96b7fa8abf7bbea0ec4e2f5b2fcbd4e508169992a3f3f8181c7a54ff23cc122a

Analysis

max time kernel
27s
max time network
31s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
27/11/2022, 04:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

96b7fa8abf7bbea0ec4e2f5b2fcbd4e508169992a3f3f8181c7a54ff23cc122a.exe
Size

416KB
MD5

60e835c2eac74dccf9a1754ace78f721
SHA1

cb7c4cf937d700f742d7f6ecf175fed97541a010
SHA256

96b7fa8abf7bbea0ec4e2f5b2fcbd4e508169992a3f3f8181c7a54ff23cc122a
SHA512

15ca79579aaaa43076bb2b8ff4ac61c39ef82a9e9fd86f2d347d1a115ddac226c5cbbfedf6312f6fe1290c41387f058b3e40731ae7df9892b21108ded991878d
SSDEEP

12288:4geKmqgTzStyJB1MXqSYzP2UbyKitLgX3G:4geKzgvStC1MXqdP2UbyHtLgHG

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1552	SetTaskPathEx.exe
2036	runonce.exe

Deletes itself 1 IoCs

pid	Process
1544	cmd.exe

Loads dropped DLL 3 IoCs

pid	Process
1952	cmd.exe
1952	cmd.exe
1952	cmd.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1720	96b7fa8abf7bbea0ec4e2f5b2fcbd4e508169992a3f3f8181c7a54ff23cc122a.exe
1720	96b7fa8abf7bbea0ec4e2f5b2fcbd4e508169992a3f3f8181c7a54ff23cc122a.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 1952	1720	96b7fa8abf7bbea0ec4e2f5b2fcbd4e508169992a3f3f8181c7a54ff23cc122a.exe	28
PID 1720 wrote to memory of 1952	1720	96b7fa8abf7bbea0ec4e2f5b2fcbd4e508169992a3f3f8181c7a54ff23cc122a.exe	28
PID 1720 wrote to memory of 1952	1720	96b7fa8abf7bbea0ec4e2f5b2fcbd4e508169992a3f3f8181c7a54ff23cc122a.exe	28
PID 1720 wrote to memory of 1952	1720	96b7fa8abf7bbea0ec4e2f5b2fcbd4e508169992a3f3f8181c7a54ff23cc122a.exe	28
PID 1952 wrote to memory of 1552	1952	cmd.exe	30
PID 1952 wrote to memory of 1552	1952	cmd.exe	30
PID 1952 wrote to memory of 1552	1952	cmd.exe	30
PID 1952 wrote to memory of 1552	1952	cmd.exe	30
PID 1952 wrote to memory of 2036	1952	cmd.exe	31
PID 1952 wrote to memory of 2036	1952	cmd.exe	31
PID 1952 wrote to memory of 2036	1952	cmd.exe	31
PID 1952 wrote to memory of 2036	1952	cmd.exe	31
PID 2036 wrote to memory of 304	2036	runonce.exe	32
PID 2036 wrote to memory of 304	2036	runonce.exe	32
PID 2036 wrote to memory of 304	2036	runonce.exe	32
PID 2036 wrote to memory of 304	2036	runonce.exe	32
PID 2036 wrote to memory of 304	2036	runonce.exe	32
PID 2036 wrote to memory of 304	2036	runonce.exe	32
PID 2036 wrote to memory of 304	2036	runonce.exe	32
PID 1720 wrote to memory of 1544	1720	96b7fa8abf7bbea0ec4e2f5b2fcbd4e508169992a3f3f8181c7a54ff23cc122a.exe	34
PID 1720 wrote to memory of 1544	1720	96b7fa8abf7bbea0ec4e2f5b2fcbd4e508169992a3f3f8181c7a54ff23cc122a.exe	34
PID 1720 wrote to memory of 1544	1720	96b7fa8abf7bbea0ec4e2f5b2fcbd4e508169992a3f3f8181c7a54ff23cc122a.exe	34
PID 1720 wrote to memory of 1544	1720	96b7fa8abf7bbea0ec4e2f5b2fcbd4e508169992a3f3f8181c7a54ff23cc122a.exe	34

C:\Users\Admin\AppData\Local\Temp\96b7fa8abf7bbea0ec4e2f5b2fcbd4e508169992a3f3f8181c7a54ff23cc122a.exe
"C:\Users\Admin\AppData\Local\Temp\96b7fa8abf7bbea0ec4e2f5b2fcbd4e508169992a3f3f8181c7a54ff23cc122a.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c %temp%\start.bat
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1952
- - C:\Users\Admin\AppData\Local\Temp\SetTaskPathEx.exe
    C:\Users\Admin\AppData\Local\Temp\SetTaskPathEx.exe runonce.exe AdobeFlash Update updat_.exe a
    3⤵
    - Executes dropped EXE
    PID:1552
- - C:\Users\Admin\AppData\Local\Temp\runonce.exe
    C:\Users\Admin\AppData\Local\Temp\runonce.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2036
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Roaming\AdobeFlash\Update\AutoUpdate.bat
      4⤵
      PID:304
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c %temp%\end.bat "C:\Users\Admin\AppData\Local\Temp\96b7fa8abf7bbea0ec4e2f5b2fcbd4e508169992a3f3f8181c7a54ff23cc122a.exe"
  2⤵
  - Deletes itself
  PID:1544

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Microsoft.Win32.TaskScheduler.dll

Filesize
202KB

MD5
24b83d9a02acf4b10c3fe0e9f7153eef

SHA1
7b1f1163cf5be87c6ca4a6a26c39f4dc31123083

SHA256
289736290471e0b65e72f305b1f56f1fb158caf77b2c5682988ec8c294f8a750

SHA512
73a7add389df898bfc596d57c76bca2afe57d9ab9f17c9aec7bffb085afaef5732f346d00b6b085361891a3b816cf76fe4d341caa02dd9429d15e823763353f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\SetTaskPathEx.exe

Filesize
16KB

MD5
e8037967a601ca1bdda24518af265d59

SHA1
96313339f5ba08b656f515a947feb10c461a2cda

SHA256
aee05c10ab4153e5ca8855f366e6a1437ec1788b7af93d5a9123d0dec362af5d

SHA512
e1e2ec385ff50bb3c0f5509c8438cbf979110b78db04ba6b38f78a06672887db4f13ac617c8faed3f3bc38583cc64a7907314ee1655107e660c913f5ee77d65a

Download Submit
C:\Users\Admin\AppData\Local\Temp\SetTaskPathEx.exe

Filesize
16KB

MD5
e8037967a601ca1bdda24518af265d59

SHA1
96313339f5ba08b656f515a947feb10c461a2cda

SHA256
aee05c10ab4153e5ca8855f366e6a1437ec1788b7af93d5a9123d0dec362af5d

SHA512
e1e2ec385ff50bb3c0f5509c8438cbf979110b78db04ba6b38f78a06672887db4f13ac617c8faed3f3bc38583cc64a7907314ee1655107e660c913f5ee77d65a

Download Submit
C:\Users\Admin\AppData\Local\Temp\end.bat

Filesize
179B

MD5
f75e0f52d8fc139a28d3c77d63d3f67a

SHA1
28eb6e1ce70750b659b7fd833c05bb0d8ff062fd

SHA256
fd4d57e6cfd843e304f902e0a82d889091405ab956f5796f948483b7e8c79fa5

SHA512
7aa3d8eb9de5759c241ad899804f0510cb92040ec55f25256fbc1fa9ad9b5b6898768e811e85771dc4a1da3ab94ea5ecf03a6db72251cf8c2430aab348a74a71

Download Submit
C:\Users\Admin\AppData\Local\Temp\runonce.exe

Filesize
2.0MB

MD5
f6eb8b6a150e085ec88c93963f4bf122

SHA1
145af713b761b86998ac768f8a9504120d815cb9

SHA256
489a3958da038b4888406c8e405e08dc64419b5b25ae876f6dca921750f3b341

SHA512
467720fd6431c6e8e240022e4ec762bcb08b4997400091e7509f2801b47d0d11d606880cb126d1645ce6ae7e48ae7aef8176599e3b96a59c550586b2fda0dda6

Download Submit
C:\Users\Admin\AppData\Local\Temp\runonce.exe

Filesize
2.0MB

MD5
f6eb8b6a150e085ec88c93963f4bf122

SHA1
145af713b761b86998ac768f8a9504120d815cb9

SHA256
489a3958da038b4888406c8e405e08dc64419b5b25ae876f6dca921750f3b341

SHA512
467720fd6431c6e8e240022e4ec762bcb08b4997400091e7509f2801b47d0d11d606880cb126d1645ce6ae7e48ae7aef8176599e3b96a59c550586b2fda0dda6

Download Submit
C:\Users\Admin\AppData\Local\Temp\start.bat

Filesize
93B

MD5
a1021b068be740cd75d2026e475984d4

SHA1
747c3c7985583bb8b3a4a1a1f7eef40a3e62f3d7

SHA256
6b18be05012c98c3a3f53c2d9720b0fc115604541abc4add514c81a5d4ddcca1

SHA512
90561b99fdb8093fe9c8811a4a8b5435b36b6cec4a673d6d9e48086f7a2e1f123ec041e410ac0f4a678096cf9ec87598e047eaaa14a1f11018278affba3ce651

Download Submit
C:\Users\Admin\AppData\Roaming\AdobeFlash\Update\AutoUpdate.bat

Filesize
199B

MD5
fedb3be966284547b81e00b95742221f

SHA1
b591fd3767de7dc8d38060ebd0481e519cb58da3

SHA256
5a6472d6c8b07fd67538db6d41aeffd9ddd38645b7dab00f4c1a74bcb567f43d

SHA512
76dc77d86936c86ea49ecb109903d0d5c7493ea16d4de95493a2d859172e3de0dd30ef3e162fc725e8f0f0f9149617406e484f73c19a1ad9dc965b0e1cd864d9

Download Submit
\Users\Admin\AppData\Local\Temp\SetTaskPathEx.exe

Filesize
16KB

MD5
e8037967a601ca1bdda24518af265d59

SHA1
96313339f5ba08b656f515a947feb10c461a2cda

SHA256
aee05c10ab4153e5ca8855f366e6a1437ec1788b7af93d5a9123d0dec362af5d

SHA512
e1e2ec385ff50bb3c0f5509c8438cbf979110b78db04ba6b38f78a06672887db4f13ac617c8faed3f3bc38583cc64a7907314ee1655107e660c913f5ee77d65a

Download Submit
\Users\Admin\AppData\Local\Temp\runonce.exe

Filesize
2.0MB

MD5
f6eb8b6a150e085ec88c93963f4bf122

SHA1
145af713b761b86998ac768f8a9504120d815cb9

SHA256
489a3958da038b4888406c8e405e08dc64419b5b25ae876f6dca921750f3b341

SHA512
467720fd6431c6e8e240022e4ec762bcb08b4997400091e7509f2801b47d0d11d606880cb126d1645ce6ae7e48ae7aef8176599e3b96a59c550586b2fda0dda6

Download Submit
\Users\Admin\AppData\Local\Temp\runonce.exe

Filesize
2.0MB

MD5
f6eb8b6a150e085ec88c93963f4bf122

SHA1
145af713b761b86998ac768f8a9504120d815cb9

SHA256
489a3958da038b4888406c8e405e08dc64419b5b25ae876f6dca921750f3b341

SHA512
467720fd6431c6e8e240022e4ec762bcb08b4997400091e7509f2801b47d0d11d606880cb126d1645ce6ae7e48ae7aef8176599e3b96a59c550586b2fda0dda6

Download Submit
memory/1552-63-0x000007FEF2F80000-0x000007FEF4016000-memory.dmp

Filesize
16.6MB

Download
memory/1552-62-0x000007FEF4020000-0x000007FEF4A43000-memory.dmp

Filesize
10.1MB

Download
memory/1720-54-0x0000000075DA1000-0x0000000075DA3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads