0270b007e6de08e544cc33308d6fe72f3ceeb653fd9b30025ee92fe057f9d0db

Analysis

max time kernel
152s
max time network
158s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 19:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0270b007e6de08e544cc33308d6fe72f3ceeb653fd9b30025ee92fe057f9d0db.exe
Size

639KB
MD5

7dfe5c3f939f8afc1afb3df143f9c163
SHA1

6a4d73f8d3679bd5cdfc8ab83c3c79c62f52d09f
SHA256

0270b007e6de08e544cc33308d6fe72f3ceeb653fd9b30025ee92fe057f9d0db
SHA512

ed25c2616461f04975c5d989044ca564bf6b1abe7961e8ed8838ebb8610e2fa1572778f800fa1902a32535bb71ba8cdeacdf991ac66278fa74e8ffdf3d808250
SSDEEP

12288:b7147s9Tc5jXJrep2+RfrN1wMknfSvV8EDYSf4lBDDkiu:b7/AJXJreXRfringVZYLlBDDG

Score

8^/10

upx

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
1104	RS1.exe
1208	FTvrst.exe
1972	audidog.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1296-55-0x0000000000400000-0x0000000000560000-memory.dmp	upx
behavioral1/memory/1296-61-0x0000000000400000-0x0000000000560000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
1104	RS1.exe
1104	RS1.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

pid	Process
1104	RS1.exe
1104	RS1.exe
1104	RS1.exe
1104	RS1.exe
1104	RS1.exe
1104	RS1.exe
1104	RS1.exe
1104	RS1.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\DNomb\FTvrst.exe	RS1.exe
File created	C:\WINDOWS\DNomb\audidog.exe	RS1.exe
File created	C:\Windows\DNomb\Mpec.mbt	0270b007e6de08e544cc33308d6fe72f3ceeb653fd9b30025ee92fe057f9d0db.exe
File opened for modification	C:\Windows\DNomb\Mpec.mbt	0270b007e6de08e544cc33308d6fe72f3ceeb653fd9b30025ee92fe057f9d0db.exe
File created	C:\WINDOWS\Djltp.txt	RS1.exe
File created	C:\WINDOWS\DNomb\Mpec.mbt	RS1.exe
File created	C:\WINDOWS\DNomb\spolsvt.exe	RS1.exe
File created	C:\WINDOWS\DNomb\FTvrst.exe	RS1.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1296	0270b007e6de08e544cc33308d6fe72f3ceeb653fd9b30025ee92fe057f9d0db.exe
1296	0270b007e6de08e544cc33308d6fe72f3ceeb653fd9b30025ee92fe057f9d0db.exe
1104	RS1.exe
1104	RS1.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1104 wrote to memory of 1208	1104	RS1.exe	32
PID 1104 wrote to memory of 1208	1104	RS1.exe	32
PID 1104 wrote to memory of 1208	1104	RS1.exe	32
PID 1104 wrote to memory of 1208	1104	RS1.exe	32
PID 1104 wrote to memory of 1208	1104	RS1.exe	32
PID 1104 wrote to memory of 1208	1104	RS1.exe	32
PID 1104 wrote to memory of 1208	1104	RS1.exe	32
PID 1104 wrote to memory of 1972	1104	RS1.exe	33
PID 1104 wrote to memory of 1972	1104	RS1.exe	33
PID 1104 wrote to memory of 1972	1104	RS1.exe	33
PID 1104 wrote to memory of 1972	1104	RS1.exe	33
PID 1104 wrote to memory of 1972	1104	RS1.exe	33
PID 1104 wrote to memory of 1972	1104	RS1.exe	33
PID 1104 wrote to memory of 1972	1104	RS1.exe	33

C:\Users\Admin\AppData\Local\Temp\0270b007e6de08e544cc33308d6fe72f3ceeb653fd9b30025ee92fe057f9d0db.exe
"C:\Users\Admin\AppData\Local\Temp\0270b007e6de08e544cc33308d6fe72f3ceeb653fd9b30025ee92fe057f9d0db.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1296

C:\Users\Public\Documents\123\RS1.exe
"C:\Users\Public\Documents\123\RS1.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1104
- C:\WINDOWS\DNomb\FTvrst.exe
  C:\WINDOWS\DNomb\FTvrst.exe
  2⤵
  - Executes dropped EXE
  PID:1208
- C:\WINDOWS\DNomb\audidog.exe
  C:\WINDOWS\DNomb\audidog.exe
  2⤵
  - Executes dropped EXE
  PID:1972

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Documents\123\RS1.exe

Filesize
2.2MB

MD5
3a9c682b077bc044b21131216bdf6304

SHA1
afdd419f084b56838c7eb07ff2b28ff9b960e27e

SHA256
8beaa45a7ca8a10127ed2e359be90f856a4ac0b87ed31e57a59aadc58ad94cc8

SHA512
99a2d2ce97a50791ddac4caa359bc335e404ad4f1ec3bdc5e3df6917e9c6eceba2d7c821eb0728e9d0989df1d021625db7ab962c1ebf705f8770090501d64b14

Download Submit
C:\Users\Public\Documents\123\RS1.exe

Filesize
2.2MB

MD5
3a9c682b077bc044b21131216bdf6304

SHA1
afdd419f084b56838c7eb07ff2b28ff9b960e27e

SHA256
8beaa45a7ca8a10127ed2e359be90f856a4ac0b87ed31e57a59aadc58ad94cc8

SHA512
99a2d2ce97a50791ddac4caa359bc335e404ad4f1ec3bdc5e3df6917e9c6eceba2d7c821eb0728e9d0989df1d021625db7ab962c1ebf705f8770090501d64b14

Download Submit
C:\Windows\DNomb\FTvrst.exe

Filesize
2.2MB

MD5
3a9c682b077bc044b21131216bdf6304

SHA1
afdd419f084b56838c7eb07ff2b28ff9b960e27e

SHA256
8beaa45a7ca8a10127ed2e359be90f856a4ac0b87ed31e57a59aadc58ad94cc8

SHA512
99a2d2ce97a50791ddac4caa359bc335e404ad4f1ec3bdc5e3df6917e9c6eceba2d7c821eb0728e9d0989df1d021625db7ab962c1ebf705f8770090501d64b14

Download Submit
C:\Windows\DNomb\audidog.exe

Filesize
2.2MB

MD5
3a9c682b077bc044b21131216bdf6304

SHA1
afdd419f084b56838c7eb07ff2b28ff9b960e27e

SHA256
8beaa45a7ca8a10127ed2e359be90f856a4ac0b87ed31e57a59aadc58ad94cc8

SHA512
99a2d2ce97a50791ddac4caa359bc335e404ad4f1ec3bdc5e3df6917e9c6eceba2d7c821eb0728e9d0989df1d021625db7ab962c1ebf705f8770090501d64b14

Download Submit
\Windows\DNomb\FTvrst.exe

Filesize
2.2MB

MD5
3a9c682b077bc044b21131216bdf6304

SHA1
afdd419f084b56838c7eb07ff2b28ff9b960e27e

SHA256
8beaa45a7ca8a10127ed2e359be90f856a4ac0b87ed31e57a59aadc58ad94cc8

SHA512
99a2d2ce97a50791ddac4caa359bc335e404ad4f1ec3bdc5e3df6917e9c6eceba2d7c821eb0728e9d0989df1d021625db7ab962c1ebf705f8770090501d64b14

Download Submit
\Windows\DNomb\audidog.exe

Filesize
2.2MB

MD5
3a9c682b077bc044b21131216bdf6304

SHA1
afdd419f084b56838c7eb07ff2b28ff9b960e27e

SHA256
8beaa45a7ca8a10127ed2e359be90f856a4ac0b87ed31e57a59aadc58ad94cc8

SHA512
99a2d2ce97a50791ddac4caa359bc335e404ad4f1ec3bdc5e3df6917e9c6eceba2d7c821eb0728e9d0989df1d021625db7ab962c1ebf705f8770090501d64b14

Download Submit
memory/1104-505-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/1104-507-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/1104-470-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/1104-471-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/1104-473-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/1104-474-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/1104-475-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/1104-476-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/1104-477-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/1104-478-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/1104-479-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/1104-482-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/1104-480-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/1104-481-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/1104-483-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/1104-484-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/1104-485-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/1104-486-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/1104-487-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/1104-488-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/1104-489-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/1104-490-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/1104-491-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/1104-492-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/1104-493-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/1104-494-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/1104-495-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/1104-496-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/1104-497-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/1104-498-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/1104-499-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/1104-500-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/1104-501-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/1104-502-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/1104-504-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/1104-503-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/1104-5395-0x0000000000400000-0x0000000000C64000-memory.dmp

Filesize
8.4MB

Download
memory/1104-506-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/1104-513-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/1104-59-0x0000000000400000-0x0000000000C64000-memory.dmp

Filesize
8.4MB

Download
memory/1104-472-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/1104-510-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/1104-511-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/1104-512-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/1104-509-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/1104-514-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/1104-515-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/1104-516-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/1104-517-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/1104-519-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/1104-518-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/1104-520-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/1104-521-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/1104-522-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/1104-524-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/1104-523-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/1104-525-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/1104-526-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/1104-527-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/1104-528-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/1104-1372-0x0000000000400000-0x0000000000C64000-memory.dmp

Filesize
8.4MB

Download
memory/1104-1373-0x0000000000E00000-0x0000000000F00000-memory.dmp

Filesize
1024KB

Download
memory/1104-1375-0x0000000002680000-0x0000000002801000-memory.dmp

Filesize
1.5MB

Download
memory/1104-4192-0x0000000000E00000-0x0000000000F00000-memory.dmp

Filesize
1024KB

Download
memory/1104-4731-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/1104-4732-0x0000000000400000-0x0000000000C64000-memory.dmp

Filesize
8.4MB

Download
memory/1104-4733-0x0000000002AB0000-0x0000000002BB1000-memory.dmp

Filesize
1.0MB

Download
memory/1104-63-0x0000000076D40000-0x0000000076D87000-memory.dmp

Filesize
284KB

Download
memory/1104-508-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/1104-469-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/1104-4738-0x00000000041F0000-0x0000000004A54000-memory.dmp

Filesize
8.4MB

Download
memory/1208-4739-0x0000000000400000-0x0000000000C64000-memory.dmp

Filesize
8.4MB

Download
memory/1208-5890-0x0000000000400000-0x0000000000C64000-memory.dmp

Filesize
8.4MB

Download
memory/1296-56-0x00000000741B1000-0x00000000741B3000-memory.dmp

Filesize
8KB

Download
memory/1296-61-0x0000000000400000-0x0000000000560000-memory.dmp

Filesize
1.4MB

Download
memory/1296-54-0x00000000759C1000-0x00000000759C3000-memory.dmp

Filesize
8KB

Download
memory/1296-55-0x0000000000400000-0x0000000000560000-memory.dmp

Filesize
1.4MB

Download
memory/1972-5337-0x0000000000400000-0x0000000000C64000-memory.dmp

Filesize
8.4MB

Download