13d8121844734f49d93956b30ffab57a220e5fe1345a0bcf89e4df9cd37ab4f4

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
21/05/2024, 11:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PizDec.exe
Size

237KB
MD5

6520885628fe337b8665099479cc1d4d
SHA1

09741f5c74b3525c31004c5bd19b0ecab835186d
SHA256

13d8121844734f49d93956b30ffab57a220e5fe1345a0bcf89e4df9cd37ab4f4
SHA512

235d7a2cd8751c7f128d6e6014f098f296d49bf1fca6e0c716e3330588f9ab0688a25ab44b02879411b6210f3febdfed35d9beb1ef5a18542578211fbdd9fe9c
SSDEEP

6144:+V28o+H+4OwpuhwDcp7qC4tOesrTPh350OthwqoS:+oAe4O9hwDct74tO7rTV50OgqoS

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1464-0-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral1/memory/1464-40-0x0000000000400000-0x000000000044D000-memory.dmp	upx

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	WScript.exe
File opened (read-only)	\??\L:	WScript.exe
File opened (read-only)	\??\M:	WScript.exe
File opened (read-only)	\??\O:	WScript.exe
File opened (read-only)	\??\T:	WScript.exe
File opened (read-only)	\??\U:	WScript.exe
File opened (read-only)	\??\V:	WScript.exe
File opened (read-only)	\??\E:	WScript.exe
File opened (read-only)	\??\P:	WScript.exe
File opened (read-only)	\??\R:	WScript.exe
File opened (read-only)	\??\X:	WScript.exe
File opened (read-only)	\??\Y:	WScript.exe
File opened (read-only)	\??\Z:	WScript.exe
File opened (read-only)	\??\A:	WScript.exe
File opened (read-only)	\??\G:	WScript.exe
File opened (read-only)	\??\N:	WScript.exe
File opened (read-only)	\??\Q:	WScript.exe
File opened (read-only)	\??\W:	WScript.exe
File opened (read-only)	\??\B:	WScript.exe
File opened (read-only)	\??\I:	WScript.exe
File opened (read-only)	\??\J:	WScript.exe
File opened (read-only)	\??\K:	WScript.exe
File opened (read-only)	\??\S:	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2576	WScript.exe
Token: SeIncBasePriorityPrivilege	2576	WScript.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1464 wrote to memory of 1780	1464	PizDec.exe	28
PID 1464 wrote to memory of 1780	1464	PizDec.exe	28
PID 1464 wrote to memory of 1780	1464	PizDec.exe	28
PID 1464 wrote to memory of 1780	1464	PizDec.exe	28
PID 1780 wrote to memory of 2576	1780	cmd.exe	30
PID 1780 wrote to memory of 2576	1780	cmd.exe	30
PID 1780 wrote to memory of 2576	1780	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\PizDec.exe
"C:\Users\Admin\AppData\Local\Temp\PizDec.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1464
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2980.tmp\2981.tmp\2982.bat C:\Users\Admin\AppData\Local\Temp\PizDec.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1780
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\6.VBS"
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2980.tmp\2981.tmp\2982.bat

Filesize
27B

MD5
c7da66cab92e95daf435dc74fa5ca35a

SHA1
924f2b0ebac4eac12c78b298697400a1b338a4c5

SHA256
4ab885b4b48037707771cc63658513d3d82a80cf97fbcdf4558e35bc3adc2b92

SHA512
28737deed8241b3c577cc6a2942287d5be0f9a45f9a902696ab733c78fe2bcd0d47d29d0efec6cca57de656472346170379c7d1ba60a5508c31f883674786787

Download Submit
C:\Users\Admin\AppData\Roaming\6.VBS

Filesize
115B

MD5
9e242f8f35222db7713bf96248c7434c

SHA1
a66a0c27eca4aa325bc3dc8d907837180bcbd1b3

SHA256
5d173c4f51d33ea28ce3a5aa715bc7140f7bcc82c4b99fad2a2d3474c476c731

SHA512
4c4383df59bbbe7d5d86bc0f78b44afc68327789f5244f7cdf55f81889b6e74d008d0b94e6dfec66ac8394699919bc75a038b6c9c380fbe83161ad702b830b56

Download Submit
C:\Users\Admin\AppData\Roaming\piz.mp3

Filesize
198KB

MD5
71cf668f8ebbceda772022165b460ce3

SHA1
99febb0f4f9f388a4f9aeedd1530b50e0790500c

SHA256
321f25cb7284f1b11bea1dd0286efcce180a2ea15357acca7158d575840c3033

SHA512
bbc77a20f1a0a5355e82a40741ed50cc27fbbe97b4615c9f47644288275710ea288504fb97d14f786192bd6db54ba06ed61a3210a3571d988d026293aeb17a63

Download Submit
memory/1464-0-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1464-40-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2576-39-0x000007FEF60FC000-0x000007FEF6107000-memory.dmp

Filesize
44KB

Download
memory/2576-41-0x000007FEF60FC000-0x000007FEF6107000-memory.dmp

Filesize
44KB

Download
memory/2576-43-0x000007FEF60FC000-0x000007FEF6107000-memory.dmp

Filesize
44KB

Download