4197b1c37e1d7ccb4faeb4abf390d17010122f4254b9836a100c527f750c5f98

Analysis

max time kernel
14s
max time network
18s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09/09/2024, 22:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Impossible.exe
Size

9KB
MD5

8da1df08c3ab2e08c0bb87db588c66f6
SHA1

0f2f8b063681e177b76a6095b0bd8ce9ff2e22ae
SHA256

4197b1c37e1d7ccb4faeb4abf390d17010122f4254b9836a100c527f750c5f98
SHA512

91f4f81cd3620fd125a3f60ee7eacbd4d7ef875e94a6431edb20d9af6e5d6f2952760bd454cb5ce959fdab1046e2750fd23b1d9543a931ab721277eda91c4b0a
SSDEEP

192:go0m88aHVua5rD5sUiaFaNJhLkwcud2DH9VwGfct1S:T0m1a5pE+aNJawcudoD7UO

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2984	b2e.exe

Loads dropped DLL 5 IoCs

pid	Process
3060	Impossible.exe
3060	Impossible.exe
2796	WerFault.exe
2796	WerFault.exe
2796	WerFault.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3060-0-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/3060-12-0x0000000000400000-0x000000000040C000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2796	2984	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b2e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Impossible.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	2848	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2848	AUDIODG.EXE
Token: 33	2848	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2848	AUDIODG.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 2984	3060	Impossible.exe	29
PID 3060 wrote to memory of 2984	3060	Impossible.exe	29
PID 3060 wrote to memory of 2984	3060	Impossible.exe	29
PID 3060 wrote to memory of 2984	3060	Impossible.exe	29
PID 2984 wrote to memory of 2796	2984	b2e.exe	30
PID 2984 wrote to memory of 2796	2984	b2e.exe	30
PID 2984 wrote to memory of 2796	2984	b2e.exe	30
PID 2984 wrote to memory of 2796	2984	b2e.exe	30

C:\Users\Admin\AppData\Local\Temp\Impossible.exe
"C:\Users\Admin\AppData\Local\Temp\Impossible.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Users\Admin\AppData\Local\Temp\F882.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\F882.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\F882.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\Impossible.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 124
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2796

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2996

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x50c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\F882.tmp\b2e.exe

Filesize
18KB

MD5
ba0d217ac2ac7883223a4c8536a72c04

SHA1
f2fb3ebd3fdc287d06e0a85165d76c249bcf2c0a

SHA256
631c3f11b7823c5ee1fdc1a97a37135735306216fad43a98dfae966988c569bd

SHA512
0fc6885c270e2ecb82163f0b833835d8c1a1ef883ec28c654396ab72cbc48b056a362d612af9184d7a0446c3a262f603bcfeb822bdb1ba636bda17039bfe44c9

Download Submit
memory/2984-14-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3060-0-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3060-10-0x00000000003E0000-0x00000000003E5000-memory.dmp

Filesize
20KB

Download
memory/3060-9-0x00000000003E0000-0x00000000003E5000-memory.dmp

Filesize
20KB

Download
memory/3060-12-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download