56d22cc932d627e70cea7744e54477c23a380e19448712acd3d1abe649ba96e5

Analysis

max time kernel
120s
max time network
126s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19/07/2024, 21:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

11e803cca66b3dd85f204ef5df049240N.exe
Size

61KB
MD5

11e803cca66b3dd85f204ef5df049240
SHA1

77b88993b900bd023093becf5057833afc7dcda2
SHA256

56d22cc932d627e70cea7744e54477c23a380e19448712acd3d1abe649ba96e5
SHA512

6d5f007e41173cfe35e0c8c56b7aee07f4131fe87d46efbf1b88ccddab77be2504c485b4835d33ddc9c90d91627da5a739aba458374ae52ac58fd933bec61521
SSDEEP

1536:rg2j6bIGspbnBzssXeP3O9HLyMphMswyuyzVAGeOB:N6MLpbBosXePe9HWMJlum0Y

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2264	Systeamoifjc.exe

Executes dropped EXE 1 IoCs

pid	Process
2264	Systeamoifjc.exe

Loads dropped DLL 2 IoCs

pid	Process
2220	11e803cca66b3dd85f204ef5df049240N.exe
2220	11e803cca66b3dd85f204ef5df049240N.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2220-0-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/files/0x0009000000016d66-6.dat	upx
behavioral1/memory/2264-15-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2220-17-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2264-19-0x0000000000400000-0x0000000000458000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 63 IoCs

pid	Process
2220	11e803cca66b3dd85f204ef5df049240N.exe
2220	11e803cca66b3dd85f204ef5df049240N.exe
2220	11e803cca66b3dd85f204ef5df049240N.exe
2220	11e803cca66b3dd85f204ef5df049240N.exe
2220	11e803cca66b3dd85f204ef5df049240N.exe
2220	11e803cca66b3dd85f204ef5df049240N.exe
2264	Systeamoifjc.exe
2264	Systeamoifjc.exe
2264	Systeamoifjc.exe
2264	Systeamoifjc.exe
2264	Systeamoifjc.exe
2264	Systeamoifjc.exe
2264	Systeamoifjc.exe
2264	Systeamoifjc.exe
2264	Systeamoifjc.exe
2264	Systeamoifjc.exe
2264	Systeamoifjc.exe
2264	Systeamoifjc.exe
2264	Systeamoifjc.exe
2264	Systeamoifjc.exe
2264	Systeamoifjc.exe
2264	Systeamoifjc.exe
2264	Systeamoifjc.exe
2264	Systeamoifjc.exe
2264	Systeamoifjc.exe
2264	Systeamoifjc.exe
2264	Systeamoifjc.exe
2264	Systeamoifjc.exe
2264	Systeamoifjc.exe
2264	Systeamoifjc.exe
2264	Systeamoifjc.exe
2264	Systeamoifjc.exe
2264	Systeamoifjc.exe
2264	Systeamoifjc.exe
2264	Systeamoifjc.exe
2264	Systeamoifjc.exe
2264	Systeamoifjc.exe
2264	Systeamoifjc.exe
2264	Systeamoifjc.exe
2264	Systeamoifjc.exe
2264	Systeamoifjc.exe
2264	Systeamoifjc.exe
2264	Systeamoifjc.exe
2264	Systeamoifjc.exe
2264	Systeamoifjc.exe
2264	Systeamoifjc.exe
2264	Systeamoifjc.exe
2264	Systeamoifjc.exe
2264	Systeamoifjc.exe
2264	Systeamoifjc.exe
2264	Systeamoifjc.exe
2264	Systeamoifjc.exe
2264	Systeamoifjc.exe
2264	Systeamoifjc.exe
2264	Systeamoifjc.exe
2264	Systeamoifjc.exe
2264	Systeamoifjc.exe
2264	Systeamoifjc.exe
2264	Systeamoifjc.exe
2264	Systeamoifjc.exe
2264	Systeamoifjc.exe
2264	Systeamoifjc.exe
2264	Systeamoifjc.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2264	2220	11e803cca66b3dd85f204ef5df049240N.exe	30
PID 2220 wrote to memory of 2264	2220	11e803cca66b3dd85f204ef5df049240N.exe	30
PID 2220 wrote to memory of 2264	2220	11e803cca66b3dd85f204ef5df049240N.exe	30
PID 2220 wrote to memory of 2264	2220	11e803cca66b3dd85f204ef5df049240N.exe	30

C:\Users\Admin\AppData\Local\Temp\11e803cca66b3dd85f204ef5df049240N.exe
"C:\Users\Admin\AppData\Local\Temp\11e803cca66b3dd85f204ef5df049240N.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Users\Admin\AppData\Local\Temp\Systeamoifjc.exe
  "C:\Users\Admin\AppData\Local\Temp\Systeamoifjc.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cpath.ini

Filesize
71B

MD5
7e1c3aa48c974173840d0228647135bb

SHA1
f5c8d7c4ae8ae901e832a85797ac53eeee367813

SHA256
511258426481d684b2a175a48f63bc9cd4d4a18994c56329254f6bc7e5836b6e

SHA512
e35d40014422d98b06af22d8f6a1cc3806d620718d8229964ad71521366097b231e40f46a7d7c21ad971163b2c61dab49230013d47df98ce9f9ce56f99b5ab84

Download Submit
\Users\Admin\AppData\Local\Temp\Systeamoifjc.exe

Filesize
61KB

MD5
cfee8b284200a5af52870808ba363295

SHA1
e755593b72caf35773106808b03b109e087900ce

SHA256
b7c1ed91391a5e5b27e3d82ffa017348dc364f83b4011a165b62760c9e103884

SHA512
a5e5d275070ef049870eb8fb4b59a0c7550f72e15bbbc01c592352fef8dfc4b1d6e0e9622ccb079c00a3a8e79acf291bb1e43e4c5a1045213bf55ec1c684a908

Download Submit
memory/2220-0-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2220-14-0x0000000002940000-0x0000000002998000-memory.dmp

Filesize
352KB

Download
memory/2220-13-0x0000000002940000-0x0000000002998000-memory.dmp

Filesize
352KB

Download
memory/2220-17-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2264-15-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2264-19-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download