dc36d62a7725f9c1cf6ddc9d3522c35693dba2be9d7ae9692fbd736b55994052

Analysis

max time kernel
45s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
30/10/2022, 14:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

dc36d62a7725f9c1cf6ddc9d3522c35693dba2be9d7ae9692fbd736b55994052.exe
Size

280KB
MD5

936b4a907641f905700a8f5706baada9
SHA1

6710c974588b0ddd267a1822f15c4680ced3428d
SHA256

dc36d62a7725f9c1cf6ddc9d3522c35693dba2be9d7ae9692fbd736b55994052
SHA512

6014e92e261689dc8364b45dcb272b1ff5498efae732feb898c87dfe6cc5c227d90645bc324ee2dd349081d7aae267d86beabee586e485bbb3c83101bb730249
SSDEEP

3072:hOOfUMMe5oMDQ8Xxh2VDcAqC4/RmCR/hHxAuVhUrv5R+RTsuZfp:hOOfUn8Dgq1ZmCVhHuuSh4RwuZx

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2028	jlqwsj.exe

Deletes itself 1 IoCs

pid	Process
2012	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
2012	cmd.exe
2012	cmd.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
884	PING.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1292 wrote to memory of 2012	1292	dc36d62a7725f9c1cf6ddc9d3522c35693dba2be9d7ae9692fbd736b55994052.exe	27
PID 1292 wrote to memory of 2012	1292	dc36d62a7725f9c1cf6ddc9d3522c35693dba2be9d7ae9692fbd736b55994052.exe	27
PID 1292 wrote to memory of 2012	1292	dc36d62a7725f9c1cf6ddc9d3522c35693dba2be9d7ae9692fbd736b55994052.exe	27
PID 1292 wrote to memory of 2012	1292	dc36d62a7725f9c1cf6ddc9d3522c35693dba2be9d7ae9692fbd736b55994052.exe	27
PID 2012 wrote to memory of 2028	2012	cmd.exe	29
PID 2012 wrote to memory of 2028	2012	cmd.exe	29
PID 2012 wrote to memory of 2028	2012	cmd.exe	29
PID 2012 wrote to memory of 2028	2012	cmd.exe	29
PID 2012 wrote to memory of 884	2012	cmd.exe	30
PID 2012 wrote to memory of 884	2012	cmd.exe	30
PID 2012 wrote to memory of 884	2012	cmd.exe	30
PID 2012 wrote to memory of 884	2012	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\dc36d62a7725f9c1cf6ddc9d3522c35693dba2be9d7ae9692fbd736b55994052.exe
"C:\Users\Admin\AppData\Local\Temp\dc36d62a7725f9c1cf6ddc9d3522c35693dba2be9d7ae9692fbd736b55994052.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1292
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\hsuahun.bat
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Users\Admin\AppData\Local\Temp\jlqwsj.exe
    "C:\Users\Admin\AppData\Local\Temp\jlqwsj.exe"
    3⤵
    - Executes dropped EXE
    PID:2028
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:884

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fadolf.bat

Filesize
188B

MD5
a0c58eed68a91b1a565dccf48e4d92f4

SHA1
ea26e1c6971fb866243272878b50d3c4cf7c495b

SHA256
21a49022810538f477a04c81d07d7927756f5fbc7ac2515c04b499c8674963f1

SHA512
e96c3fe4af48258a1dad848db2257eac7ecabcbd22ec5d46e878d13e95a0671a0a7d8e1a0b9f47fdb187162345e79d8f098e9371e72bfa5ad3ef316f30b91cf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsuahun.bat

Filesize
124B

MD5
1562ac41bcc747adddc9b9495c1c1927

SHA1
5fa3e11a526b8749522b30af7a0dc86e21e3cf5e

SHA256
0a2fa1a980ca569a23e56417203c98db6dcdee81d827729753e5040a13705aa3

SHA512
5fd4b627d7f9dc6f03ddb2fdd13936b7641a1f7eb0877f236e1f83f2872e3316106b357f970cdc77bd527c62d84b1dd5b6f9081a3ac1c00ed2d8740ac4822a3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jlqwsj.exe

Filesize
180KB

MD5
1fe0b7364cf76dea03a7274e5e5fc3c5

SHA1
b98b678063f800172fe2e5a952b91355c6813252

SHA256
3b9015caeb92f1d7ef3a7d80ca9723a0a74724995af71db4a6bfd1e372cc3d16

SHA512
d14617a2c36c6ee7be544d112d166d31ae428851a3f4c2dc76c26ec867a4ee6a469ddd1c6cf3489b362766b8fdc40bda0668dcc07840487391ecfcae0a67f6b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\jlqwsj.exe

Filesize
180KB

MD5
1fe0b7364cf76dea03a7274e5e5fc3c5

SHA1
b98b678063f800172fe2e5a952b91355c6813252

SHA256
3b9015caeb92f1d7ef3a7d80ca9723a0a74724995af71db4a6bfd1e372cc3d16

SHA512
d14617a2c36c6ee7be544d112d166d31ae428851a3f4c2dc76c26ec867a4ee6a469ddd1c6cf3489b362766b8fdc40bda0668dcc07840487391ecfcae0a67f6b1

Download Submit
\Users\Admin\AppData\Local\Temp\jlqwsj.exe

Filesize
180KB

MD5
1fe0b7364cf76dea03a7274e5e5fc3c5

SHA1
b98b678063f800172fe2e5a952b91355c6813252

SHA256
3b9015caeb92f1d7ef3a7d80ca9723a0a74724995af71db4a6bfd1e372cc3d16

SHA512
d14617a2c36c6ee7be544d112d166d31ae428851a3f4c2dc76c26ec867a4ee6a469ddd1c6cf3489b362766b8fdc40bda0668dcc07840487391ecfcae0a67f6b1

Download Submit
\Users\Admin\AppData\Local\Temp\jlqwsj.exe

Filesize
180KB

MD5
1fe0b7364cf76dea03a7274e5e5fc3c5

SHA1
b98b678063f800172fe2e5a952b91355c6813252

SHA256
3b9015caeb92f1d7ef3a7d80ca9723a0a74724995af71db4a6bfd1e372cc3d16

SHA512
d14617a2c36c6ee7be544d112d166d31ae428851a3f4c2dc76c26ec867a4ee6a469ddd1c6cf3489b362766b8fdc40bda0668dcc07840487391ecfcae0a67f6b1

Download Submit
memory/1292-54-0x00000000762E1000-0x00000000762E3000-memory.dmp

Filesize
8KB

Download