memory of 2760	2696	cmd.exe	36
PID 2696 wrote to memory of 2760	2696	cmd.exe	36
PID 2696 wrote to memory of 2760	2696	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\c13c0f88d69f72c9bce3f695c5f3614a0b920d516e2c3c70be297c1688fd141b.exe
"C:\Users\Admin\AppData\Local\Temp\c13c0f88d69f72c9bce3f695c5f3614a0b920d516e2c3c70be297c1688fd141b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\zbe20245231258336.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Windows\SysWOW64\schtasks.exe
    Schtasks.Exe /delete /tn "Maintenance" /f
    3⤵
    PID:2032
- - C:\Windows\SysWOW64\schtasks.exe
    Schtasks.Exe /create /tn "Maintenance" /xml "C:\Users\Admin\AppData\Local\Temp\zx20245231258336.xml"
    3⤵
    - Creates scheduled task(s)
    PID:2596
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\zb20245231258336.bat" "
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\SysWOW64\chcp.com
    chcp 1251
    3⤵
    PID:2680
- - C:\Users\Admin\AppData\Local\Temp\c13c0f88d69f72c9bce3f695c5f3614a0b920d516e2c3c70be297c1688fd141b.exe
    "C:\Users\Admin\AppData\Local\Temp\c13c0f88d69f72c9bce3f695c5f3614a0b920d516e2c3c70be297c1688fd141b.exe"
    3⤵
    - Executes dropped EXE
    PID:2448
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 3 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\zb20245231258336.bat

Filesize
752B

MD5
dca4dbc2af3439c0fb94729a2aabaf4f

SHA1
abd930da4bdde39974d03e847eb7fb207b2dd171

SHA256
91288bbb2b0427ee47c8b28995df56e4a3b34bdc6599f33d0b45c2e5dde92601

SHA512
23700161d33698b09f23a1a7db51de3d07483ad69136e216becd68cd33392be6e9f26738995145e607ec81beb7a5ea11dd4fe03cf8e07158ab418d3035d072a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\zbe20245231258336.bat

Filesize
322B

MD5
c0a293198977a927f377555aef6f54c0

SHA1
153ca3a9a74cceebe185bb13c28b28b590ffa603

SHA256
cd06d606bc005c4ea96a0ca3daadc189e16320c60dbeb79d74da981915ccf23e

SHA512
e8a10278a25c43a422589f0e8c4234b9a6b046266583ef5b38c900f633e0af4d43ef2cf0b74142e30e6a56ed74c3af5962df7cd6dfc3eb2746afe0ec1c62dead

Download Submit
C:\Users\Admin\AppData\Local\Temp\ze20245231258336.tmp

Filesize
2.1MB

MD5
a068280a4398e466390f79eb2bbcc4ee

SHA1
bc66e06200d1ed384797303842dbac68aed206fc

SHA256
8a77a81934fd75f51335d067df26450f3abbdf4251530bcbed61d1805a622ce4

SHA512
91322036fd7930000eb0347d7024dfd479cbc4f3c2e9ddc322a5e21ae2c9796abd03b22f496dbdd5d0ab290374504fb128f8addf827b1b0f9925fb29a4a85b9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zx20245231258336.xml

Filesize
1KB

MD5
cdd7f67a650eb01968a541900bd09a9a

SHA1
6a8a34da4690316b4b68ae1d69789a18dab1d4d5

SHA256
07bbe85dd294425bc3510adfe7ef0a6d570ee0a024307e9806cb8b362e29a2cb

SHA512
3b182a3a0a5774e22b2eca9cb428f13a10e99a1657b99c1a3863a4fe0ac85a66f71df8d20a2996dc2d45b52d5305c7de11b5ff9d65ab707520b3df433d17ede4

Download Submit
\Users\Admin\AppData\Local\Temp\c13c0f88d69f72c9bce3f695c5f3614a0b920d516e2c3c70be297c1688fd141b.exe

Filesize
384KB

MD5
4fd8599e74c8a1426c067cec9ca62644

SHA1
9b5d9929dca9e1b28b4d5615a7d49666ab7cef46

SHA256
f759ae5d7ad5247cc2d9edd27a8c3798dd9ae87c443ef7b11e992848bb228ec2

SHA512
8ba54fc1540d438b5546dc4f531e0ebee881ca29bc1c13beff390d13574bc1f84726ad1192cc12a988d457683f684b7d072761a94bf41aa621138ea6cbbb84fb

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads