Overview

overview

8

Static

static

c2b83546d8...00.exe

windows7-x64

8

c2b83546d8...00.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-12-2022 01:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c2b83546d82e326171d0076dda3316325ad634a9425e58f659496daf22418800.exe

  • Size

    522KB

  • MD5

    4ec00f2771e10aa8161565beffbf323f

  • SHA1

    23495a5f86f6a2240ccc701a7dbaa5792c6ecd81

  • SHA256

    c2b83546d82e326171d0076dda3316325ad634a9425e58f659496daf22418800

  • SHA512

    fe007ed186449e565823d2399f227b77664db3b74e52b5e76272950300348b77c03a7ee0d27c0178c4d56d8f699733836f55dc50dd963cf95e2994666de1d97d

  • SSDEEP

    3072:bmwYjnHUSIi8ILvftdWd4sDXCiyEu8Zm0S5onyUnTJtJFJCJS45OPRbFz9:q3jnHUSx8afnXO6UhS5SFJCA48PRd9

Score
8/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Windows directory 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c2b83546d82e326171d0076dda3316325ad634a9425e58f659496daf22418800.exe
    "C:\Users\Admin\AppData\Local\Temp\c2b83546d82e326171d0076dda3316325ad634a9425e58f659496daf22418800.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:4876
    • C:\Windows\PopeSvr.exe
      C:\Windows\PopeSvr.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2608
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\Delme.bat
      2⤵
        PID:4376

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\Delme.bat
      Filesize

      248B

      MD5

      11d936f33af6c1ece1a4bb87a7f94d11

      SHA1

      08fd100eb80cefcda272729aedde7feaa2f5d226

      SHA256

      fc56735e1f7cd355db4add3c5eba861817dd3917c9cf525d5679341ca0fece85

      SHA512

      f5dfa2e8ecabd41de62ebf4cb79937ed7cf8f57bc5a30bfa69202f01b1331b0b8ae25ba2894054c0832e68092c45efb88826dee90cb6e3a7b8819c6484f8f6dd

      Download Submit

    • C:\Windows\PopeSvr .dll
      Filesize

      16KB

      MD5

      1ed34734b8c35238b525ac2797bee5fa

      SHA1

      c13467e3671e28b5eaeb83f2c2f414ba5bf810d7

      SHA256

      919858e1cd7fdd386a3bbc1c106594a4774464177643999be264d4114bd36e61

      SHA512

      31e70fc2a03bef8486d7b979fcc0f7826d0d0fb891a571da03a2ce49fa03f01ffe4bb01823f046daa86dc6ea737dcbf5eef3582ecb1b1ac3d07f510fe6b3fbd5

      Download Submit

    • C:\Windows\PopeSvr .dll
      Filesize

      16KB

      MD5

      1ed34734b8c35238b525ac2797bee5fa

      SHA1

      c13467e3671e28b5eaeb83f2c2f414ba5bf810d7

      SHA256

      919858e1cd7fdd386a3bbc1c106594a4774464177643999be264d4114bd36e61

      SHA512

      31e70fc2a03bef8486d7b979fcc0f7826d0d0fb891a571da03a2ce49fa03f01ffe4bb01823f046daa86dc6ea737dcbf5eef3582ecb1b1ac3d07f510fe6b3fbd5

      Download Submit

    • C:\Windows\PopeSvr.exe
      Filesize

      522KB

      MD5

      4ec00f2771e10aa8161565beffbf323f

      SHA1

      23495a5f86f6a2240ccc701a7dbaa5792c6ecd81

      SHA256

      c2b83546d82e326171d0076dda3316325ad634a9425e58f659496daf22418800

      SHA512

      fe007ed186449e565823d2399f227b77664db3b74e52b5e76272950300348b77c03a7ee0d27c0178c4d56d8f699733836f55dc50dd963cf95e2994666de1d97d

      Download Submit

    • C:\Windows\PopeSvr.exe
      Filesize

      522KB

      MD5

      4ec00f2771e10aa8161565beffbf323f

      SHA1

      23495a5f86f6a2240ccc701a7dbaa5792c6ecd81

      SHA256

      c2b83546d82e326171d0076dda3316325ad634a9425e58f659496daf22418800

      SHA512

      fe007ed186449e565823d2399f227b77664db3b74e52b5e76272950300348b77c03a7ee0d27c0178c4d56d8f699733836f55dc50dd963cf95e2994666de1d97d

      Download Submit

    • memory/2608-132-0x0000000000000000-mapping.dmp

      Download

    • memory/2608-137-0x00000000005E1000-0x00000000005E4000-memory.dmp

      Filesize

      12KB

      Download

    • memory/2608-140-0x0000000000400000-0x0000000000465500-memory.dmp

      Filesize

      405KB

      Download

    • memory/4376-138-0x0000000000000000-mapping.dmp

      Download

    • memory/4876-139-0x0000000000400000-0x0000000000465500-memory.dmp

      Filesize

      405KB

      Download