aa2bc6bdab3c1cd9cc94e92a00f2501ffd6bef384e69e605b9533ee4a9af2fcc

Resubmissions

25-12-2024 11:40

241225-ns1f3ssmct 10

20-06-2024 01:12

240620-bk1qnavdrk 10

01-06-2024 22:28

240601-2d43lsgh7s 10

Analysis

max time kernel
118s
max time network
126s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
01-06-2024 22:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Court Project V1.1/Court Project.exe
Size

75.3MB
MD5

237a78a3b4b36d749f0e46d26dbc965b
SHA1

f73af65ad456feb2bf5159161ff4b9ace5202598
SHA256

26cf8403cb6124796a98eb4644b3d75569bea2ba156456d0dd1b0b04ad3b3572
SHA512

7223a6692a131c47c7aade3a0ddd7a1fb3dbb420e824921b508565d7363185229d419e3df9e4dd3abf96200945ad076c592712fecf68f47b7e7d9105c59eac89
SSDEEP

1572864:ivFUQpjkuwSk8IpG7V+VPhqS0E7WZRjRH2PRQvS6f97PyhonB08yfXWulZvFVN:ivFUqA7SkB05awSgZRdW2S6f9jnB08Qd

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2332	PHONE LINK.EXE
2876	PHONE LINK.EXE
1196	Process not Found

Loads dropped DLL 4 IoCs

pid	Process
3068	Court Project.exe
2332	PHONE LINK.EXE
2876	PHONE LINK.EXE
1196	Process not Found

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral3/files/0x000400000001d388-1278.dat	upx
behavioral3/memory/2876-1280-0x000007FEF5B50000-0x000007FEF5FBE000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 2460	3068	Court Project.exe	28
PID 3068 wrote to memory of 2460	3068	Court Project.exe	28
PID 3068 wrote to memory of 2460	3068	Court Project.exe	28
PID 3068 wrote to memory of 2460	3068	Court Project.exe	28
PID 2460 wrote to memory of 2360	2460	cmd.exe	30
PID 2460 wrote to memory of 2360	2460	cmd.exe	30
PID 2460 wrote to memory of 2360	2460	cmd.exe	30
PID 2460 wrote to memory of 2360	2460	cmd.exe	30
PID 3068 wrote to memory of 2332	3068	Court Project.exe	31
PID 3068 wrote to memory of 2332	3068	Court Project.exe	31
PID 3068 wrote to memory of 2332	3068	Court Project.exe	31
PID 3068 wrote to memory of 2332	3068	Court Project.exe	31
PID 2332 wrote to memory of 2876	2332	PHONE LINK.EXE	32
PID 2332 wrote to memory of 2876	2332	PHONE LINK.EXE	32
PID 2332 wrote to memory of 2876	2332	PHONE LINK.EXE	32

C:\Users\Admin\AppData\Local\Temp\Court Project V1.1\Court Project.exe
"C:\Users\Admin\AppData\Local\Temp\Court Project V1.1\Court Project.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\COURT PROJECT.BAT" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    PID:2360
- C:\Users\Admin\AppData\Local\Temp\PHONE LINK.EXE
  "C:\Users\Admin\AppData\Local\Temp\PHONE LINK.EXE"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Users\Admin\AppData\Local\Temp\PHONE LINK.EXE
    "C:\Users\Admin\AppData\Local\Temp\PHONE LINK.EXE"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\COURT PROJECT.BAT

Filesize
2KB

MD5
4b79c671ac1da07985c8d8b4f18005f7

SHA1
ef81a3c16e46c18eecab45fa57a0dc3f42370bcc

SHA256
203a80db0214a96de01c1bed84170b507565397ecc5fae047b7d2a005a7e9511

SHA512
681238af8f8bf83ec8ad0a57f50af08f93bca7b01d0a3b7c7d4592375ff8bbae3ac1b617eb7ab2f4b7ae4fb3470ab0c3dee6840275747a1f1c42907e49f30710

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23322\python310.dll

Filesize
1.4MB

MD5
178a0f45fde7db40c238f1340a0c0ec0

SHA1
dcd2d3d14e06da3e8d7dc91a69b5fd785768b5fe

SHA256
9fcb5ad15bd33dd72122a171a5d950e8e47ceda09372f25df828010cde24b8ed

SHA512
4b790046787e57b9414a796838a026b1530f497a75c8e62d62b56f8c16a0cbedbefad3d4be957bc18379f64374d8d3bf62d3c64b53476c7c5005a7355acd2cee

Download Submit
memory/2876-1280-0x000007FEF5B50000-0x000007FEF5FBE000-memory.dmp

Filesize
4.4MB

Download