aa1112eb3342e027570a37eed64abd8c4f8ea4416085f2112d90d0987a127808

Analysis

max time kernel
147s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
04-05-2024 01:54

Target

aa1112eb3342e027570a37eed64abd8c4f8ea4416085f2112d90d0987a127808.exe
Size

266KB
MD5

8de955bb6305ba547d8dacd51e8f4b3c
SHA1

2a9951873cbb247e16b0a5cff3ac131890157586
SHA256

aa1112eb3342e027570a37eed64abd8c4f8ea4416085f2112d90d0987a127808
SHA512

d7a9db8b9d12f1ac89e70e8a9871a6acd8a592fb2dfc357171be339ab813351a9f09638a50f6f8a3ea6622b3c19f7991473738445fd8b1666e986c94fbb41643
SSDEEP

3072:7NXEGZJWhfNFC4S60+XoLczrVmXHNgglZwHjS+/fbC8DcGsmH01ne4PK:BXzKdNY49u8rV8HsjLHu8DcGd01net

Score

7^/10

upx

Executes dropped EXE 2 IoCs

pid	Process
2104	ITS SB App Switch.exe
4676	ITS SB App Switch.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/memory/3580-0-0x0000000000770000-0x0000000000810000-memory.dmp	upx
behavioral2/memory/3580-14-0x0000000000770000-0x0000000000810000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3580 wrote to memory of 2104	3580	aa1112eb3342e027570a37eed64abd8c4f8ea4416085f2112d90d0987a127808.exe	78
PID 3580 wrote to memory of 2104	3580	aa1112eb3342e027570a37eed64abd8c4f8ea4416085f2112d90d0987a127808.exe	78
PID 3580 wrote to memory of 2104	3580	aa1112eb3342e027570a37eed64abd8c4f8ea4416085f2112d90d0987a127808.exe	78
PID 3580 wrote to memory of 4676	3580	aa1112eb3342e027570a37eed64abd8c4f8ea4416085f2112d90d0987a127808.exe	79
PID 3580 wrote to memory of 4676	3580	aa1112eb3342e027570a37eed64abd8c4f8ea4416085f2112d90d0987a127808.exe	79
PID 3580 wrote to memory of 4676	3580	aa1112eb3342e027570a37eed64abd8c4f8ea4416085f2112d90d0987a127808.exe	79

C:\Users\Admin\AppData\Local\Temp\aa1112eb3342e027570a37eed64abd8c4f8ea4416085f2112d90d0987a127808.exe
"C:\Users\Admin\AppData\Local\Temp\aa1112eb3342e027570a37eed64abd8c4f8ea4416085f2112d90d0987a127808.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3580
- C:\Users\Admin\AppData\Local\Temp\ITS\wincsecb\264\Production\ITS SB App Switch.exe
  "C:\Users\Admin\AppData\Local\Temp\ITS\wincsecb\264\Production\ITS SB App Switch.exe"
  2⤵
  - Executes dropped EXE
  PID:2104
- C:\Users\Admin\AppData\Local\Temp\ITS\wincsecb\264\Production\ITS SB App Switch.exe
  "C:\Users\Admin\AppData\Local\Temp\ITS\wincsecb\264\Production\ITS SB App Switch.exe"
  2⤵
  - Executes dropped EXE
  PID:4676

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\ITS\wincsecb\264\Production\ITS SB App Switch.exe

Filesize
87KB

MD5
368332fca74f48697d842c5f4698ae1d

SHA1
0275153a1e62bd0eca0b02168895517ed66aac56

SHA256
3a4a5b128c3a042010824fd33b719466b0d9320aa051ca3d5f1690124766ad59

SHA512
fd9f1d1a4337e00fef5e9ea10a7fdf553e98df2cf2fdf818b68689a89de3c1d324de389e0c9ef863fef08a3dff8150db173b2203e9e92efaea67865e8d2805b5

Download Submit
memory/3580-0-0x0000000000770000-0x0000000000810000-memory.dmp

Filesize
640KB

Download
memory/3580-14-0x0000000000770000-0x0000000000810000-memory.dmp

Filesize
640KB

Download