c49592a93ce658399c8fa79b256ce0a1c5b2ca5b4a36ff4f1ff7ab25139a6f87

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
02-05-2024 03:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c49592a93ce658399c8fa79b256ce0a1c5b2ca5b4a36ff4f1ff7ab25139a6f87.exe
Size

2.4MB
MD5

0f9cdf9b4c45d2b569900a85147b7f3c
SHA1

5930962185dad25382cfc6f65963b75c8c764c83
SHA256

c49592a93ce658399c8fa79b256ce0a1c5b2ca5b4a36ff4f1ff7ab25139a6f87
SHA512

62fa2af58bccfe9d60f7ee94ca07668975b72f5777f7133f9bd4ffe553e798d23237fb008707db12595c1c05d18416560d4669be5d73c46dc99e252d778c143e
SSDEEP

49152:IkRQ6DhMDRZ9IBVL+s0ezJGd80SHMsThF35Hj1Bzu9kRQ6DA:IkRQ6DhMDtIXLr06AdfEThF35Pzu9kRk

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2168	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2640	c49592a93ce658399c8fa79b256ce0a1c5b2ca5b4a36ff4f1ff7ab25139a6f87.exe

Loads dropped DLL 1 IoCs

pid	Process
2168	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2668	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2720	timeout.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 2936	1688	c49592a93ce658399c8fa79b256ce0a1c5b2ca5b4a36ff4f1ff7ab25139a6f87.exe	28
PID 1688 wrote to memory of 2936	1688	c49592a93ce658399c8fa79b256ce0a1c5b2ca5b4a36ff4f1ff7ab25139a6f87.exe	28
PID 1688 wrote to memory of 2936	1688	c49592a93ce658399c8fa79b256ce0a1c5b2ca5b4a36ff4f1ff7ab25139a6f87.exe	28
PID 1688 wrote to memory of 2936	1688	c49592a93ce658399c8fa79b256ce0a1c5b2ca5b4a36ff4f1ff7ab25139a6f87.exe	28
PID 1688 wrote to memory of 2168	1688	c49592a93ce658399c8fa79b256ce0a1c5b2ca5b4a36ff4f1ff7ab25139a6f87.exe	30
PID 1688 wrote to memory of 2168	1688	c49592a93ce658399c8fa79b256ce0a1c5b2ca5b4a36ff4f1ff7ab25139a6f87.exe	30
PID 1688 wrote to memory of 2168	1688	c49592a93ce658399c8fa79b256ce0a1c5b2ca5b4a36ff4f1ff7ab25139a6f87.exe	30
PID 1688 wrote to memory of 2168	1688	c49592a93ce658399c8fa79b256ce0a1c5b2ca5b4a36ff4f1ff7ab25139a6f87.exe	30
PID 2936 wrote to memory of 2792	2936	cmd.exe	31
PID 2936 wrote to memory of 2792	2936	cmd.exe	31
PID 2936 wrote to memory of 2792	2936	cmd.exe	31
PID 2936 wrote to memory of 2792	2936	cmd.exe	31
PID 2168 wrote to memory of 2652	2168	cmd.exe	33
PID 2168 wrote to memory of 2652	2168	cmd.exe	33
PID 2168 wrote to memory of 2652	2168	cmd.exe	33
PID 2168 wrote to memory of 2652	2168	cmd.exe	33
PID 2936 wrote to memory of 2668	2936	cmd.exe	34
PID 2936 wrote to memory of 2668	2936	cmd.exe	34
PID 2936 wrote to memory of 2668	2936	cmd.exe	34
PID 2936 wrote to memory of 2668	2936	cmd.exe	34
PID 2168 wrote to memory of 2640	2168	cmd.exe	35
PID 2168 wrote to memory of 2640	2168	cmd.exe	35
PID 2168 wrote to memory of 2640	2168	cmd.exe	35
PID 2168 wrote to memory of 2640	2168	cmd.exe	35
PID 2168 wrote to memory of 2720	2168	cmd.exe	36
PID 2168 wrote to memory of 2720	2168	cmd.exe	36
PID 2168 wrote to memory of 2720	2168	cmd.exe	36
PID 2168 wrote to memory of 2720	2168	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\c49592a93ce658399c8fa79b256ce0a1c5b2ca5b4a36ff4f1ff7ab25139a6f87.exe
"C:\Users\Admin\AppData\Local\Temp\c49592a93ce658399c8fa79b256ce0a1c5b2ca5b4a36ff4f1ff7ab25139a6f87.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\zbe20245232042328.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Windows\SysWOW64\schtasks.exe
    Schtasks.Exe /delete /tn "Maintenance" /f
    3⤵
    PID:2792
- - C:\Windows\SysWOW64\schtasks.exe
    Schtasks.Exe /create /tn "Maintenance" /xml "C:\Users\Admin\AppData\Local\Temp\zx20245232042328.xml"
    3⤵
    - Creates scheduled task(s)
    PID:2668
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\zb20245232042328.bat" "
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2168
- - C:\Windows\SysWOW64\chcp.com
    chcp 1251
    3⤵
    PID:2652
- - C:\Users\Admin\AppData\Local\Temp\c49592a93ce658399c8fa79b256ce0a1c5b2ca5b4a36ff4f1ff7ab25139a6f87.exe
    "C:\Users\Admin\AppData\Local\Temp\c49592a93ce658399c8fa79b256ce0a1c5b2ca5b4a36ff4f1ff7ab25139a6f87.exe"
    3⤵
    - Executes dropped EXE
    PID:2640
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 3 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\zb20245232042328.bat

Filesize
752B

MD5
bf3c20b46ec21758ad6355229b3c8588

SHA1
8f36e8978dc68b55eb858417d5b537243d611ddb

SHA256
5f003b43aaaec0bfce5c88d4364afa7ff3522c5d2b063dc3522e66d19bd096fe

SHA512
ac2976919aa514932be38f2bf1a496aebff98e1d9a84195a175279ff48081d7adb9410af625df2a07636e5be51aba632d5792d90af0da8c630c54122a99d732e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zbe20245232042328.bat

Filesize
322B

MD5
8603bb67dee210e9849ce49c2ed9fd09

SHA1
e7f7115cb4b292300252cea3743a965b0686a54b

SHA256
5ee7f2af61c3e9a401932cfe5f1d4a2639f1a1075242e692efb165ae57d1c63d

SHA512
3fe009c83e2b10570c8e23a135ee5d1b3e2e35e0161e02c5f58b44921ce33362e699642235fce7af69827ca0300cc07bf68f1655c8f8f4cc78abed3d21af7811

Download Submit
C:\Users\Admin\AppData\Local\Temp\ze20245232042328.tmp

Filesize
2.4MB

MD5
cc5162db0471aff164827f2efbf3dc8d

SHA1
7a30cf5037f3b12838a27474950cfd31fff01225

SHA256
144f522c501ed580d9281b235d63cbe1b6aad93193aa23fd1f492145ef2fcd3d

SHA512
9c6b47a80d9f886c500d8db100395101da69f552e48e4e0c3c7a29b254a2f4956567dc882d5c2aed855564ccd0561be67f2d23df392819f4df8bdd7b170baf6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zx20245232042328.xml

Filesize
1KB

MD5
cdd7f67a650eb01968a541900bd09a9a

SHA1
6a8a34da4690316b4b68ae1d69789a18dab1d4d5

SHA256
07bbe85dd294425bc3510adfe7ef0a6d570ee0a024307e9806cb8b362e29a2cb

SHA512
3b182a3a0a5774e22b2eca9cb428f13a10e99a1657b99c1a3863a4fe0ac85a66f71df8d20a2996dc2d45b52d5305c7de11b5ff9d65ab707520b3df433d17ede4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads