48ca527e1c3535cdf59d3efb4372b2a9ecb72b2ace91afc553f57765032dc322

Analysis

max time kernel
127s
max time network
128s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
04/07/2024, 10:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

48ca527e1c3535cdf59d3efb4372b2a9ecb72b2ace91afc553f57765032dc322.exe
Size

423KB
MD5

824fd3d70a605fe38823542e6bdb1c80
SHA1

e933bc3ce41c8870c9448634c8df5ed17900d05f
SHA256

48ca527e1c3535cdf59d3efb4372b2a9ecb72b2ace91afc553f57765032dc322
SHA512

70a493fafd28ee9765df9801a5913d79875fd9ec8e68716519c36a9779e9aa36f0c885c1eef86a1fa6c1b82658c002516833518960263a0d79d88b55c3aa1121
SSDEEP

6144:2lrEttaPB724vPDvhO39nidOvM+EtR07Fs3qQLyjjz2h7lkeh1+sJK8lEquUcmt:2GDaV2iA39niHtFLA2h/+sDltb

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2400	LSM.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2644	schtasks.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 2444	2924	48ca527e1c3535cdf59d3efb4372b2a9ecb72b2ace91afc553f57765032dc322.exe	29
PID 2924 wrote to memory of 2444	2924	48ca527e1c3535cdf59d3efb4372b2a9ecb72b2ace91afc553f57765032dc322.exe	29
PID 2924 wrote to memory of 2444	2924	48ca527e1c3535cdf59d3efb4372b2a9ecb72b2ace91afc553f57765032dc322.exe	29
PID 2924 wrote to memory of 2444	2924	48ca527e1c3535cdf59d3efb4372b2a9ecb72b2ace91afc553f57765032dc322.exe	29
PID 2444 wrote to memory of 2644	2444	cmd.exe	31
PID 2444 wrote to memory of 2644	2444	cmd.exe	31
PID 2444 wrote to memory of 2644	2444	cmd.exe	31
PID 2444 wrote to memory of 2644	2444	cmd.exe	31
PID 624 wrote to memory of 2400	624	taskeng.exe	35
PID 624 wrote to memory of 2400	624	taskeng.exe	35
PID 624 wrote to memory of 2400	624	taskeng.exe	35
PID 624 wrote to memory of 2400	624	taskeng.exe	35

C:\Users\Admin\AppData\Local\Temp\48ca527e1c3535cdf59d3efb4372b2a9ecb72b2ace91afc553f57765032dc322.exe
"C:\Users\Admin\AppData\Local\Temp\48ca527e1c3535cdf59d3efb4372b2a9ecb72b2ace91afc553f57765032dc322.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C schtasks /create /F /sc minute /mo 1 /tn "LSM" /tr "C:\Users\Admin\AppData\Local\LSM.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2444
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /F /sc minute /mo 1 /tn "LSM" /tr "C:\Users\Admin\AppData\Local\LSM.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2644

C:\Windows\system32\taskeng.exe
taskeng.exe {E305038A-EDDD-4A10-BAF7-F1CFDA4BC762} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:624
- C:\Users\Admin\AppData\Local\LSM.exe
  C:\Users\Admin\AppData\Local\LSM.exe
  2⤵
  - Executes dropped EXE
  PID:2400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\LSM.exe

Filesize
423KB

MD5
5b48245f4ce6b3ce1e9280f2f6e5722d

SHA1
62cce64d43fc4703882b020cbaece2b673b1c054

SHA256
58e51cef6db5b4dad541fd2d3924dc822b6fbbf56dca821f9337731480e01ae2

SHA512
19457d25202773e9a37accee71fe70a8043977225a34af7686ba1372fe4d16f86eaa96163af48892191a989fdbf82ce86ef150bf988487c181ac274a32d0a7f8

Download Submit
C:\Users\Admin\AppData\Local\sytemp.temp

Filesize
846KB

MD5
254b1d15ed86fb78ae4efbf6abadad31

SHA1
be48a7566225fa013ddbd4ac18b98ead67aba798

SHA256
951464a26054659360b539ba250408d5796bf91d99de40251c9416d32375e44b

SHA512
b264a9e04fbd7b66fc172c94286b1a406531c66ac76115912bc2eeb5d04c27041bc5623005be0f89689ece53941b85fa903aa120f189c9d59a91251ee47535c3

Download Submit
memory/2924-0-0x0000000074371000-0x0000000074372000-memory.dmp

Filesize
4KB

Download
memory/2924-1-0x0000000074370000-0x000000007491B000-memory.dmp

Filesize
5.7MB

Download
memory/2924-2-0x0000000074370000-0x000000007491B000-memory.dmp

Filesize
5.7MB

Download
memory/2924-3-0x0000000074370000-0x000000007491B000-memory.dmp

Filesize
5.7MB

Download
memory/2924-4-0x0000000074370000-0x000000007491B000-memory.dmp

Filesize
5.7MB

Download
memory/2924-8-0x0000000074370000-0x000000007491B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads