e396b9137910ec6714f47fc834f65f1cc60b5d778c75f7aedf3c457555c285a7

Analysis

max time kernel
22s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20-10-2022 00:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e396b9137910ec6714f47fc834f65f1cc60b5d778c75f7aedf3c457555c285a7.exe
Size

320KB
MD5

a215b4c13d637d8e3432e012101bedc0
SHA1

0bee171a83448ef6a7d98320dc89aa76b0f9cc49
SHA256

e396b9137910ec6714f47fc834f65f1cc60b5d778c75f7aedf3c457555c285a7
SHA512

132801e15cd9c4aa71510bf67c24705fd2c56b8b1d9a9eb1e8989a6e9f248af0e2c2a60c20f87e88233fff0181e48c8da8e3ba95d96bd63bd7f9b46ee259bec4
SSDEEP

3072:lnYiFXctfZoPWML/9qB/MWXPw1/6leXpz8xvQCKljTsuZfu:lYiFXOjg9qVvPBleXN8mVwuZ2

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1736	rlkhsa.exe

Deletes itself 1 IoCs

pid	Process
912	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
912	cmd.exe
912	cmd.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1184	PING.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 836 wrote to memory of 912	836	e396b9137910ec6714f47fc834f65f1cc60b5d778c75f7aedf3c457555c285a7.exe	27
PID 836 wrote to memory of 912	836	e396b9137910ec6714f47fc834f65f1cc60b5d778c75f7aedf3c457555c285a7.exe	27
PID 836 wrote to memory of 912	836	e396b9137910ec6714f47fc834f65f1cc60b5d778c75f7aedf3c457555c285a7.exe	27
PID 836 wrote to memory of 912	836	e396b9137910ec6714f47fc834f65f1cc60b5d778c75f7aedf3c457555c285a7.exe	27
PID 912 wrote to memory of 1736	912	cmd.exe	29
PID 912 wrote to memory of 1736	912	cmd.exe	29
PID 912 wrote to memory of 1736	912	cmd.exe	29
PID 912 wrote to memory of 1736	912	cmd.exe	29
PID 912 wrote to memory of 1184	912	cmd.exe	30
PID 912 wrote to memory of 1184	912	cmd.exe	30
PID 912 wrote to memory of 1184	912	cmd.exe	30
PID 912 wrote to memory of 1184	912	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\e396b9137910ec6714f47fc834f65f1cc60b5d778c75f7aedf3c457555c285a7.exe
"C:\Users\Admin\AppData\Local\Temp\e396b9137910ec6714f47fc834f65f1cc60b5d778c75f7aedf3c457555c285a7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:836
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\mhyqvfe.bat
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:912
- - C:\Users\Admin\AppData\Local\Temp\rlkhsa.exe
    "C:\Users\Admin\AppData\Local\Temp\rlkhsa.exe"
    3⤵
    - Executes dropped EXE
    PID:1736
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:1184

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cxaqla.bat

Filesize
188B

MD5
ec33e97ffbd10f662beaa4b16d9d9a2b

SHA1
087790fcec8badd11a1ae93de1c5f8568369042d

SHA256
d940a7ca429f2b08fd4286c1585e6c0189ff0092739d0402298fefdd6eba0bd8

SHA512
3305e25f66929565aaaef68fc5791f210f9b050e5c3f8701f9c2fb809f203d6de964415c9b348b12918fa234635beac5578ab4e6027e1276b637a9c2e47e5fa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\mhyqvfe.bat

Filesize
124B

MD5
bc378c74ccf707e1af309e86677c2874

SHA1
f2528d13fbae1b1f9e6dd7e43ea299585e504311

SHA256
064afd31c8f0b4e5e061d876689f069ea09e6dc84faeee15fcc63d936ecbac74

SHA512
444fe2e2e089d6a8b4d3bbd90f9811910beafb5605876faa61f5064a9baf3253985a5a5833405a148bc1d65d7db371c5683b29d2182fdd71ff2c234429a9d0c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\rlkhsa.exe

Filesize
184KB

MD5
d2f434f66d1dea084c3f9be14e56ce7b

SHA1
4fa88618b13e9f6d3328a1ee2cb7617bfbd5414d

SHA256
63478a8bb84957d7ba8462e22bcad2f0eeaf9b11735898997dff34a367c54ba5

SHA512
3710bc8d48581751e3548874e079047ce51283096c7358597e5eaf496b7c09d0f647801f0b6f2f6a05a47314a17b292ad4c5b9974bd53b447ea9e178f3f5c400

Download Submit
C:\Users\Admin\AppData\Local\Temp\rlkhsa.exe

Filesize
184KB

MD5
d2f434f66d1dea084c3f9be14e56ce7b

SHA1
4fa88618b13e9f6d3328a1ee2cb7617bfbd5414d

SHA256
63478a8bb84957d7ba8462e22bcad2f0eeaf9b11735898997dff34a367c54ba5

SHA512
3710bc8d48581751e3548874e079047ce51283096c7358597e5eaf496b7c09d0f647801f0b6f2f6a05a47314a17b292ad4c5b9974bd53b447ea9e178f3f5c400

Download Submit
\Users\Admin\AppData\Local\Temp\rlkhsa.exe

Filesize
184KB

MD5
d2f434f66d1dea084c3f9be14e56ce7b

SHA1
4fa88618b13e9f6d3328a1ee2cb7617bfbd5414d

SHA256
63478a8bb84957d7ba8462e22bcad2f0eeaf9b11735898997dff34a367c54ba5

SHA512
3710bc8d48581751e3548874e079047ce51283096c7358597e5eaf496b7c09d0f647801f0b6f2f6a05a47314a17b292ad4c5b9974bd53b447ea9e178f3f5c400

Download Submit
\Users\Admin\AppData\Local\Temp\rlkhsa.exe

Filesize
184KB

MD5
d2f434f66d1dea084c3f9be14e56ce7b

SHA1
4fa88618b13e9f6d3328a1ee2cb7617bfbd5414d

SHA256
63478a8bb84957d7ba8462e22bcad2f0eeaf9b11735898997dff34a367c54ba5

SHA512
3710bc8d48581751e3548874e079047ce51283096c7358597e5eaf496b7c09d0f647801f0b6f2f6a05a47314a17b292ad4c5b9974bd53b447ea9e178f3f5c400

Download Submit
memory/836-54-0x0000000076401000-0x0000000076403000-memory.dmp

Filesize
8KB

Download