b16d9ffa9b1ef742c7e1f9695e967f293b0b0568f074a4e15cb82174cb7b7f21

Analysis

max time kernel
15s
max time network
17s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
15/07/2024, 04:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

80763046c110aad8ee4f2158178ff050N.exe
Size

91KB
MD5

80763046c110aad8ee4f2158178ff050
SHA1

9af107cb7cc6daa1a473300c1139991ed4e2ce98
SHA256

b16d9ffa9b1ef742c7e1f9695e967f293b0b0568f074a4e15cb82174cb7b7f21
SHA512

dd5d0dbd0d280896773783eb1e7e5b9c3caccddfec6edcae9cb3fa0974e1d49a5b7f3f3c409b4fac10763dff2ddde28a48fdc70ac2bcacb0c2651ebf011f8f39
SSDEEP

1536:BAlTDSgw2+adjGAlWcNVbS7trdO7cK4q5miGwKU+Z6d/YVlnot7ma:BwTBV5xvXe7trdO7cpQGwxRdilg

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2732	cmd.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2188-0-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/2188-1-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/2188-2-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/2188-5-0x0000000000400000-0x000000000046E000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2732	2188	80763046c110aad8ee4f2158178ff050N.exe	30
PID 2188 wrote to memory of 2732	2188	80763046c110aad8ee4f2158178ff050N.exe	30
PID 2188 wrote to memory of 2732	2188	80763046c110aad8ee4f2158178ff050N.exe	30
PID 2188 wrote to memory of 2732	2188	80763046c110aad8ee4f2158178ff050N.exe	30

C:\Users\Admin\AppData\Local\Temp\80763046c110aad8ee4f2158178ff050N.exe
"C:\Users\Admin\AppData\Local\Temp\80763046c110aad8ee4f2158178ff050N.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\a..bat" > nul 2> nul
  2⤵
  - Deletes itself
  PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a..bat

Filesize
212B

MD5
53f271878d89a21c9e08d6406db0cb34

SHA1
aa913f52c67ee588c78991850edc4f171f1a07bc

SHA256
9d1c3e8ae8e4cb559f8d7e65bc8e873297075c85838254a210bf580677d5f1bd

SHA512
69afad757103610dfc71ce27791b90df085b533b5d51cdcbe3de9554aa5bfe8ee9eb95b9fd4abab872a57756fdf4d8f97d35c99e255cc40c970bd3419e51b982

Download Submit
memory/2188-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2188-1-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2188-2-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2188-5-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download