03ea0dfce39b18cae4fe9aa3396f8a3a75a057e545e1cf1472cd167e00fcf03b

Analysis

max time kernel
176s
max time network
181s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 23:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03ea0dfce39b18cae4fe9aa3396f8a3a75a057e545e1cf1472cd167e00fcf03b.exe
Size

280KB
MD5

40c00c790cccf9200cfec9d269c1d696
SHA1

f14a059001bcad3f2165fa8f6a2bad75d2d1e906
SHA256

03ea0dfce39b18cae4fe9aa3396f8a3a75a057e545e1cf1472cd167e00fcf03b
SHA512

e57a85ef43def7de6ec263dcf13fd764557a34ce9120c14d16cff5bc4bae30add81e0102aba99648be82defabec05c12f196807eff6b3db63b094ac08f5e12cc
SSDEEP

6144:y+OYf9C2K55pUV9pZF/vWibGzI9bswuZR0:yiC2K55pW/Z5f6U9swCu

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

qbxbhw.exe

pid process

4164 qbxbhw.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4432 PING.EXE

pid	process
4164	qbxbhw.exe

pid	process
4432	PING.EXE

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

03ea0dfce39b18cae4fe9aa3396f8a3a75a057e545e1cf1472cd167e00fcf03b.execmd.exe

description	pid	process	target process
PID 2328 wrote to memory of 1628	2328	03ea0dfce39b18cae4fe9aa3396f8a3a75a057e545e1cf1472cd167e00fcf03b.exe	cmd.exe
PID 2328 wrote to memory of 1628	2328	03ea0dfce39b18cae4fe9aa3396f8a3a75a057e545e1cf1472cd167e00fcf03b.exe	cmd.exe
PID 2328 wrote to memory of 1628	2328	03ea0dfce39b18cae4fe9aa3396f8a3a75a057e545e1cf1472cd167e00fcf03b.exe	cmd.exe
PID 1628 wrote to memory of 4164	1628	cmd.exe	qbxbhw.exe
PID 1628 wrote to memory of 4164	1628	cmd.exe	qbxbhw.exe
PID 1628 wrote to memory of 4164	1628	cmd.exe	qbxbhw.exe
PID 1628 wrote to memory of 4432	1628	cmd.exe	PING.EXE
PID 1628 wrote to memory of 4432	1628	cmd.exe	PING.EXE
PID 1628 wrote to memory of 4432	1628	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\03ea0dfce39b18cae4fe9aa3396f8a3a75a057e545e1cf1472cd167e00fcf03b.exe
"C:\Users\Admin\AppData\Local\Temp\03ea0dfce39b18cae4fe9aa3396f8a3a75a057e545e1cf1472cd167e00fcf03b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tadqtwp.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1628

C:\Users\Admin\AppData\Local\Temp\qbxbhw.exe
"C:\Users\Admin\AppData\Local\Temp\qbxbhw.exe"
3⤵
- Executes dropped EXE
PID:4164

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:4432

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ollbod.bat

Filesize
188B

MD5
016fef7bf2009a296a796f3e0b2676bd

SHA1
3fda42d6782e4463b66bdb68c3c3513e6fbc939c

SHA256
908f238cc8ff86fd6ded6186a22d2d3f4d0dce40753920cb632a5e0b552e4c58

SHA512
1128ebe113fbc1c0707c2c15339f94018d9c0dd20307014a5d831f65350d9d50611866aab339c50604abab18d879f1c227d1179844a4698c9aa30181891a6cb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\qbxbhw.exe

Filesize
180KB

MD5
f171b2d1b8ebd9e0188f5a04e4925afd

SHA1
c594087d447c3745eba7f457aa11baf0db9dafef

SHA256
47381c94b86bc7e005d52d9cb2afa01a4c9b891b5c81228823d7cb76403a9b19

SHA512
31056fc2b598c0166833142ab126e9853b3cc1cfaf46bd27853768c44ab577c5f7631a21efdb90dcc0671a0ef412aaf8b120351d75886e4c83b76898e5c3160d

Download Submit
C:\Users\Admin\AppData\Local\Temp\qbxbhw.exe

Filesize
180KB

MD5
f171b2d1b8ebd9e0188f5a04e4925afd

SHA1
c594087d447c3745eba7f457aa11baf0db9dafef

SHA256
47381c94b86bc7e005d52d9cb2afa01a4c9b891b5c81228823d7cb76403a9b19

SHA512
31056fc2b598c0166833142ab126e9853b3cc1cfaf46bd27853768c44ab577c5f7631a21efdb90dcc0671a0ef412aaf8b120351d75886e4c83b76898e5c3160d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tadqtwp.bat

Filesize
124B

MD5
a6129c3415a1a0a8d26196b3a5e56698

SHA1
cf6dd1afca7110fea9c189df896541af319e6462

SHA256
e80d7e4c79cebbc4c35f0b316a99b554bb3a3600293380b86101407d2c98675e

SHA512
217d5ffee3ce7f4ecd25698052b3b9eb00002528de74521b840a146f703e1a93c9653dc7d6d28327b51207576fc6bf633571e584118c25af7979573d5a0de475

Download Submit
memory/1628-132-0x0000000000000000-mapping.dmp

Download
memory/4164-135-0x0000000000000000-mapping.dmp

Download
memory/4432-138-0x0000000000000000-mapping.dmp

Download