a3b82eefa2255e02b4adcefa080a4ceebe5142aa1f02a2c9f7b568257c48e014

Analysis

max time kernel
42s
max time network
47s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
30/10/2022, 19:26 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a3b82eefa2255e02b4adcefa080a4ceebe5142aa1f02a2c9f7b568257c48e014.exe
Size

284KB
MD5

826d649c07d1f20fd27c233667d6c588
SHA1

4ab1ea3f4b6ebcc04416068ef0fa500982822cb8
SHA256

a3b82eefa2255e02b4adcefa080a4ceebe5142aa1f02a2c9f7b568257c48e014
SHA512

daf4d1294db7d7ef4cb405e251d1c87b037de430d9a1860f88660ac7039801d217f89a409aa7313ffeb28a330bd15717b012de324a519e302a4a49cf1aa95556
SSDEEP

3072:amSenceAA5otaeyURLLls42llNaiLzekJtSiSPRgXZTsuZfe:amSenBAmezRls42lvCk+iSPRgpwuZW

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1612	pxpwuo.exe

Deletes itself 1 IoCs

pid	Process
928	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
928	cmd.exe
928	cmd.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
816	PING.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1000 wrote to memory of 928	1000	a3b82eefa2255e02b4adcefa080a4ceebe5142aa1f02a2c9f7b568257c48e014.exe	27
PID 1000 wrote to memory of 928	1000	a3b82eefa2255e02b4adcefa080a4ceebe5142aa1f02a2c9f7b568257c48e014.exe	27
PID 1000 wrote to memory of 928	1000	a3b82eefa2255e02b4adcefa080a4ceebe5142aa1f02a2c9f7b568257c48e014.exe	27
PID 1000 wrote to memory of 928	1000	a3b82eefa2255e02b4adcefa080a4ceebe5142aa1f02a2c9f7b568257c48e014.exe	27
PID 928 wrote to memory of 1612	928	cmd.exe	29
PID 928 wrote to memory of 1612	928	cmd.exe	29
PID 928 wrote to memory of 1612	928	cmd.exe	29
PID 928 wrote to memory of 1612	928	cmd.exe	29
PID 928 wrote to memory of 816	928	cmd.exe	30
PID 928 wrote to memory of 816	928	cmd.exe	30
PID 928 wrote to memory of 816	928	cmd.exe	30
PID 928 wrote to memory of 816	928	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\a3b82eefa2255e02b4adcefa080a4ceebe5142aa1f02a2c9f7b568257c48e014.exe
"C:\Users\Admin\AppData\Local\Temp\a3b82eefa2255e02b4adcefa080a4ceebe5142aa1f02a2c9f7b568257c48e014.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1000
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\kujsxpo.bat
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:928
- - C:\Users\Admin\AppData\Local\Temp\pxpwuo.exe
    "C:\Users\Admin\AppData\Local\Temp\pxpwuo.exe"
    3⤵
    - Executes dropped EXE
    PID:1612
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:816

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\kujsxpo.bat

Filesize
124B

MD5
d187a4542a2cdf6a857e8e492ca30418

SHA1
c6d889e3017c50e285c48249683d2a8065d0681b

SHA256
f7ea09dd23f5f3d13b32315b583b20be2e7bf9e58363fb744824466cef3417a7

SHA512
681629190db4f459e45f103ca41c1fca127adad8517d1022cf302284f38a7e12a65ad5ff2c4b59c06ed4b8f72ec565f9dded569f8c156ad083fb3cc601185f5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\pxpwuo.exe

Filesize
184KB

MD5
dfb7fe60aefcdf599fa666d2a26cbb18

SHA1
95105422ee2d2ee7a744fcb5bbd88de62c5ad1c0

SHA256
6127536fe4db91c1c732001235e2486e71f9c558059735a325572ca6a41107db

SHA512
664766ab9f9fc6caa31b4efa314ca14e89573020232e172053bbc4545fa77d9af144159d9f4f95bd61d84340381a7a015d7d015e57ffab4dcb7626873887135a

Download Submit
C:\Users\Admin\AppData\Local\Temp\pxpwuo.exe

Filesize
184KB

MD5
dfb7fe60aefcdf599fa666d2a26cbb18

SHA1
95105422ee2d2ee7a744fcb5bbd88de62c5ad1c0

SHA256
6127536fe4db91c1c732001235e2486e71f9c558059735a325572ca6a41107db

SHA512
664766ab9f9fc6caa31b4efa314ca14e89573020232e172053bbc4545fa77d9af144159d9f4f95bd61d84340381a7a015d7d015e57ffab4dcb7626873887135a

Download Submit
C:\Users\Admin\AppData\Local\Temp\uxksur.bat

Filesize
188B

MD5
6117710d9f8dfd7ed64f247f5b7d4268

SHA1
4b93adc6264af975a0ab7eb32873047de3d6d3f8

SHA256
6aba23733a616c4df4a3489f159dd342fa57f726e38e6eb06c9cdb4bde0015cc

SHA512
292c393eaf2abf1a09422f2dd3320d64dfddf2fc0e65a18438f9a5a0a46d132edfac851e06363293954ca6aae4c9c3466423be49aca41c22236bd4a67b933054

Download Submit
\Users\Admin\AppData\Local\Temp\pxpwuo.exe

Filesize
184KB

MD5
dfb7fe60aefcdf599fa666d2a26cbb18

SHA1
95105422ee2d2ee7a744fcb5bbd88de62c5ad1c0

SHA256
6127536fe4db91c1c732001235e2486e71f9c558059735a325572ca6a41107db

SHA512
664766ab9f9fc6caa31b4efa314ca14e89573020232e172053bbc4545fa77d9af144159d9f4f95bd61d84340381a7a015d7d015e57ffab4dcb7626873887135a

Download Submit
\Users\Admin\AppData\Local\Temp\pxpwuo.exe

Filesize
184KB

MD5
dfb7fe60aefcdf599fa666d2a26cbb18

SHA1
95105422ee2d2ee7a744fcb5bbd88de62c5ad1c0

SHA256
6127536fe4db91c1c732001235e2486e71f9c558059735a325572ca6a41107db

SHA512
664766ab9f9fc6caa31b4efa314ca14e89573020232e172053bbc4545fa77d9af144159d9f4f95bd61d84340381a7a015d7d015e57ffab4dcb7626873887135a

Download Submit
memory/1000-54-0x0000000076561000-0x0000000076563000-memory.dmp

Filesize
8KB

Download