c35da5b4a94e3a913b6e262ee2a4b86970e4c1ca6f39ca7f682e7b8767827012

Analysis

max time kernel
37s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07/11/2022, 20:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c35da5b4a94e3a913b6e262ee2a4b86970e4c1ca6f39ca7f682e7b8767827012.exe
Size

280KB
MD5

0d6389151fef2a12eb1f8550c9ee1e04
SHA1

1d2d3f9f319ba23311d5bd5ba0e01103d23ef53f
SHA256

c35da5b4a94e3a913b6e262ee2a4b86970e4c1ca6f39ca7f682e7b8767827012
SHA512

9cf28edfc1fb591d17c4e9f27d1efbef4b3ec55e50bfb72ff7f24560a022b2291656a5804cdfc3808ebb8ee0a31993433aac2bc578b560415da9432d7c7954c7
SSDEEP

3072:CO+fEMt+5oqmcrQ3XMzkJJXIiMjJJeHGqONtjlTsuZft:CO+fEO6mxd7yyHGJZwuZl

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1104	yyyfla.exe

Deletes itself 1 IoCs

pid	Process
1956	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1956	cmd.exe
1956	cmd.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2024	PING.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1148 wrote to memory of 1956	1148	c35da5b4a94e3a913b6e262ee2a4b86970e4c1ca6f39ca7f682e7b8767827012.exe	27
PID 1148 wrote to memory of 1956	1148	c35da5b4a94e3a913b6e262ee2a4b86970e4c1ca6f39ca7f682e7b8767827012.exe	27
PID 1148 wrote to memory of 1956	1148	c35da5b4a94e3a913b6e262ee2a4b86970e4c1ca6f39ca7f682e7b8767827012.exe	27
PID 1148 wrote to memory of 1956	1148	c35da5b4a94e3a913b6e262ee2a4b86970e4c1ca6f39ca7f682e7b8767827012.exe	27
PID 1956 wrote to memory of 1104	1956	cmd.exe	29
PID 1956 wrote to memory of 1104	1956	cmd.exe	29
PID 1956 wrote to memory of 1104	1956	cmd.exe	29
PID 1956 wrote to memory of 1104	1956	cmd.exe	29
PID 1956 wrote to memory of 2024	1956	cmd.exe	30
PID 1956 wrote to memory of 2024	1956	cmd.exe	30
PID 1956 wrote to memory of 2024	1956	cmd.exe	30
PID 1956 wrote to memory of 2024	1956	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\c35da5b4a94e3a913b6e262ee2a4b86970e4c1ca6f39ca7f682e7b8767827012.exe
"C:\Users\Admin\AppData\Local\Temp\c35da5b4a94e3a913b6e262ee2a4b86970e4c1ca6f39ca7f682e7b8767827012.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1148
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\mczkoub.bat
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1956
- - C:\Users\Admin\AppData\Local\Temp\yyyfla.exe
    "C:\Users\Admin\AppData\Local\Temp\yyyfla.exe"
    3⤵
    - Executes dropped EXE
    PID:1104
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2024

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mczkoub.bat

Filesize
124B

MD5
862408f84bfe7a0f28bb4aa26c8d465b

SHA1
625c6189c3d52e17a77acb5ca30f02240f4386f4

SHA256
a39c29a26c5f59f6622f9ce549aac7dc2ba0332de3cdb13ca45e79a5ba732a62

SHA512
df9cc02e24e7cca5150fccdab3f784680b36214acdc16acbcadfc118698fb8657255865c8b9b008146f4967fbf30c586892af12a6329b548d23f3a256f42c0f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vagwtw.bat

Filesize
188B

MD5
b069e918ce57a36f5c4728d61ddffd02

SHA1
f1a8183e09172c5e9749322bef086f63aded53fc

SHA256
e813d7ccc6ac942c60f1e55dcea4ddc7fefd54a0afc48f94ef36e1362346aba6

SHA512
d916848c3fde6ad623438e5ddf5c0c60da743c6bea424aeb51a17c6f12181ef85ba7d00db1316df2ce1d95805e85597c646f12f197dca04ebd67a1e31055e0d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\yyyfla.exe

Filesize
180KB

MD5
7f42d1a7b00572066673f28f4f628c70

SHA1
2468932c4b073eb8d871e8e5b7fa0b3c2873be60

SHA256
433f18469827fd40c8789a12e035127a62e9cea9925668c9a347ad3c669be8dd

SHA512
f1d873d6bf6f6cbf1a085c8d8b8928bd4d2e01e0b3f888976d752994123fc6a3514f10b66997c5a284cf1eb55c4867d2a20a3b7a34e175f20fc7e8b69442e542

Download Submit
C:\Users\Admin\AppData\Local\Temp\yyyfla.exe

Filesize
180KB

MD5
7f42d1a7b00572066673f28f4f628c70

SHA1
2468932c4b073eb8d871e8e5b7fa0b3c2873be60

SHA256
433f18469827fd40c8789a12e035127a62e9cea9925668c9a347ad3c669be8dd

SHA512
f1d873d6bf6f6cbf1a085c8d8b8928bd4d2e01e0b3f888976d752994123fc6a3514f10b66997c5a284cf1eb55c4867d2a20a3b7a34e175f20fc7e8b69442e542

Download Submit
\Users\Admin\AppData\Local\Temp\yyyfla.exe

Filesize
180KB

MD5
7f42d1a7b00572066673f28f4f628c70

SHA1
2468932c4b073eb8d871e8e5b7fa0b3c2873be60

SHA256
433f18469827fd40c8789a12e035127a62e9cea9925668c9a347ad3c669be8dd

SHA512
f1d873d6bf6f6cbf1a085c8d8b8928bd4d2e01e0b3f888976d752994123fc6a3514f10b66997c5a284cf1eb55c4867d2a20a3b7a34e175f20fc7e8b69442e542

Download Submit
\Users\Admin\AppData\Local\Temp\yyyfla.exe

Filesize
180KB

MD5
7f42d1a7b00572066673f28f4f628c70

SHA1
2468932c4b073eb8d871e8e5b7fa0b3c2873be60

SHA256
433f18469827fd40c8789a12e035127a62e9cea9925668c9a347ad3c669be8dd

SHA512
f1d873d6bf6f6cbf1a085c8d8b8928bd4d2e01e0b3f888976d752994123fc6a3514f10b66997c5a284cf1eb55c4867d2a20a3b7a34e175f20fc7e8b69442e542

Download Submit
memory/1148-54-0x0000000074C11000-0x0000000074C13000-memory.dmp

Filesize
8KB

Download