cd899575684f4dc1118fdd86a64253630808c4fcb0e6d25baa68a064b745622d

Analysis

max time kernel
7s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29/11/2022, 13:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cd899575684f4dc1118fdd86a64253630808c4fcb0e6d25baa68a064b745622d.exe
Size

276KB
MD5

53dd39c4d07fb82f1f437a679c599716
SHA1

be5cd3e9a44d68a2ffbe044b6837e2d138d3860e
SHA256

cd899575684f4dc1118fdd86a64253630808c4fcb0e6d25baa68a064b745622d
SHA512

f3757f6d1421c70b426a3d087bfc5894b9e25d2fb1f7baa50c49038ee081705309cd65f728da0f8ae461ce815c51aeae2f5468b07418e87f39768c2e748abd70
SSDEEP

3072:+UfJ8XcRk4go4CDIuLgxMgIGrmeUcsTOQMOji7LuPGB5bqJfoMMVdPfi:+UfJ8XFxcLKMtG6eUJyQMOjiSo5wDsPK

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1384	yjijuh.exe

Deletes itself 1 IoCs

pid	Process
1992	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1992	cmd.exe
1992	cmd.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1488	PING.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 872 wrote to memory of 1992	872	cd899575684f4dc1118fdd86a64253630808c4fcb0e6d25baa68a064b745622d.exe	27
PID 872 wrote to memory of 1992	872	cd899575684f4dc1118fdd86a64253630808c4fcb0e6d25baa68a064b745622d.exe	27
PID 872 wrote to memory of 1992	872	cd899575684f4dc1118fdd86a64253630808c4fcb0e6d25baa68a064b745622d.exe	27
PID 872 wrote to memory of 1992	872	cd899575684f4dc1118fdd86a64253630808c4fcb0e6d25baa68a064b745622d.exe	27
PID 1992 wrote to memory of 1384	1992	cmd.exe	29
PID 1992 wrote to memory of 1384	1992	cmd.exe	29
PID 1992 wrote to memory of 1384	1992	cmd.exe	29
PID 1992 wrote to memory of 1384	1992	cmd.exe	29
PID 1992 wrote to memory of 1488	1992	cmd.exe	30
PID 1992 wrote to memory of 1488	1992	cmd.exe	30
PID 1992 wrote to memory of 1488	1992	cmd.exe	30
PID 1992 wrote to memory of 1488	1992	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\cd899575684f4dc1118fdd86a64253630808c4fcb0e6d25baa68a064b745622d.exe
"C:\Users\Admin\AppData\Local\Temp\cd899575684f4dc1118fdd86a64253630808c4fcb0e6d25baa68a064b745622d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:872
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\bdgbied.bat
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1992
- - C:\Users\Admin\AppData\Local\Temp\yjijuh.exe
    "C:\Users\Admin\AppData\Local\Temp\yjijuh.exe"
    3⤵
    - Executes dropped EXE
    PID:1384
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:1488

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bdgbied.bat

Filesize
124B

MD5
0d1bdf62d563f9bf2fc91658d2153f14

SHA1
23b177448cb8ef250997d0f62eae9d1ed1b68c85

SHA256
302bc7aa7012e4ae427295fcbfb55355d4d2311d650348aa40e04d8a96a80275

SHA512
fba257a6db3dc1008d859a658e8b538288caccd7bd21aea7cde92977bb2b0c5242793d21b68a208efbc24679fb2cf355693e17cb4870908a049a3da7c96ed682

Download Submit
C:\Users\Admin\AppData\Local\Temp\yjijuh.exe

Filesize
184KB

MD5
f45ec73d1100e866fa0e19efabdf4584

SHA1
230d6f829ac66f9c8e0201f265e4a118bbda863d

SHA256
e6504ddc9a338f6d9a7424df2fb4a77988adf7a0a2d3734627906bb69fa41cf6

SHA512
dc23f4af22d70d24ef1126c3117a1cb0fbcf70a34a96294a5ce163614377b072c4be7ab26af3b7a749eda1a522fcf0f846e7ff7b3cd17686b17d5076c4ff5322

Download Submit
C:\Users\Admin\AppData\Local\Temp\yjijuh.exe

Filesize
184KB

MD5
f45ec73d1100e866fa0e19efabdf4584

SHA1
230d6f829ac66f9c8e0201f265e4a118bbda863d

SHA256
e6504ddc9a338f6d9a7424df2fb4a77988adf7a0a2d3734627906bb69fa41cf6

SHA512
dc23f4af22d70d24ef1126c3117a1cb0fbcf70a34a96294a5ce163614377b072c4be7ab26af3b7a749eda1a522fcf0f846e7ff7b3cd17686b17d5076c4ff5322

Download Submit
C:\Users\Admin\AppData\Local\Temp\yxicbp.bat

Filesize
188B

MD5
b1dcac657540b7d8e79dfbea56cab55f

SHA1
f8c3154dac01f8bc0a759a4c5599ad4cc9aa35e4

SHA256
8fc0fe480a253e11f6d8c566fb09785508dd4ead68e878475ef050e07e571375

SHA512
cbc59d07a6bc7e8d58f97016fb438a1741b0b06e151ae1a4ac0b74a434cfd0fa1f22841f62bd110f4cb4af302c1f6f17833b4d500d82c13d4c33d105385e5a61

Download Submit
\Users\Admin\AppData\Local\Temp\yjijuh.exe

Filesize
184KB

MD5
f45ec73d1100e866fa0e19efabdf4584

SHA1
230d6f829ac66f9c8e0201f265e4a118bbda863d

SHA256
e6504ddc9a338f6d9a7424df2fb4a77988adf7a0a2d3734627906bb69fa41cf6

SHA512
dc23f4af22d70d24ef1126c3117a1cb0fbcf70a34a96294a5ce163614377b072c4be7ab26af3b7a749eda1a522fcf0f846e7ff7b3cd17686b17d5076c4ff5322

Download Submit
\Users\Admin\AppData\Local\Temp\yjijuh.exe

Filesize
184KB

MD5
f45ec73d1100e866fa0e19efabdf4584

SHA1
230d6f829ac66f9c8e0201f265e4a118bbda863d

SHA256
e6504ddc9a338f6d9a7424df2fb4a77988adf7a0a2d3734627906bb69fa41cf6

SHA512
dc23f4af22d70d24ef1126c3117a1cb0fbcf70a34a96294a5ce163614377b072c4be7ab26af3b7a749eda1a522fcf0f846e7ff7b3cd17686b17d5076c4ff5322

Download Submit
memory/872-54-0x00000000764D1000-0x00000000764D3000-memory.dmp

Filesize
8KB

Download