2c132e0f538f505861c83946b7d08ef68ac1b69f27b88f5eea194727d300c809

Analysis

max time kernel
47s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/10/2022, 16:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2c132e0f538f505861c83946b7d08ef68ac1b69f27b88f5eea194727d300c809.exe
Size

320KB
MD5

6aec9218c1f503e8263c7759b1dacc2a
SHA1

d6eec998ff7b886f6bccd41213456dcbca9f1edb
SHA256

2c132e0f538f505861c83946b7d08ef68ac1b69f27b88f5eea194727d300c809
SHA512

9a0ff9c49203867a9ca69f615c8019c3e73d9c35d4df7516d33b0b451a0b41cc87b83c9814bf159b2333e1ad8344b2bc5471f752542185b9e93b57c342e02546
SSDEEP

6144:5B8Xfd10VXq+BhO+6VCnvfoJW/IUu5o55zTEi9RG/3vwuZDn:kXfd10I+BhO+6VCnvfoJ2IUu5sl98vvZ

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2040	osbwbi.exe

Deletes itself 1 IoCs

pid	Process
1436	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1436	cmd.exe
1436	cmd.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1984	PING.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1112 wrote to memory of 1436	1112	2c132e0f538f505861c83946b7d08ef68ac1b69f27b88f5eea194727d300c809.exe	28
PID 1112 wrote to memory of 1436	1112	2c132e0f538f505861c83946b7d08ef68ac1b69f27b88f5eea194727d300c809.exe	28
PID 1112 wrote to memory of 1436	1112	2c132e0f538f505861c83946b7d08ef68ac1b69f27b88f5eea194727d300c809.exe	28
PID 1112 wrote to memory of 1436	1112	2c132e0f538f505861c83946b7d08ef68ac1b69f27b88f5eea194727d300c809.exe	28
PID 1436 wrote to memory of 2040	1436	cmd.exe	30
PID 1436 wrote to memory of 2040	1436	cmd.exe	30
PID 1436 wrote to memory of 2040	1436	cmd.exe	30
PID 1436 wrote to memory of 2040	1436	cmd.exe	30
PID 1436 wrote to memory of 1984	1436	cmd.exe	31
PID 1436 wrote to memory of 1984	1436	cmd.exe	31
PID 1436 wrote to memory of 1984	1436	cmd.exe	31
PID 1436 wrote to memory of 1984	1436	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\2c132e0f538f505861c83946b7d08ef68ac1b69f27b88f5eea194727d300c809.exe
"C:\Users\Admin\AppData\Local\Temp\2c132e0f538f505861c83946b7d08ef68ac1b69f27b88f5eea194727d300c809.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1112
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\iadufll.bat
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1436
- - C:\Users\Admin\AppData\Local\Temp\osbwbi.exe
    "C:\Users\Admin\AppData\Local\Temp\osbwbi.exe"
    3⤵
    - Executes dropped EXE
    PID:2040
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:1984

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\iadufll.bat

Filesize
124B

MD5
a24d5ac90af0f631242e84314a1413ff

SHA1
c9c233aba42e45fb73c086b18a0f7cb0ecfb6c8e

SHA256
ae3377808abfc177ccc4575a504584b5c5094a3a25833ea15febf28b5329d57e

SHA512
2499b1ab53fd3f98cdedf0ebaa820a8e28ed134326b4d7dd2deff8895b5c88e78b2f777f135e0f5bebbf6772600d37016c3cc6ff70caa3efb26c37c6412106d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\osbwbi.exe

Filesize
184KB

MD5
7daaace9cb5a2eb24be53a55202002b6

SHA1
c72125376123e1c33afd56618271c0c337682fd4

SHA256
fb6c200f571161bb1193e90d8960e41662d5b3503ec14febb7b3a7002660d705

SHA512
d056e370226c1f531d9532167aa324c7d1bde2f8f3833ba59eb4756528682338a63633150f20fa63333947d3c3f99bd03e20d495d11150eae7d4c2c457cdce18

Download Submit
C:\Users\Admin\AppData\Local\Temp\osbwbi.exe

Filesize
184KB

MD5
7daaace9cb5a2eb24be53a55202002b6

SHA1
c72125376123e1c33afd56618271c0c337682fd4

SHA256
fb6c200f571161bb1193e90d8960e41662d5b3503ec14febb7b3a7002660d705

SHA512
d056e370226c1f531d9532167aa324c7d1bde2f8f3833ba59eb4756528682338a63633150f20fa63333947d3c3f99bd03e20d495d11150eae7d4c2c457cdce18

Download Submit
C:\Users\Admin\AppData\Local\Temp\ovwowt.bat

Filesize
188B

MD5
595460f38904d8d02072b2bf532e8bc3

SHA1
c69c581c0833f6f249663fad6e1bed0e8a312c8f

SHA256
f56ad817ccf1542c22c18d733255b67fe31fcec18b92a7238a00b4a02d45ef9a

SHA512
7f1b21294d972c4d40877ce56be6feee3a49e89487633db11ea29c4b7bade764920412cad41f1711b8a204cd4e44f27cfd9da05ad88d1a0893b6beadd800a2e1

Download Submit
\Users\Admin\AppData\Local\Temp\osbwbi.exe

Filesize
184KB

MD5
7daaace9cb5a2eb24be53a55202002b6

SHA1
c72125376123e1c33afd56618271c0c337682fd4

SHA256
fb6c200f571161bb1193e90d8960e41662d5b3503ec14febb7b3a7002660d705

SHA512
d056e370226c1f531d9532167aa324c7d1bde2f8f3833ba59eb4756528682338a63633150f20fa63333947d3c3f99bd03e20d495d11150eae7d4c2c457cdce18

Download Submit
\Users\Admin\AppData\Local\Temp\osbwbi.exe

Filesize
184KB

MD5
7daaace9cb5a2eb24be53a55202002b6

SHA1
c72125376123e1c33afd56618271c0c337682fd4

SHA256
fb6c200f571161bb1193e90d8960e41662d5b3503ec14febb7b3a7002660d705

SHA512
d056e370226c1f531d9532167aa324c7d1bde2f8f3833ba59eb4756528682338a63633150f20fa63333947d3c3f99bd03e20d495d11150eae7d4c2c457cdce18

Download Submit
memory/1112-54-0x0000000076DC1000-0x0000000076DC3000-memory.dmp

Filesize
8KB

Download