3b8c6bfc7b0499c459e27e7e7bd628c754cd466f673edd30d5c2ea1fa7b39b3d

Analysis

max time kernel
182s
max time network
59s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
27/11/2022, 00:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b8c6bfc7b0499c459e27e7e7bd628c754cd466f673edd30d5c2ea1fa7b39b3d.exe
Size

2.3MB
MD5

046b6112a936f946e57d77735438a515
SHA1

3a72742d75369ab3888153df7d771600396bf608
SHA256

3b8c6bfc7b0499c459e27e7e7bd628c754cd466f673edd30d5c2ea1fa7b39b3d
SHA512

e077945c275e8492b543664b760fc237ea71ef17613e5a6a70f890babd0f91a9952c118c313ee47a036aa8ab8fed7140bbafcbf7df26e4e63e5bd920b8342988
SSDEEP

49152:s7d8SuMVPl8+BjETaHqBMVypuSndkHoTxsfH/Lhj:s768VP5BjEwq6VyoSnqoTxsfDhj

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1248	_run.exe
1012	_run.tmp
1552	ibvskdvb.exe

Loads dropped DLL 7 IoCs

pid	Process
632	3b8c6bfc7b0499c459e27e7e7bd628c754cd466f673edd30d5c2ea1fa7b39b3d.exe
1248	_run.exe
1012	_run.tmp
1012	_run.tmp
1012	_run.tmp
632	3b8c6bfc7b0499c459e27e7e7bd628c754cd466f673edd30d5c2ea1fa7b39b3d.exe
632	3b8c6bfc7b0499c459e27e7e7bd628c754cd466f673edd30d5c2ea1fa7b39b3d.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1012	_run.tmp

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 632 wrote to memory of 1248	632	3b8c6bfc7b0499c459e27e7e7bd628c754cd466f673edd30d5c2ea1fa7b39b3d.exe	28
PID 632 wrote to memory of 1248	632	3b8c6bfc7b0499c459e27e7e7bd628c754cd466f673edd30d5c2ea1fa7b39b3d.exe	28
PID 632 wrote to memory of 1248	632	3b8c6bfc7b0499c459e27e7e7bd628c754cd466f673edd30d5c2ea1fa7b39b3d.exe	28
PID 632 wrote to memory of 1248	632	3b8c6bfc7b0499c459e27e7e7bd628c754cd466f673edd30d5c2ea1fa7b39b3d.exe	28
PID 632 wrote to memory of 1248	632	3b8c6bfc7b0499c459e27e7e7bd628c754cd466f673edd30d5c2ea1fa7b39b3d.exe	28
PID 632 wrote to memory of 1248	632	3b8c6bfc7b0499c459e27e7e7bd628c754cd466f673edd30d5c2ea1fa7b39b3d.exe	28
PID 632 wrote to memory of 1248	632	3b8c6bfc7b0499c459e27e7e7bd628c754cd466f673edd30d5c2ea1fa7b39b3d.exe	28
PID 1248 wrote to memory of 1012	1248	_run.exe	29
PID 1248 wrote to memory of 1012	1248	_run.exe	29
PID 1248 wrote to memory of 1012	1248	_run.exe	29
PID 1248 wrote to memory of 1012	1248	_run.exe	29
PID 1248 wrote to memory of 1012	1248	_run.exe	29
PID 1248 wrote to memory of 1012	1248	_run.exe	29
PID 1248 wrote to memory of 1012	1248	_run.exe	29
PID 632 wrote to memory of 1552	632	3b8c6bfc7b0499c459e27e7e7bd628c754cd466f673edd30d5c2ea1fa7b39b3d.exe	31
PID 632 wrote to memory of 1552	632	3b8c6bfc7b0499c459e27e7e7bd628c754cd466f673edd30d5c2ea1fa7b39b3d.exe	31
PID 632 wrote to memory of 1552	632	3b8c6bfc7b0499c459e27e7e7bd628c754cd466f673edd30d5c2ea1fa7b39b3d.exe	31
PID 632 wrote to memory of 1552	632	3b8c6bfc7b0499c459e27e7e7bd628c754cd466f673edd30d5c2ea1fa7b39b3d.exe	31

C:\Users\Admin\AppData\Local\Temp\3b8c6bfc7b0499c459e27e7e7bd628c754cd466f673edd30d5c2ea1fa7b39b3d.exe
"C:\Users\Admin\AppData\Local\Temp\3b8c6bfc7b0499c459e27e7e7bd628c754cd466f673edd30d5c2ea1fa7b39b3d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:632
- C:\Users\Admin\AppData\Local\Temp\_run.exe
  "_run.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1248
- - C:\Users\Admin\AppData\Local\Temp\is-JRCPN.tmp\_run.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-JRCPN.tmp\_run.tmp" /SL5="$8001C,769784,140288,C:\Users\Admin\AppData\Local\Temp\_run.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
    PID:1012
- C:\Users\Admin\AppData\Roaming\ibvskdvb.exe
  "C:\Users\Admin\AppData\Roaming\ibvskdvb.exe"
  2⤵
  - Executes dropped EXE
  PID:1552

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_run.exe

Filesize
1.2MB

MD5
bace138d73bf605be5031ca9f7164c49

SHA1
77ede1069aec2e083e3c58e415f98735d0f9c5e3

SHA256
0f7ed7547b5cd88b1501cacd42639d47b4b87e0c6b983d8f7249300a9b29ce4f

SHA512
b0b0c5d53428e9a6f7ea53df1af2b01d423524a5191e2f793278f3585b943b5eb679aca24009b79046442aa85f9e22f73f1867dabe4319286f97a36518179516

Download Submit
C:\Users\Admin\AppData\Local\Temp\_run.exe

Filesize
1.2MB

MD5
bace138d73bf605be5031ca9f7164c49

SHA1
77ede1069aec2e083e3c58e415f98735d0f9c5e3

SHA256
0f7ed7547b5cd88b1501cacd42639d47b4b87e0c6b983d8f7249300a9b29ce4f

SHA512
b0b0c5d53428e9a6f7ea53df1af2b01d423524a5191e2f793278f3585b943b5eb679aca24009b79046442aa85f9e22f73f1867dabe4319286f97a36518179516

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JRCPN.tmp\_run.tmp

Filesize
978KB

MD5
8275aedbc6c673776e3e6f5fe6d3db5a

SHA1
9c7abce3f9fd7c58fa3f73178829c29d2e9903ea

SHA256
e8ff630fec025d77b26f3bc4289c14832afb9d1b81e8745f16bf257d34aab2a3

SHA512
ae30ebb9a01835f96b184fc7e6f8d46b1fe399dcb26db89d5d81be2edcbe793b8cb8e763dcffa56fc20d1d933bcbea5ae15088a20923fd8e2ad6ba3bb73eade4

Download Submit
C:\Users\Admin\AppData\Roaming\ibvskdvb.exe

Filesize
561KB

MD5
32e8fc07631018cba76bcd331ccca990

SHA1
4c58dc1758edcbb7c74e2ec927ab712e300c837a

SHA256
fddf9c90bffdafee550c35bb3c4459f81ea51f1e5ac943d3b0a62db70273e5ce

SHA512
fb26b0a47b869f76eb50a65f759c4c19a5fbae2a9c62e814e7d3fafb5b365c70ce228934ed29d350c291cd8069a57c4b575efc88aabdfe5d6e8666592b7d8ef4

Download Submit
\Users\Admin\AppData\Local\Temp\_run.exe

Filesize
1.2MB

MD5
bace138d73bf605be5031ca9f7164c49

SHA1
77ede1069aec2e083e3c58e415f98735d0f9c5e3

SHA256
0f7ed7547b5cd88b1501cacd42639d47b4b87e0c6b983d8f7249300a9b29ce4f

SHA512
b0b0c5d53428e9a6f7ea53df1af2b01d423524a5191e2f793278f3585b943b5eb679aca24009b79046442aa85f9e22f73f1867dabe4319286f97a36518179516

Download Submit
\Users\Admin\AppData\Local\Temp\is-J5A1M.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-J5A1M.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-J5A1M.tmp\pokergraphics.dll

Filesize
111KB

MD5
b99c95444de7fb1c5516d0929f4fb08d

SHA1
6b08bd74ed8dbabe4a4b35c0a0bf26a89689e096

SHA256
8e40d40fd2e08609e428ebd154b8dab81c46a9bfc7a39cd1f6a96270a4372af7

SHA512
6e494f7871c583975787a0e6946d94dbe12c5fed01d1f7e0f582bb56cbf8704f63652571904fcf75ed53c2426f9597e4db14930e092fdaef7ae092e569a3b364

Download Submit
\Users\Admin\AppData\Local\Temp\is-JRCPN.tmp\_run.tmp

Filesize
978KB

MD5
8275aedbc6c673776e3e6f5fe6d3db5a

SHA1
9c7abce3f9fd7c58fa3f73178829c29d2e9903ea

SHA256
e8ff630fec025d77b26f3bc4289c14832afb9d1b81e8745f16bf257d34aab2a3

SHA512
ae30ebb9a01835f96b184fc7e6f8d46b1fe399dcb26db89d5d81be2edcbe793b8cb8e763dcffa56fc20d1d933bcbea5ae15088a20923fd8e2ad6ba3bb73eade4

Download Submit
\Users\Admin\AppData\Roaming\ibvskdvb.exe

Filesize
561KB

MD5
32e8fc07631018cba76bcd331ccca990

SHA1
4c58dc1758edcbb7c74e2ec927ab712e300c837a

SHA256
fddf9c90bffdafee550c35bb3c4459f81ea51f1e5ac943d3b0a62db70273e5ce

SHA512
fb26b0a47b869f76eb50a65f759c4c19a5fbae2a9c62e814e7d3fafb5b365c70ce228934ed29d350c291cd8069a57c4b575efc88aabdfe5d6e8666592b7d8ef4

Download Submit
\Users\Admin\AppData\Roaming\ibvskdvb.exe

Filesize
561KB

MD5
32e8fc07631018cba76bcd331ccca990

SHA1
4c58dc1758edcbb7c74e2ec927ab712e300c837a

SHA256
fddf9c90bffdafee550c35bb3c4459f81ea51f1e5ac943d3b0a62db70273e5ce

SHA512
fb26b0a47b869f76eb50a65f759c4c19a5fbae2a9c62e814e7d3fafb5b365c70ce228934ed29d350c291cd8069a57c4b575efc88aabdfe5d6e8666592b7d8ef4

Download Submit
memory/632-54-0x0000000075C31000-0x0000000075C33000-memory.dmp

Filesize
8KB

Download
memory/1012-70-0x0000000002070000-0x0000000002091000-memory.dmp

Filesize
132KB

Download
memory/1248-71-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1248-63-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1248-59-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads