0be0502ab5b10f04a669b3f58f3f9cf468306102521201802ac2ffbfe4b55abb

Analysis

max time kernel
288s
max time network
304s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2022, 06:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0be0502ab5b10f04a669b3f58f3f9cf468306102521201802ac2ffbfe4b55abb.exe
Size

4.5MB
MD5

0e64e281c8c4c6811872efd5f6eee68a
SHA1

9e710d40a0e189cb1817278ee29a76e37183b13d
SHA256

0be0502ab5b10f04a669b3f58f3f9cf468306102521201802ac2ffbfe4b55abb
SHA512

8d27b4be65cef5dca80cfc6cf17b334efc7d930488f3385d8c12d40fa87a51644819b36b8af80deea08c634cc22c7d672300b135abae6aeda70f06abece192fc
SSDEEP

98304:YjX2TR/+9g+1wLgJf6PD3Nmn7AJEgLYXMKUCCCNYzQEr0WO0Yk84p1bFmL1OVYIl:V1+vJiPD3Nm7AJEgLYX8CNYzQEr0WO0Z

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\CXVYYOKJ\hosts	0be0502abXFER.exe

Executes dropped EXE 1 IoCs

pid	Process
2104	0be0502abXFER.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
4936	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2104	0be0502abXFER.exe
2104	0be0502abXFER.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2104	0be0502abXFER.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4500 wrote to memory of 2104	4500	0be0502ab5b10f04a669b3f58f3f9cf468306102521201802ac2ffbfe4b55abb.exe	80
PID 4500 wrote to memory of 2104	4500	0be0502ab5b10f04a669b3f58f3f9cf468306102521201802ac2ffbfe4b55abb.exe	80
PID 4500 wrote to memory of 2104	4500	0be0502ab5b10f04a669b3f58f3f9cf468306102521201802ac2ffbfe4b55abb.exe	80
PID 2104 wrote to memory of 2288	2104	0be0502abXFER.exe	81
PID 2104 wrote to memory of 2288	2104	0be0502abXFER.exe	81
PID 2104 wrote to memory of 2288	2104	0be0502abXFER.exe	81
PID 2288 wrote to memory of 4936	2288	cmd.exe	85
PID 2288 wrote to memory of 4936	2288	cmd.exe	85
PID 2288 wrote to memory of 4936	2288	cmd.exe	85

C:\Users\Admin\AppData\Local\Temp\0be0502ab5b10f04a669b3f58f3f9cf468306102521201802ac2ffbfe4b55abb.exe
"C:\Users\Admin\AppData\Local\Temp\0be0502ab5b10f04a669b3f58f3f9cf468306102521201802ac2ffbfe4b55abb.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4500
- C:\Users\Admin\AppData\Local\Temp\0be0502abXFER.exe
  -yue
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2104
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ipconfig /flushdns
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2288
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /flushdns
      4⤵
      Gathers network information
      PID:4936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0be0502abXFER.exe

Filesize
4.5MB

MD5
363dce13443ee8f1d235e6950ab608f6

SHA1
53f2cb1eafa7741e8b05d6f48bd7d86b2b0baebe

SHA256
7e80f58a8d6a5332efcd7a3f38ba6cafd8117ab9964cb98e585d5d3163f1f3bd

SHA512
39e7fcfee375b209d7729c97fffd540c60960ae54ff076ee00f6711d6ead347e7aa96cadd0182649a6772f0fdb31f37b74e7580187833c37b84dbce9a6672ca3

Download Submit
C:\Users\Admin\AppData\Local\Temp\0be0502abXFER.exe

Filesize
4.5MB

MD5
363dce13443ee8f1d235e6950ab608f6

SHA1
53f2cb1eafa7741e8b05d6f48bd7d86b2b0baebe

SHA256
7e80f58a8d6a5332efcd7a3f38ba6cafd8117ab9964cb98e585d5d3163f1f3bd

SHA512
39e7fcfee375b209d7729c97fffd540c60960ae54ff076ee00f6711d6ead347e7aa96cadd0182649a6772f0fdb31f37b74e7580187833c37b84dbce9a6672ca3

Download Submit