Analysis
-
max time kernel
185s -
max time network
58s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system -
submitted
07/12/2022, 01:26
Static task
static1
Behavioral task
behavioral1
Sample
bcfd19a6967154afd69692cff06341767e0f57adf5e6142f8980a6fb80879825.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
bcfd19a6967154afd69692cff06341767e0f57adf5e6142f8980a6fb80879825.exe
Resource
win10v2004-20221111-en
General
-
Target
bcfd19a6967154afd69692cff06341767e0f57adf5e6142f8980a6fb80879825.exe
-
Size
46KB
-
MD5
51fc1d781070922b5ad5b6daf8640601
-
SHA1
b3b4687879ec41d73501cd8952789cfc7a0a935b
-
SHA256
bcfd19a6967154afd69692cff06341767e0f57adf5e6142f8980a6fb80879825
-
SHA512
edd130fc131c1f6490631be0c421d8d3150e9dcc8bb6104e1d5f6242c3f42140ef8293e0466f69fbae128bc43967aeeb8bb1413731e7ed96942a35cc4969fbb5
-
SSDEEP
768:1A5yubitSZH3PNGh5AEl3DXvBIsR7TZGTOVRp4nrdP5N1CETAgYmi5GIFEEUf:1A5yubitSZlmt1jusiTuGnrp/xAgm5GJ
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
pid   Process
1684  7126765.exe
1588  ixhevftpbb.td
-
Loads dropped DLL 5 IoCs
pid   Process
908   bcfd19a6967154afd69692cff06341767e0f57adf5e6142f8980a6fb80879825.exe
908   bcfd19a6967154afd69692cff06341767e0f57adf5e6142f8980a6fb80879825.exe
1684  7126765.exe
1684  7126765.exe
1980  rundll32.exe
-
Drops file in System32 directory 4 IoCs
description                   ioc                                Process
File created                  C:\Windows\SysWOW64\SetUp.inf      7126765.exe
File opened for modification  C:\Windows\SysWOW64\SetUp.inf      7126765.exe
File created                  C:\Windows\SysWOW64\lauugnjkhb.sd  7126765.exe
File created                  C:\Windows\SysWOW64\ixhevftpbb.td  7126765.exe
-
Drops file in Program Files directory 1 IoCs
description   ioc                                 Process
File created  C:\Program Files (x86)\7126765.exe  bcfd19a6967154afd69692cff06341767e0f57adf5e6142f8980a6fb80879825.exe
-
Drops file in Windows directory 1 IoCs
description   ioc                 Process
File created  C:\windows\run.bat  7126765.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid   Process        entries
1684  7126765.exe    2
1980  rundll32.exe   62
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description               pid   Process
Token: SeDebugPrivilege   1684  7126765.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid   Process
1980  rundll32.exe
-
Suspicious use of WriteProcessMemory 15 IoCs
description                        pid   Process                                                                 procid_target  entries
PID 908 wrote to memory of 1684    908   bcfd19a6967154afd69692cff06341767e0f57adf5e6142f8980a6fb80879825.exe   28             4
PID 1684 wrote to memory of 1588   1684  7126765.exe                                                             29             4
PID 1588 wrote to memory of 1980   1588  ixhevftpbb.td                                                           30             7
-
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\bcfd19a6967154afd69692cff06341767e0f57adf5e6142f8980a6fb80879825.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\bcfd19a6967154afd69692cff06341767e0f57adf5e6142f8980a6fb80879825.exe"
   - Loads dropped DLL
   - Drops file in Program Files directory
   - Suspicious use of WriteProcessMemory
   PID: 908
   2. C:\Program Files (x86)\7126765.exe
      Command line: "C:\Program Files (x86)\7126765.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 1684
      3. C:\Windows\SysWOW64\ixhevftpbb.td
         Command line: C:\Windows\system32\ixhevftpbb.td
         - Executes dropped EXE
         - Suspicious use of WriteProcessMemory
         PID: 1588
         4. C:\Windows\SysWOW64\rundll32.exe
            Command line: rundll32.exe C:\Windows\system32\lauugnjkhb.sd,mymain
            - Loads dropped DLL
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of SetWindowsHookEx
            PID: 1980
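The process tree above is the whole story of this sample in four hops: the submitted dropper writes 7126765.exe directly into the Program Files (x86) root, that binary drops files with non-executable extensions (.sd, .td) into SysWOW64, runs ixhevftpbb.td as a process, and finally launches rundll32.exe against lauugnjkhb.sd with the export mymain, which is where the SetWindowsHookEx and process enumeration come from. Note that the image paths say SysWOW64 while the command lines say system32: on x64 Windows, WOW64 file-system redirection maps a 32-bit process's references to system32 onto SysWOW64, so both spellings name the same dropped files. The script below is an added example, not output of the sandbox or code from the sample, that turns those observations into detection rules and runs them over Sysmon-style process-create and file-create events constructed here to mirror the tree; the ProcEvent/FileEvent structures, the rule names, and the parent PID 500 given to the top-level process are assumptions, while the hashes and paths are taken from this report.

```python
"""Detection rules for the dropper -> disguised-extension -> rundll32 chain in this
report, run over constructed Sysmon-style events (event 1 = process create,
event 11 = file create).  Added example; field layout and rule names are assumed."""
import ntpath
import re
from dataclasses import dataclass

EXEC_EXTENSIONS = {".exe", ".com", ".scr", ".pif"}
DLL_EXTENSIONS = {".dll", ".ocx", ".cpl", ".drv", ".ax"}
PROGRAM_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")

# SHA-256 values copied from the report's General and Downloads sections.
KNOWN_SHA256 = {
    "bcfd19a6967154afd69692cff06341767e0f57adf5e6142f8980a6fb80879825": "submitted sample (46KB)",
    "0e302adce1f4ae8cc52cea6a0c3ea8c8de9e9bf3f71580fc94d2c2e90cf11c96": "dropped file (38KB)",
    "129399ffc83e4b09798763e475694539c9c906203b5f7bd22e4b3efee4da2498": "dropped file (36KB)",
    "59cd2cfaa2111253d8967a423448912f8ab55db9e6ca77a2175c7384bda30e2f": "dropped file (64KB)",
}

@dataclass
class ProcEvent:          # process create, reduced to the fields the rules need
    pid: int
    ppid: int
    image: str
    cmdline: str
    sha256: str = ""

@dataclass
class FileEvent:          # file create: which process image wrote which path
    pid: int
    image: str
    target: str

# rundll32 command line shape:  [path\]rundll32[.exe] <module>,<export> [args]
RUNDLL_RE = re.compile(
    r'^\s*"?(?:[^\s"]*\\)?rundll32(?:\.exe)?"?\s+"?([^,"\s]+)"?\s*,\s*(\S+)', re.I)

def check_disguised_extension(ev):
    """Process image whose extension is not an executable one (ixhevftpbb.td)."""
    ext = ntpath.splitext(ev.image)[1].lower()
    if ext not in EXEC_EXTENSIONS:
        return f"pid {ev.pid}: image {ev.image} runs with non-executable extension '{ext}'"
    return None

def check_rundll32_module(ev):
    """rundll32 handed a module with a non-DLL extension (lauugnjkhb.sd,mymain)."""
    if ntpath.basename(ev.image).lower() != "rundll32.exe":
        return None
    m = RUNDLL_RE.match(ev.cmdline)
    if not m:
        return f"pid {ev.pid}: rundll32 with unparsed command line: {ev.cmdline}"
    module, export = m.group(1), m.group(2)
    ext = ntpath.splitext(module)[1].lower()
    if ext not in DLL_EXTENSIONS:
        return f"pid {ev.pid}: rundll32 loads {module} (extension '{ext}') export {export}"
    return None

def check_known_hash(ev):
    """Exact-match IoC lookup against the hashes published in the report."""
    label = KNOWN_SHA256.get(ev.sha256.lower())
    return f"pid {ev.pid}: image {ev.image} matches IoC: {label}" if label else None

def check_file_drop(fe):
    """Writes under C:\\Windows from a process living outside it, or an executable
    placed directly in a Program Files root instead of a vendor subfolder."""
    target = fe.target.lower()
    if target.startswith("c:\\windows\\") and not fe.image.lower().startswith("c:\\windows\\"):
        return f"pid {fe.pid}: {fe.image} wrote {fe.target} into the Windows directory"
    for root in PROGRAM_ROOTS:
        rest = target[len(root):]
        if (target.startswith(root) and "\\" not in rest
                and ntpath.splitext(rest)[1] in EXEC_EXTENSIONS):
            return f"pid {fe.pid}: {fe.image} dropped executable {fe.target} in Program Files root"
    return None

def process_chain(events, pid):
    """Ancestry of pid rendered as 'parent > child > ...' from image basenames."""
    by_pid = {e.pid: e for e in events}
    names = []
    while pid in by_pid:
        names.append(ntpath.basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return " > ".join(reversed(names))

def analyze(proc_events, file_events):
    alerts = []
    for ev in proc_events:
        for rule in (check_disguised_extension, check_rundll32_module, check_known_hash):
            hit = rule(ev)
            if hit:
                alerts.append(f"{hit}  [chain: {process_chain(proc_events, ev.pid)}]")
    alerts.extend(h for h in map(check_file_drop, file_events) if h)
    return alerts

# Constructed events mirroring the process tree and file drops in the report.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\bcfd19a6967154afd69692cff06341767e0f57adf5e6142f8980a6fb80879825.exe"
DROPPER = r"C:\Program Files (x86)\7126765.exe"
PROC_EVENTS = [
    ProcEvent(908, 500, SAMPLE, f'"{SAMPLE}"',  # ppid 500 is an assumed parent
              "bcfd19a6967154afd69692cff06341767e0f57adf5e6142f8980a6fb80879825"),
    ProcEvent(1684, 908, DROPPER, f'"{DROPPER}"'),
    ProcEvent(1588, 1684, r"C:\Windows\SysWOW64\ixhevftpbb.td", r"C:\Windows\system32\ixhevftpbb.td"),
    ProcEvent(1980, 1588, r"C:\Windows\SysWOW64\rundll32.exe",
              r"rundll32.exe C:\Windows\system32\lauugnjkhb.sd,mymain"),
]
FILE_EVENTS = [
    FileEvent(908, SAMPLE, DROPPER),
    FileEvent(1684, DROPPER, r"C:\Windows\SysWOW64\lauugnjkhb.sd"),
    FileEvent(1684, DROPPER, r"C:\Windows\SysWOW64\ixhevftpbb.td"),
    FileEvent(1684, DROPPER, r"C:\windows\run.bat"),
]

if __name__ == "__main__":
    for line in analyze(PROC_EVENTS, FILE_EVENTS):
        print(line)
```

Run against the constructed events it raises seven alerts: the IoC match on the submitted sample, the .td image, the rundll32 call with a .sd module, the executable dropped in the Program Files (x86) root, and the three writes under C:\Windows by a process that does not live there. The rundll32 and extension rules are the ones worth keeping in production since they do not depend on hashes; tune the Windows-directory rule against installer noise (msiexec, TrustedInstaller) before enabling it broadly.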
Network
MITRE ATT&CK Matrix
Downloads
-
Filesize
38KB
MD5
7ef25ed47310801fc6475e7b435e2526
SHA1
30df1a005370770c30345be4d98f829ac8a6bb4c
SHA256
0e302adce1f4ae8cc52cea6a0c3ea8c8de9e9bf3f71580fc94d2c2e90cf11c96
SHA512
48256a88a778119c02f4b5c3240b6bb377661fa8b11b9b1aafb41e75330940a846909b20ff3d4cc059e3b6fe2690e2be5ef27e996d2f0fcd523182a160a6546b
-
Filesize
36KB
MD5
1dc9eb7e7bd05591046a37987d97fdf8
SHA1
7b9c000f3b410890319b06be44c0b96bfba7f923
SHA256
129399ffc83e4b09798763e475694539c9c906203b5f7bd22e4b3efee4da2498
SHA512
98946c165f5fae1c47b83039191ebbbe4b591590306343eaf33270c04e8b169f5b6e889c106cec1667eed4ccb2ddec58e04f1538a674460c3393dae8ffd197f8
-
Filesize
64KB
MD5
2adf81c083fe7ece03eaa98f3d69e147
SHA1
1707429b0e674f574f7708d7ba84f4539d61ab5f
SHA256
59cd2cfaa2111253d8967a423448912f8ab55db9e6ca77a2175c7384bda30e2f
SHA512
b3b0809dbf55bc529b57d544b49c558814c3cddf7984278d6f45f66639c5912e7e8de2a52cdf59fe2ca07c460c31e9209a1d05223a218afb1433f6e2ecb2733a