Overview

overview

5

Static

static

1

9a8b0ebe7b...12.zip

windows7-x64

5

9a8b0ebe7b...12.zip

windows10-2004-x64

1

Autoit3.exe

windows7-x64

3

Autoit3.exe

windows10-2004-x64

3

script.a3x

windows7-x64

3

script.a3x

windows10-2004-x64

3

Resubmissions

20-05-2024 05:05

240520-fq6lbade9v 10

20-05-2024 04:53

240520-fh1ebsdb7w 5

Analysis

  • max time kernel
    119s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
  • submitted
    20-05-2024 04:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9a8b0ebe7b18da6e638fdc9f7e1353c56a561419b12932aff6b0a42a7fe6ac12.zip

  • Size

    802KB

  • MD5

    96bb795d111717109fac22f8433c7e27

  • SHA1

    daf03c1faa4290b7f4eeec983110a8bd7858b834

  • SHA256

    9a8b0ebe7b18da6e638fdc9f7e1353c56a561419b12932aff6b0a42a7fe6ac12

  • SHA512

    cccf6b4736b6e33ec1bcd020d8f1fb67cc0a9e72a841a5dc7a2f81e62e54b20324bd0b5b1edcc5073becf12cc07584e77cef8c997fe4f4702d85b06ea488d988

  • SSDEEP

    24576:YIAjSP9123EtVDkL+zNRbMtv4J0RXTTwaK:YIF91BVIazHotC0RXTTwaK

Score
5/10
execution

Malware Config

Signatures

  • Command and Scripting Interpreter: AutoIT 1 TTPs 1 IoCs

    Using AutoIT for possible automate script.

    execution
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 40 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\9a8b0ebe7b18da6e638fdc9f7e1353c56a561419b12932aff6b0a42a7fe6ac12.zip
    1⤵
      PID:1680
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      1⤵
        PID:2132
      • C:\Users\Admin\Desktop\Autoit3.exe
        "C:\Users\Admin\Desktop\Autoit3.exe" C:\Users\Admin\Desktop\script.a3x
        1⤵
        • Command and Scripting Interpreter: AutoIT
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1832
        • \??\c:\windows\SysWOW64\cmd.exe
          "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\bakcbfd\cbhhfgb
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1544
          • C:\Windows\SysWOW64\Wbem\WMIC.exe
            wmic ComputerSystem get domain
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2596

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\bakcbfd\cbhhfgb
        Filesize

        54B

        MD5

        c8bbad190eaaa9755c8dfb1573984d81

        SHA1

        17ad91294403223fde66f687450545a2bad72af5

        SHA256

        7f136265128b7175fb67024a6ddd7524586b025725a878c07d76a9d8ad3dc2ac

        SHA512

        05f02cf90969b7b9a2de39eecdf810a1835325e7c83ffe81388c9866c6f79be6cdc8617f606a8fedc6affe6127bede4b143106a90289bbb9bf61d94c648059df

        Download Submit

      • memory/1832-1-0x0000000000310000-0x00000000003EF000-memory.dmp

        Filesize

        892KB

        Download