cea881fb37156b763e95b6f80bcd3f31def1d1beddd9eb25be836e403cad000c

Analysis

max time kernel
61s
max time network
31s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23/11/2022, 23:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cea881fb37156b763e95b6f80bcd3f31def1d1beddd9eb25be836e403cad000c.exe
Size

264KB
MD5

419319f4763e2402a5dc5987964e360c
SHA1

4767bbbbb789bf35ab61279e17743a19edde8010
SHA256

cea881fb37156b763e95b6f80bcd3f31def1d1beddd9eb25be836e403cad000c
SHA512

b9742f69dcd3aa08be1e9baf87d7589ee0c357630065df596e239224e8cb263c1b1e230252ebfbc854cac063a89dffcb48a34939e36e3b4c38aea128db3eff7b
SSDEEP

3072:GwPv/7MqIuroKz9kO4xDB+HV/R9UZ8Tr6e4CzmMU5goZGj5JAJVTsuZfs:GwPv/7bIYkOEWZ5F4Czmz5goZC+wuZ0

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
676	fbiraq.exe

Deletes itself 1 IoCs

pid	Process
796	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
796	cmd.exe
796	cmd.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
828	PING.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 332 wrote to memory of 796	332	cea881fb37156b763e95b6f80bcd3f31def1d1beddd9eb25be836e403cad000c.exe	28
PID 332 wrote to memory of 796	332	cea881fb37156b763e95b6f80bcd3f31def1d1beddd9eb25be836e403cad000c.exe	28
PID 332 wrote to memory of 796	332	cea881fb37156b763e95b6f80bcd3f31def1d1beddd9eb25be836e403cad000c.exe	28
PID 332 wrote to memory of 796	332	cea881fb37156b763e95b6f80bcd3f31def1d1beddd9eb25be836e403cad000c.exe	28
PID 796 wrote to memory of 676	796	cmd.exe	30
PID 796 wrote to memory of 676	796	cmd.exe	30
PID 796 wrote to memory of 676	796	cmd.exe	30
PID 796 wrote to memory of 676	796	cmd.exe	30
PID 796 wrote to memory of 828	796	cmd.exe	31
PID 796 wrote to memory of 828	796	cmd.exe	31
PID 796 wrote to memory of 828	796	cmd.exe	31
PID 796 wrote to memory of 828	796	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\cea881fb37156b763e95b6f80bcd3f31def1d1beddd9eb25be836e403cad000c.exe
"C:\Users\Admin\AppData\Local\Temp\cea881fb37156b763e95b6f80bcd3f31def1d1beddd9eb25be836e403cad000c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:332
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\gdwwmia.bat
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:796
- - C:\Users\Admin\AppData\Local\Temp\fbiraq.exe
    "C:\Users\Admin\AppData\Local\Temp\fbiraq.exe"
    3⤵
    - Executes dropped EXE
    PID:676
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fbiraq.exe

Filesize
168KB

MD5
2e4089af3168ccac3a17294bb5d7b429

SHA1
3382e4d33a57f088c84929e734130a7ef02c6d2c

SHA256
0407b0d91ea163bbd7bfa5d12ff03235ddb2594294062c2b22755c4bb00d75c1

SHA512
056d35326be3ae2495232a79047e11d4ec5fde659351baccd84d77a61a45da1b3bc5588cb470154d0aa03ee300185056c50de80f40bb38f6fd6c7535df45070b

Download Submit
C:\Users\Admin\AppData\Local\Temp\fbiraq.exe

Filesize
168KB

MD5
2e4089af3168ccac3a17294bb5d7b429

SHA1
3382e4d33a57f088c84929e734130a7ef02c6d2c

SHA256
0407b0d91ea163bbd7bfa5d12ff03235ddb2594294062c2b22755c4bb00d75c1

SHA512
056d35326be3ae2495232a79047e11d4ec5fde659351baccd84d77a61a45da1b3bc5588cb470154d0aa03ee300185056c50de80f40bb38f6fd6c7535df45070b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gdwwmia.bat

Filesize
124B

MD5
1418bdca53adc6d5e2d7455aa83bd74a

SHA1
f2f80ec61c1654d6ae2d849c89e935190e5ba106

SHA256
9bfd1d9d1f5259220759fb3520bdf96b5341f1005773ab815e14ba6617330567

SHA512
4b7c76fa903f152a33c2723177fe4c528b57514d8dd9c5697e75e0aa1730eaeb7e7fd1e9c9542043c8743b34177a8ee0f834b05bf743b00c2128f60aedf4c3fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\xqqtgw.bat

Filesize
188B

MD5
cb7f974984cd400121615274b0798ab1

SHA1
3c09787e7dfb55d2b0e821cda8bb24da3ad58c95

SHA256
f8b61d0e2e819db27da0ec57a6f9ee37d856f1bacc4670790153c55d53f969bb

SHA512
714c8894af805ece74ce4ced399e3b12c47dc6576d7f477591cd47a0f7ed7a262971a7075f6b335615c24e72b26c5ddf73a6dbbecc733694945d7380324cd300

Download Submit
\Users\Admin\AppData\Local\Temp\fbiraq.exe

Filesize
168KB

MD5
2e4089af3168ccac3a17294bb5d7b429

SHA1
3382e4d33a57f088c84929e734130a7ef02c6d2c

SHA256
0407b0d91ea163bbd7bfa5d12ff03235ddb2594294062c2b22755c4bb00d75c1

SHA512
056d35326be3ae2495232a79047e11d4ec5fde659351baccd84d77a61a45da1b3bc5588cb470154d0aa03ee300185056c50de80f40bb38f6fd6c7535df45070b

Download Submit
\Users\Admin\AppData\Local\Temp\fbiraq.exe

Filesize
168KB

MD5
2e4089af3168ccac3a17294bb5d7b429

SHA1
3382e4d33a57f088c84929e734130a7ef02c6d2c

SHA256
0407b0d91ea163bbd7bfa5d12ff03235ddb2594294062c2b22755c4bb00d75c1

SHA512
056d35326be3ae2495232a79047e11d4ec5fde659351baccd84d77a61a45da1b3bc5588cb470154d0aa03ee300185056c50de80f40bb38f6fd6c7535df45070b

Download Submit
memory/332-54-0x00000000767B1000-0x00000000767B3000-memory.dmp

Filesize
8KB

Download