47d67664a1be8db485396f97c27eb72fd6297764bfd580de51dd1061a76c8259

Analysis

max time kernel
10s
max time network
31s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 23:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

47d67664a1be8db485396f97c27eb72fd6297764bfd580de51dd1061a76c8259.exe
Size

268KB
MD5

347bc6e7989fdecd175d1fbc201a06c9
SHA1

e2d30c75dbd0dac73c19eb7aeb4cf3a2052b8e99
SHA256

47d67664a1be8db485396f97c27eb72fd6297764bfd580de51dd1061a76c8259
SHA512

a89d58652f65b29e915467215583c110c0aca8cc68bd8627fe04ea1e2d02f17dbfaf450c859b815dc301695f77b9c8958b5f01dec3d4bcca2d59e305ed9a5b01
SSDEEP

3072:/nmbO6VMd/ZodoMxAlseuok3flWQmrc4+nv1lWS0xWoGTsuZfH:e66VuA5SseiQQmQ4YvfWS0QpwuZ/

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1000	sbedor.exe

Deletes itself 1 IoCs

pid	Process
2008	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
2008	cmd.exe
2008	cmd.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
332	PING.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 2008	2020	47d67664a1be8db485396f97c27eb72fd6297764bfd580de51dd1061a76c8259.exe	27
PID 2020 wrote to memory of 2008	2020	47d67664a1be8db485396f97c27eb72fd6297764bfd580de51dd1061a76c8259.exe	27
PID 2020 wrote to memory of 2008	2020	47d67664a1be8db485396f97c27eb72fd6297764bfd580de51dd1061a76c8259.exe	27
PID 2020 wrote to memory of 2008	2020	47d67664a1be8db485396f97c27eb72fd6297764bfd580de51dd1061a76c8259.exe	27
PID 2008 wrote to memory of 1000	2008	cmd.exe	29
PID 2008 wrote to memory of 1000	2008	cmd.exe	29
PID 2008 wrote to memory of 1000	2008	cmd.exe	29
PID 2008 wrote to memory of 1000	2008	cmd.exe	29
PID 2008 wrote to memory of 332	2008	cmd.exe	30
PID 2008 wrote to memory of 332	2008	cmd.exe	30
PID 2008 wrote to memory of 332	2008	cmd.exe	30
PID 2008 wrote to memory of 332	2008	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\47d67664a1be8db485396f97c27eb72fd6297764bfd580de51dd1061a76c8259.exe
"C:\Users\Admin\AppData\Local\Temp\47d67664a1be8db485396f97c27eb72fd6297764bfd580de51dd1061a76c8259.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\sgudgnf.bat
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Users\Admin\AppData\Local\Temp\sbedor.exe
    "C:\Users\Admin\AppData\Local\Temp\sbedor.exe"
    3⤵
    - Executes dropped EXE
    PID:1000
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:332

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\klfqsj.bat

Filesize
188B

MD5
6dfce6aee02fe74c9e7d145e505ed1b8

SHA1
59d3a25753bda29d30d19f3f02d78608eca2fc4e

SHA256
ca431d20259911088effd42f1533ef2346740b04586deeb59b0646feb16ee648

SHA512
bb1f3e3789876e0148a8bafc80dcd59a426a88aeae3d71a4ce80b4f58386f4228d06043ef72c831595ea9c378e76d1bcadfaf11636d29568bd0291a9cd4c00fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\sbedor.exe

Filesize
172KB

MD5
7c088b6fa01d2e3e4f694b2d33050364

SHA1
14d4d79f8d6d39cefcbfe5ac1e977f80e5c30d0e

SHA256
fb152b349643334e92a5971f8c104048f7fbb867fa7b16360162aea13137479a

SHA512
257372c1c0dbea6c05155086e540c3e7911d23835a615ee451e460dc4b5273620f5e1d2a6daf57eba1b02da4ab6d03d1b381d03d2371ad4f8819088f6931dd2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\sbedor.exe

Filesize
172KB

MD5
7c088b6fa01d2e3e4f694b2d33050364

SHA1
14d4d79f8d6d39cefcbfe5ac1e977f80e5c30d0e

SHA256
fb152b349643334e92a5971f8c104048f7fbb867fa7b16360162aea13137479a

SHA512
257372c1c0dbea6c05155086e540c3e7911d23835a615ee451e460dc4b5273620f5e1d2a6daf57eba1b02da4ab6d03d1b381d03d2371ad4f8819088f6931dd2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\sgudgnf.bat

Filesize
124B

MD5
26e29cecc0cd4e29bf3e5a464bdd0b77

SHA1
97c2a0f34f698c379050f846ebc003bf366c6b3e

SHA256
071c83ff97d8d5922e1f8256208e98935a0dc1665d0e1ea43c70344371b6866e

SHA512
f269e4c2c067ce5c186ec9d56e6d84b802ebfaefe17908f9def9844703d1c3e1bd34849ee9f125b87503ef1a981efc16b1161ce63006154e5f1c636d2a6495d2

Download Submit
\Users\Admin\AppData\Local\Temp\sbedor.exe

Filesize
172KB

MD5
7c088b6fa01d2e3e4f694b2d33050364

SHA1
14d4d79f8d6d39cefcbfe5ac1e977f80e5c30d0e

SHA256
fb152b349643334e92a5971f8c104048f7fbb867fa7b16360162aea13137479a

SHA512
257372c1c0dbea6c05155086e540c3e7911d23835a615ee451e460dc4b5273620f5e1d2a6daf57eba1b02da4ab6d03d1b381d03d2371ad4f8819088f6931dd2f

Download Submit
\Users\Admin\AppData\Local\Temp\sbedor.exe

Filesize
172KB

MD5
7c088b6fa01d2e3e4f694b2d33050364

SHA1
14d4d79f8d6d39cefcbfe5ac1e977f80e5c30d0e

SHA256
fb152b349643334e92a5971f8c104048f7fbb867fa7b16360162aea13137479a

SHA512
257372c1c0dbea6c05155086e540c3e7911d23835a615ee451e460dc4b5273620f5e1d2a6daf57eba1b02da4ab6d03d1b381d03d2371ad4f8819088f6931dd2f

Download Submit
memory/332-64-0x0000000000000000-mapping.dmp

Download
memory/1000-61-0x0000000000000000-mapping.dmp

Download
memory/2008-55-0x0000000000000000-mapping.dmp

Download
memory/2020-54-0x0000000076691000-0x0000000076693000-memory.dmp

Filesize
8KB

Download