0113d751d6fae6c2bd30212658ced172a5196ba6e95d14dc653042292febef8c

Analysis

max time kernel
13s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
21/07/2024, 07:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

85c739a75f0bab15342d19de2b8420d0N.exe
Size

36KB
MD5

85c739a75f0bab15342d19de2b8420d0
SHA1

238993d4b5a6e687e2de92ad130bbe3948913129
SHA256

0113d751d6fae6c2bd30212658ced172a5196ba6e95d14dc653042292febef8c
SHA512

fded27abb8b218acff0d9c1fe3b73c743c3945a3d0ea5c29fa8f4116aea225a066f98ccd671103d94ce205569dfe2d52a375fa05567066ab433b9c7ac5ec5117
SSDEEP

768:Jmao9Gg4IZq1B6GnbcuyD7Uvu5RRYTnmeyZHJf0qW46DgGTrj9qWHx3SU:+Gg1c1QGnouy8vu5nYjmLJJcfpj9qWHE

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1648	48A4.tmp

Loads dropped DLL 2 IoCs

pid	Process
2552	85c739a75f0bab15342d19de2b8420d0N.exe
2552	85c739a75f0bab15342d19de2b8420d0N.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2552-0-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/2552-52-0x0000000000400000-0x0000000000418000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 1648	2552	85c739a75f0bab15342d19de2b8420d0N.exe	29
PID 2552 wrote to memory of 1648	2552	85c739a75f0bab15342d19de2b8420d0N.exe	29
PID 2552 wrote to memory of 1648	2552	85c739a75f0bab15342d19de2b8420d0N.exe	29
PID 2552 wrote to memory of 1648	2552	85c739a75f0bab15342d19de2b8420d0N.exe	29
PID 1648 wrote to memory of 2992	1648	48A4.tmp	30
PID 1648 wrote to memory of 2992	1648	48A4.tmp	30
PID 1648 wrote to memory of 2992	1648	48A4.tmp	30
PID 1648 wrote to memory of 2992	1648	48A4.tmp	30
PID 1648 wrote to memory of 2872	1648	48A4.tmp	32
PID 1648 wrote to memory of 2872	1648	48A4.tmp	32
PID 1648 wrote to memory of 2872	1648	48A4.tmp	32
PID 1648 wrote to memory of 2872	1648	48A4.tmp	32

C:\Users\Admin\AppData\Local\Temp\85c739a75f0bab15342d19de2b8420d0N.exe
"C:\Users\Admin\AppData\Local\Temp\85c739a75f0bab15342d19de2b8420d0N.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Users\Admin\AppData\Local\Temp\48A4.tmp
  C:\Users\Admin\AppData\Local\Temp\48A4.tmp C:\Users\Admin\AppData\Local\Temp
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1648
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpfile0.bat" "
    3⤵
    PID:2992
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpfile0.bat" "
    3⤵
    PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\48A4.tmp

Filesize
13KB

MD5
c798b425570b6b375bee7a6898197e99

SHA1
ac53c57da4bd29bf0595bc6458204d307ad6a2de

SHA256
2cd3df9fd104d21ddfb298cb008410369ba0827d71f046f4d0abc0306ba34662

SHA512
7c1c7ace9b777df5f937daba3f2e043044db75d767d2ca8999668cb0fb0c1a7c8e98d1af024e12b7243225f38a95040427764348ee58a23c63a2696398adf3e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpfile0.bat

Filesize
191B

MD5
63224d4cf6405631b7bb89f67ab217a6

SHA1
b958e549efffb0aca78e758f2e48544da9e55845

SHA256
9105e418064105d75671f37341195c33feeb8ae9b45cffd949453ec27761b1ad

SHA512
608d1a7478c974205fa6a5b54ac6eb29384203dd73e06417bf92048b63d5fbc76f706f5f88d1690264c7c9ac7021fb475ceacb0f5098a6bcd331e75bdd5cae96

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpfile0.bat

Filesize
104B

MD5
2d5c4250c2b4ca7e73bfc96370886e13

SHA1
afdf4f1172dba4ebe72a65de791f09de0655cc6b

SHA256
79a24b93b52242f480801815d26db13af9a691b250778b07e00a156d7a0303db

SHA512
be72c4a60f90177bcb41c21d02bb84405895e5acda94c2e3f5c404f2cd0c4ec86bc82f8631f48b47e003e2990540b78b66f58d907caccf21e781dbddb6e68b3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpfile0.tmp

Filesize
14B

MD5
ce585c6ba32ac17652d2345118536f9c

SHA1
be0e41b3690c42e4c0cdb53d53fc544fb46b758d

SHA256
589c942e748ea16dc86923c4391092707ce22315eb01cb85b0988c6762aa0ed3

SHA512
d397eda475d6853ce5cc28887690ddd5f8891be43767cdb666396580687f901fb6f0cc572afa18bde1468a77e8397812009c954f386c8f69cc0678e1253d5752

Download Submit
memory/1648-50-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2552-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2552-9-0x00000000001E0000-0x00000000001E7000-memory.dmp

Filesize
28KB

Download
memory/2552-4-0x00000000001E0000-0x00000000001E7000-memory.dmp

Filesize
28KB

Download
memory/2552-52-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2992-32-0x00000000020F0000-0x00000000020F1000-memory.dmp

Filesize
4KB

Download