aaae0bb8978d1e2e9555442b0dfab8f73936c461e678f71eee11120abd4d6cfc

Analysis

max time kernel
38s
max time network
48s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
29-11-2022 13:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aaae0bb8978d1e2e9555442b0dfab8f73936c461e678f71eee11120abd4d6cfc.exe
Size

272KB
MD5

508c4c61eb4973549529e385604a110a
SHA1

6fd10a6b43753acdea25f7de6a6a2a07b9558f14
SHA256

aaae0bb8978d1e2e9555442b0dfab8f73936c461e678f71eee11120abd4d6cfc
SHA512

ace05506c6a67c7e42f20c7add07d0d1b29ff53c5b99f0657f4deed5ad6520ede649ac291c2431eaec881d15f36f346ed08245a4764e867e5f0384e092a86931
SSDEEP

3072:AeJecgkgegoBhUq8yUZFWEVsS+bnARWiGi9DB3KLqL2LzJQxdPfA:AeJeGgy2ZEEVsS+MR4i9DB3KZLz6PI

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1764	wiflvd.exe

Deletes itself 1 IoCs

pid	Process
1356	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1356	cmd.exe
1356	cmd.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
808	PING.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1300 wrote to memory of 1356	1300	aaae0bb8978d1e2e9555442b0dfab8f73936c461e678f71eee11120abd4d6cfc.exe	27
PID 1300 wrote to memory of 1356	1300	aaae0bb8978d1e2e9555442b0dfab8f73936c461e678f71eee11120abd4d6cfc.exe	27
PID 1300 wrote to memory of 1356	1300	aaae0bb8978d1e2e9555442b0dfab8f73936c461e678f71eee11120abd4d6cfc.exe	27
PID 1300 wrote to memory of 1356	1300	aaae0bb8978d1e2e9555442b0dfab8f73936c461e678f71eee11120abd4d6cfc.exe	27
PID 1356 wrote to memory of 1764	1356	cmd.exe	29
PID 1356 wrote to memory of 1764	1356	cmd.exe	29
PID 1356 wrote to memory of 1764	1356	cmd.exe	29
PID 1356 wrote to memory of 1764	1356	cmd.exe	29
PID 1356 wrote to memory of 808	1356	cmd.exe	30
PID 1356 wrote to memory of 808	1356	cmd.exe	30
PID 1356 wrote to memory of 808	1356	cmd.exe	30
PID 1356 wrote to memory of 808	1356	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\aaae0bb8978d1e2e9555442b0dfab8f73936c461e678f71eee11120abd4d6cfc.exe
"C:\Users\Admin\AppData\Local\Temp\aaae0bb8978d1e2e9555442b0dfab8f73936c461e678f71eee11120abd4d6cfc.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1300
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\tuqedlv.bat
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1356
- - C:\Users\Admin\AppData\Local\Temp\wiflvd.exe
    "C:\Users\Admin\AppData\Local\Temp\wiflvd.exe"
    3⤵
    - Executes dropped EXE
    PID:1764
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\oijcid.bat

Filesize
188B

MD5
884dd93fdbcc0226ee808840306e1d4b

SHA1
6d9781ae2d40a7ce5e5cf6b0f626764cd5cd2b0a

SHA256
fa317c9a66b34f76f60cb495a40a17b223f28996a8e3d5d69d6bd2a2bb4f3f42

SHA512
3d4a367ab0081be6fc51586ead0f378bcad91a6495445137779fe33d36652f3d4f2618ec9a3ef397acf539f0c59dc1f3d6633704eed8cdfc46dce9006f5d51c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tuqedlv.bat

Filesize
124B

MD5
1e091176fd4cf676f831adeaf037c0ca

SHA1
7a862fe59b951fa52a2d4ebce0322e56b8d222ea

SHA256
3b73c21de706c69c75770bfb201c6759ad2ee1d6f41c411e593b2f44f59dd067

SHA512
93813df94cde0cf172f134876c30f56adacf9b640129f1c1595bd8d870aeeb543fd1914d043435cb823cd93e8b6a5c03b5ca4a7c192633871648efb434532bc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\wiflvd.exe

Filesize
180KB

MD5
ebec0406fee6d02c0bcde13c3964ec89

SHA1
6ae3ac6b1ff23a9914c8f0e9680034dd3ec09503

SHA256
69f75d36810079cd02e26d61e1708c45d99e456906402ffcdf1e7a6295f1e473

SHA512
e513954e1d50743b0b793a376439092ee6460014c474c57ad10fae1481a145508fb2a87f24b0ef350e3a38a42cbcc599062b9bee6da44daa1b87e421ec0197c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\wiflvd.exe

Filesize
180KB

MD5
ebec0406fee6d02c0bcde13c3964ec89

SHA1
6ae3ac6b1ff23a9914c8f0e9680034dd3ec09503

SHA256
69f75d36810079cd02e26d61e1708c45d99e456906402ffcdf1e7a6295f1e473

SHA512
e513954e1d50743b0b793a376439092ee6460014c474c57ad10fae1481a145508fb2a87f24b0ef350e3a38a42cbcc599062b9bee6da44daa1b87e421ec0197c1

Download Submit
\Users\Admin\AppData\Local\Temp\wiflvd.exe

Filesize
180KB

MD5
ebec0406fee6d02c0bcde13c3964ec89

SHA1
6ae3ac6b1ff23a9914c8f0e9680034dd3ec09503

SHA256
69f75d36810079cd02e26d61e1708c45d99e456906402ffcdf1e7a6295f1e473

SHA512
e513954e1d50743b0b793a376439092ee6460014c474c57ad10fae1481a145508fb2a87f24b0ef350e3a38a42cbcc599062b9bee6da44daa1b87e421ec0197c1

Download Submit
\Users\Admin\AppData\Local\Temp\wiflvd.exe

Filesize
180KB

MD5
ebec0406fee6d02c0bcde13c3964ec89

SHA1
6ae3ac6b1ff23a9914c8f0e9680034dd3ec09503

SHA256
69f75d36810079cd02e26d61e1708c45d99e456906402ffcdf1e7a6295f1e473

SHA512
e513954e1d50743b0b793a376439092ee6460014c474c57ad10fae1481a145508fb2a87f24b0ef350e3a38a42cbcc599062b9bee6da44daa1b87e421ec0197c1

Download Submit
memory/1300-54-0x00000000765B1000-0x00000000765B3000-memory.dmp

Filesize
8KB

Download