Analysis
-
max time kernel
147s -
max time network
46s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
09-10-2022 06:00
General
-
Target
Detail's for Shipping...exe
-
Size
777KB
-
MD5
655733a8c4475a2d82527b049f66c335
-
SHA1
9736ab1176850b60c260c86cd4d51a784f7a69cb
-
SHA256
e777f7a314ce728ab3efbfd598177eba4ddcbb06478c3773a920f64efd3ee19d
-
SHA512
8d12acf7882a8aa7c3cf451767cfa45603b40c3a3375bab0003a117d07184837e8d57044ca59654a9cd5c254d1e536f62b2d81289dbd49014cbf5d995a627487
-
SSDEEP
12288:6PnWqhxJu3T26ZqyZtLa+sw07DZcuayiZ7t5h:GnWExk3Fq407DUV
Malware Config
Signatures
-
Executes dropped EXE 4 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Detail's for Shipping...exe"C:\Users\Admin\AppData\Local\Temp\Detail's for Shipping...exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Detail's for Shipping...exe"C:\Users\Admin\AppData\Local\Temp\Detail's for Shipping...exe"2⤵
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\fireblende"2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\fireblende\fireblende.exe'" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\fireblende\fireblende.exe'" /f3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\Detail's for Shipping...exe" "C:\Users\Admin\AppData\Roaming\fireblende\fireblende.exe"2⤵
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {DDC4AC88-2238-4243-BFB0-54127E55A503} S-1-5-21-2292972927-2705560509-2768824231-1000:GRXNNIIE\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\fireblende\fireblende.exeC:\Users\Admin\AppData\Roaming\fireblende\fireblende.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\fireblende\fireblende.exe"C:\Users\Admin\AppData\Roaming\fireblende\fireblende.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\fireblende"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\fireblende\fireblende.exe'" /f3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\fireblende\fireblende.exe'" /f4⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c copy "C:\Users\Admin\AppData\Roaming\fireblende\fireblende.exe" "C:\Users\Admin\AppData\Roaming\fireblende\fireblende.exe"3⤵
-
-
-
C:\Users\Admin\AppData\Roaming\fireblende\fireblende.exeC:\Users\Admin\AppData\Roaming\fireblende\fireblende.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\fireblende\fireblende.exe"C:\Users\Admin\AppData\Roaming\fireblende\fireblende.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\fireblende"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\fireblende\fireblende.exe'" /f3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\fireblende\fireblende.exe'" /f4⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c copy "C:\Users\Admin\AppData\Roaming\fireblende\fireblende.exe" "C:\Users\Admin\AppData\Roaming\fireblende\fireblende.exe"3⤵
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
777KB
MD5655733a8c4475a2d82527b049f66c335
SHA19736ab1176850b60c260c86cd4d51a784f7a69cb
SHA256e777f7a314ce728ab3efbfd598177eba4ddcbb06478c3773a920f64efd3ee19d
SHA5128d12acf7882a8aa7c3cf451767cfa45603b40c3a3375bab0003a117d07184837e8d57044ca59654a9cd5c254d1e536f62b2d81289dbd49014cbf5d995a627487
-
Filesize
777KB
MD5655733a8c4475a2d82527b049f66c335
SHA19736ab1176850b60c260c86cd4d51a784f7a69cb
SHA256e777f7a314ce728ab3efbfd598177eba4ddcbb06478c3773a920f64efd3ee19d
SHA5128d12acf7882a8aa7c3cf451767cfa45603b40c3a3375bab0003a117d07184837e8d57044ca59654a9cd5c254d1e536f62b2d81289dbd49014cbf5d995a627487
-
Filesize
777KB
MD5655733a8c4475a2d82527b049f66c335
SHA19736ab1176850b60c260c86cd4d51a784f7a69cb
SHA256e777f7a314ce728ab3efbfd598177eba4ddcbb06478c3773a920f64efd3ee19d
SHA5128d12acf7882a8aa7c3cf451767cfa45603b40c3a3375bab0003a117d07184837e8d57044ca59654a9cd5c254d1e536f62b2d81289dbd49014cbf5d995a627487
-
Filesize
777KB
MD5655733a8c4475a2d82527b049f66c335
SHA19736ab1176850b60c260c86cd4d51a784f7a69cb
SHA256e777f7a314ce728ab3efbfd598177eba4ddcbb06478c3773a920f64efd3ee19d
SHA5128d12acf7882a8aa7c3cf451767cfa45603b40c3a3375bab0003a117d07184837e8d57044ca59654a9cd5c254d1e536f62b2d81289dbd49014cbf5d995a627487
-
Filesize
777KB
MD5655733a8c4475a2d82527b049f66c335
SHA19736ab1176850b60c260c86cd4d51a784f7a69cb
SHA256e777f7a314ce728ab3efbfd598177eba4ddcbb06478c3773a920f64efd3ee19d
SHA5128d12acf7882a8aa7c3cf451767cfa45603b40c3a3375bab0003a117d07184837e8d57044ca59654a9cd5c254d1e536f62b2d81289dbd49014cbf5d995a627487
-
Filesize
800KB
-
Filesize
800KB
-
Filesize
8KB
-
Filesize
800KB
-
Filesize
388KB
-
Filesize
388KB
-
Filesize
388KB
-
Filesize
388KB
-
Filesize
388KB
-
Filesize
388KB
-
Filesize
388KB
-
Filesize
388KB
-
Filesize
388KB
-
Filesize
388KB
-
Filesize
388KB