Overview

overview

8

Static

static

c2b83546d8...00.exe

windows7-x64

8

c2b83546d8...00.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    47s
  • max time network
    52s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    04-12-2022 01:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c2b83546d82e326171d0076dda3316325ad634a9425e58f659496daf22418800.exe

  • Size

    522KB

  • MD5

    4ec00f2771e10aa8161565beffbf323f

  • SHA1

    23495a5f86f6a2240ccc701a7dbaa5792c6ecd81

  • SHA256

    c2b83546d82e326171d0076dda3316325ad634a9425e58f659496daf22418800

  • SHA512

    fe007ed186449e565823d2399f227b77664db3b74e52b5e76272950300348b77c03a7ee0d27c0178c4d56d8f699733836f55dc50dd963cf95e2994666de1d97d

  • SSDEEP

    3072:bmwYjnHUSIi8ILvftdWd4sDXCiyEu8Zm0S5onyUnTJtJFJCJS45OPRbFz9:q3jnHUSx8afnXO6UhS5SFJCA48PRd9

Score
8/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Deletes itself 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Windows directory 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c2b83546d82e326171d0076dda3316325ad634a9425e58f659496daf22418800.exe
    "C:\Users\Admin\AppData\Local\Temp\c2b83546d82e326171d0076dda3316325ad634a9425e58f659496daf22418800.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:1380
    • C:\Windows\PopeSvr.exe
      C:\Windows\PopeSvr.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      PID:1672
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Windows\Delme.bat
      2⤵
      • Deletes itself
      PID:1232

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\Delme.bat
    Filesize

    248B

    MD5

    11d936f33af6c1ece1a4bb87a7f94d11

    SHA1

    08fd100eb80cefcda272729aedde7feaa2f5d226

    SHA256

    fc56735e1f7cd355db4add3c5eba861817dd3917c9cf525d5679341ca0fece85

    SHA512

    f5dfa2e8ecabd41de62ebf4cb79937ed7cf8f57bc5a30bfa69202f01b1331b0b8ae25ba2894054c0832e68092c45efb88826dee90cb6e3a7b8819c6484f8f6dd

    Download Submit

  • C:\Windows\PopeSvr.exe
    Filesize

    522KB

    MD5

    4ec00f2771e10aa8161565beffbf323f

    SHA1

    23495a5f86f6a2240ccc701a7dbaa5792c6ecd81

    SHA256

    c2b83546d82e326171d0076dda3316325ad634a9425e58f659496daf22418800

    SHA512

    fe007ed186449e565823d2399f227b77664db3b74e52b5e76272950300348b77c03a7ee0d27c0178c4d56d8f699733836f55dc50dd963cf95e2994666de1d97d

    Download Submit

  • C:\Windows\PopeSvr.exe
    Filesize

    522KB

    MD5

    4ec00f2771e10aa8161565beffbf323f

    SHA1

    23495a5f86f6a2240ccc701a7dbaa5792c6ecd81

    SHA256

    c2b83546d82e326171d0076dda3316325ad634a9425e58f659496daf22418800

    SHA512

    fe007ed186449e565823d2399f227b77664db3b74e52b5e76272950300348b77c03a7ee0d27c0178c4d56d8f699733836f55dc50dd963cf95e2994666de1d97d

    Download Submit

  • memory/1232-57-0x0000000000000000-mapping.dmp

    Download

  • memory/1380-58-0x0000000000400000-0x0000000000465500-memory.dmp

    Filesize

    405KB

    Download

  • memory/1672-54-0x0000000000000000-mapping.dmp

    Download

  • memory/1672-60-0x0000000000400000-0x0000000000465500-memory.dmp

    Filesize

    405KB

    Download