Analysis
max time kernel: 161s
max time network: 103s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 20/10/2022, 17:32

Static task: static1

Behavioral task: behavioral1
Sample: 88c9b21095a57cce75d878f2cbc458196402f0bcc70ebeb6a975469db592b286.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: 88c9b21095a57cce75d878f2cbc458196402f0bcc70ebeb6a975469db592b286.exe
Resource: win10v2004-20220901-en
General
Target: 88c9b21095a57cce75d878f2cbc458196402f0bcc70ebeb6a975469db592b286.exe
Size: 223KB
MD5: 96d2bbb2a6cfc4084faab5b8e1d178e7
SHA1: 8656d5e3e8ec75b521644adfb547d21e3649adb0
SHA256: 88c9b21095a57cce75d878f2cbc458196402f0bcc70ebeb6a975469db592b286
SHA512: 5b2fa78c5fa21e4b65b175807e7fc796e0bf36d605ed64dc33df568c089bd8798b98b8f5d62817a84346f214f17f5dbf75841b5647096c386cad855d8ba10a1a
SSDEEP: 3072:DiLKyQfK9q21faTfTc+wcHTUxWp/rvuFoiHeO0SSC4z95j3frYeFvi/8jyKV9Vce:KKyQfK9XZIcv0yFtS953YUvKSy4
Malware Config

Signatures

Executes dropped EXE (1 IoC)
  pid 1928  Process: Ebiwaa.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created      \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run                                  Process: Ebiwaa.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\SMH2B46TDP = "C:\\Windows\\Ebiwaa.exe"  Process: Ebiwaa.exe

Drops file in Windows directory (4 IoCs)
  File created                  C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job  Process: 88c9b21095a57cce75d878f2cbc458196402f0bcc70ebeb6a975469db592b286.exe
  File opened for modification  C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job  Process: 88c9b21095a57cce75d878f2cbc458196402f0bcc70ebeb6a975469db592b286.exe
  File created                  C:\Windows\Ebiwaa.exe                                        Process: 88c9b21095a57cce75d878f2cbc458196402f0bcc70ebeb6a975469db592b286.exe
  File opened for modification  C:\Windows\Ebiwaa.exe                                        Process: 88c9b21095a57cce75d878f2cbc458196402f0bcc70ebeb6a975469db592b286.exe
Modifies Internet Explorer settings (2 IoCs)
  Key created  \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main           Process: Ebiwaa.exe
  Key created  \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\International  Process: Ebiwaa.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 1928  Process: Ebiwaa.exe  (the same entry repeated 64 times)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 1928  Process: Ebiwaa.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  PID 1952 wrote to memory of 1928  Process: 88c9b21095a57cce75d878f2cbc458196402f0bcc70ebeb6a975469db592b286.exe  procid_target: 28  (the same entry repeated 4 times)
Processes

1. C:\Users\Admin\AppData\Local\Temp\88c9b21095a57cce75d878f2cbc458196402f0bcc70ebeb6a975469db592b286.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\88c9b21095a57cce75d878f2cbc458196402f0bcc70ebeb6a975469db592b286.exe"
   PID: 1952
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\Ebiwaa.exe (child of PID 1952)
      Command line: C:\Windows\Ebiwaa.exe
      PID: 1928
      - Executes dropped EXE
      - Adds Run key to start application
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 223KB
MD5: 96d2bbb2a6cfc4084faab5b8e1d178e7
SHA1: 8656d5e3e8ec75b521644adfb547d21e3649adb0
SHA256: 88c9b21095a57cce75d878f2cbc458196402f0bcc70ebeb6a975469db592b286
SHA512: 5b2fa78c5fa21e4b65b175807e7fc796e0bf36d605ed64dc33df568c089bd8798b98b8f5d62817a84346f214f17f5dbf75841b5647096c386cad855d8ba10a1a

Filesize: 408B
MD5: 06421b775c8be1ddccb4a6a9be528d22
SHA1: 94c5e94ae28d454132d715fc6cbdae1402cb8421
SHA256: 3af4a66ca58176ec358c6338b6496ecdb222f864b85014f7b8f3fe3c1632cefd
SHA512: c053709d655709b629a885243728f058f037436f79bcfc175bc83724af5093d61965898847754ccb4ee22ec07e7d1539b2d5dd8a27ab94c464ad13a7f05b2bd0