Analysis

  • max time kernel
    43s
  • max time network
    49s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
  • submitted
    19-09-2022 15:32

General

  • Target

    38ecfa985c7c4ac63af2f9449f557bc09b990dda7e596aebdbcd6fb6d7d57ad1.exe

  • Size

    7.4MB

  • MD5

    f9979595efc23fea996af22697f45b9b

  • SHA1

    bd00911878eb1fa2e21627b140bd108085b1250b

  • SHA256

    38ecfa985c7c4ac63af2f9449f557bc09b990dda7e596aebdbcd6fb6d7d57ad1

  • SHA512

    ccec79b2159cd6a765c52e4be0bfe0016012338c6c0f6380cfe931ed312dd915cdb32cff9c0724760ed67144a886df33f8815829e3f6bb60ba32b47a7c6b9ec6

  • SSDEEP

    196608:BW+fWD0RWkarZa3VUpIv22HvXgWpWw1XoUh9jiAxK:BW+xorx2PrWfaxK

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\38ecfa985c7c4ac63af2f9449f557bc09b990dda7e596aebdbcd6fb6d7d57ad1.exe
    "C:\Users\Admin\AppData\Local\Temp\38ecfa985c7c4ac63af2f9449f557bc09b990dda7e596aebdbcd6fb6d7d57ad1.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1352
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ppi.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ppi.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1528
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ppi.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ppi.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:992
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VPNCLI~1.EXE
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VPNCLI~1.EXE
      2⤵
      • Executes dropped EXE
      PID:1376

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VPNCLI~1.EXE

    Filesize

    7.6MB

    MD5

    a8407593072cfabb83410f2f06fa8b61

    SHA1

    9dcb2e9de75204a4361036cdd194d2775b0b4b26

    SHA256

    28d3802609272de8198ae746acf19f0d26751895f591f35d78340d2352ad2c4e

    SHA512

    df80853007650ee382744e984a780c0067c42a9d4253b93c3e0864a1d28d875c585f337d3c47ec24ebc2d5666d02dd93515bb3388709e201e2ac82e6e8e3893d


  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ppi.exe

    Filesize

    152KB

    MD5

    cb9c7d959ef41b3fc2f9cffd08ec5aa1

    SHA1

    d43d9c54eadb0fc183546ff4a1fea4e789c9d061

    SHA256

    f714f37b3834952f7dfe10e98d3b48b4339c3458b6e0b3de60da5ea890d9122f

    SHA512

    1aaf925d7fd9d922cfcc0ca914498609376182c24f76355f9178fc20552cd25cd0c4ca9e13da4b979910483802a9e9de377268d642894ca2b9638b47d8f9762c


  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\VPNCLI~1.EXE

    Filesize

    7.6MB

    MD5

    a8407593072cfabb83410f2f06fa8b61

    SHA1

    9dcb2e9de75204a4361036cdd194d2775b0b4b26

    SHA256

    28d3802609272de8198ae746acf19f0d26751895f591f35d78340d2352ad2c4e

    SHA512

    df80853007650ee382744e984a780c0067c42a9d4253b93c3e0864a1d28d875c585f337d3c47ec24ebc2d5666d02dd93515bb3388709e201e2ac82e6e8e3893d


  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\ppi.exe

    Filesize

    152KB

    MD5

    cb9c7d959ef41b3fc2f9cffd08ec5aa1

    SHA1

    d43d9c54eadb0fc183546ff4a1fea4e789c9d061

    SHA256

    f714f37b3834952f7dfe10e98d3b48b4339c3458b6e0b3de60da5ea890d9122f

    SHA512

    1aaf925d7fd9d922cfcc0ca914498609376182c24f76355f9178fc20552cd25cd0c4ca9e13da4b979910483802a9e9de377268d642894ca2b9638b47d8f9762c


  • memory/992-71-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

  • memory/992-66-0x0000000000401768-mapping.dmp

  • memory/992-65-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

  • memory/992-63-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

  • memory/992-61-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

  • memory/992-60-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

  • memory/992-78-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

  • memory/1376-74-0x0000000000000000-mapping.dmp

  • memory/1376-76-0x0000000075B51000-0x0000000075B53000-memory.dmp

    Filesize

    8KB

  • memory/1528-56-0x0000000000000000-mapping.dmp