a4e10fe06bb5202f8b07f3264adf23bd3d3825e214fef6b096adbe5d6a530e91

Analysis

max time kernel
140s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
21/07/2024, 21:59

Target

xiezai.exe
Size

40KB
MD5

1896b0d7caae95ccffc41e8fab6ae088
SHA1

44850e98a146be40086eed7aa71b352b2f67354d
SHA256

8f797add4e857820016f6fff5b8d99d6b95a48ce6225a963a7dcbaa5fd3bf0e4
SHA512

c543cfe89a02379758d524fa24b846b55435414484c037a3291dc8850ef88881eae59569ed94b40df838bb5adb7676cc46b39a71e455e2f5a1d35bc5fa8e3de2
SSDEEP

768:3PH4rKS4GDkQBZ3ImWlTtEIRlJ+qFZ2bSgJzANqM3wJJNnRvOX+C/////2XRL:3f4exGDkeZ4mOoSgJEAJJhod/////2Xh

Score

7^/10

Deletes itself 1 IoCs

pid	Process
2764	Au_.exe

Executes dropped EXE 1 IoCs

pid	Process
2764	Au_.exe

Loads dropped DLL 1 IoCs

pid	Process
2764	Au_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral24/files/0x0007000000023535-3.dat	nsis_installer_1
behavioral24/files/0x0007000000023535-3.dat	nsis_installer_2

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2764	Au_.exe
2764	Au_.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4248 wrote to memory of 2764	4248	xiezai.exe	84
PID 4248 wrote to memory of 2764	4248	xiezai.exe	84
PID 4248 wrote to memory of 2764	4248	xiezai.exe	84

C:\Users\Admin\AppData\Local\Temp\xiezai.exe
"C:\Users\Admin\AppData\Local\Temp\xiezai.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4248
- C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:2764

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\nsyB631.tmp\FindProcDLL.dll

Filesize
3KB

MD5
8614c450637267afacad1645e23ba24a

SHA1
e7b7b09b5bbc13e910aa36316d9cc5fc5d4dcdc2

SHA256
0fa04f06a6de18d316832086891e9c23ae606d7784d5d5676385839b21ca2758

SHA512
af46cd679097584ff9a1d894a729b6397f4b3af17dff3e6f07bef257bc7e48ffa341d82daf298616cd5df1450fc5ab7435cacb70f27302b6db193f01a9f8391b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
40KB

MD5
1896b0d7caae95ccffc41e8fab6ae088

SHA1
44850e98a146be40086eed7aa71b352b2f67354d

SHA256
8f797add4e857820016f6fff5b8d99d6b95a48ce6225a963a7dcbaa5fd3bf0e4

SHA512
c543cfe89a02379758d524fa24b846b55435414484c037a3291dc8850ef88881eae59569ed94b40df838bb5adb7676cc46b39a71e455e2f5a1d35bc5fa8e3de2

Download Submit
memory/2764-10-0x0000000010000000-0x0000000010003000-memory.dmp

Filesize
12KB

Download