Analysis

  • max time kernel
    185s
  • max time network
    58s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/12/2022, 01:26

General

  • Target

    bcfd19a6967154afd69692cff06341767e0f57adf5e6142f8980a6fb80879825.exe

  • Size

    46KB

  • MD5

    51fc1d781070922b5ad5b6daf8640601

  • SHA1

    b3b4687879ec41d73501cd8952789cfc7a0a935b

  • SHA256

    bcfd19a6967154afd69692cff06341767e0f57adf5e6142f8980a6fb80879825

  • SHA512

    edd130fc131c1f6490631be0c421d8d3150e9dcc8bb6104e1d5f6242c3f42140ef8293e0466f69fbae128bc43967aeeb8bb1413731e7ed96942a35cc4969fbb5

  • SSDEEP

    768:1A5yubitSZH3PNGh5AEl3DXvBIsR7TZGTOVRp4nrdP5N1CETAgYmi5GIFEEUf:1A5yubitSZlmt1jusiTuGnrp/xAgm5GJ

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bcfd19a6967154afd69692cff06341767e0f57adf5e6142f8980a6fb80879825.exe
    "C:\Users\Admin\AppData\Local\Temp\bcfd19a6967154afd69692cff06341767e0f57adf5e6142f8980a6fb80879825.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:908
    • C:\Program Files (x86)\7126765.exe
      "C:\Program Files (x86)\7126765.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1684
      • C:\Windows\SysWOW64\ixhevftpbb.td
        C:\Windows\system32\ixhevftpbb.td
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:1588
        • C:\Windows\SysWOW64\rundll32.exe
          rundll32.exe C:\Windows\system32\lauugnjkhb.sd,mymain
          4⤵
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          PID:1980

Network

        MITRE ATT&CK Matrix

        Downloads

        • C:\Program Files (x86)\7126765.exe

          Filesize

          38KB

          MD5

          7ef25ed47310801fc6475e7b435e2526

          SHA1

          30df1a005370770c30345be4d98f829ac8a6bb4c

          SHA256

          0e302adce1f4ae8cc52cea6a0c3ea8c8de9e9bf3f71580fc94d2c2e90cf11c96

          SHA512

          48256a88a778119c02f4b5c3240b6bb377661fa8b11b9b1aafb41e75330940a846909b20ff3d4cc059e3b6fe2690e2be5ef27e996d2f0fcd523182a160a6546b

        • C:\Windows\SysWOW64\ixhevftpbb.td

          Filesize

          36KB

          MD5

          1dc9eb7e7bd05591046a37987d97fdf8

          SHA1

          7b9c000f3b410890319b06be44c0b96bfba7f923

          SHA256

          129399ffc83e4b09798763e475694539c9c906203b5f7bd22e4b3efee4da2498

          SHA512

          98946c165f5fae1c47b83039191ebbbe4b591590306343eaf33270c04e8b169f5b6e889c106cec1667eed4ccb2ddec58e04f1538a674460c3393dae8ffd197f8

        • C:\Windows\SysWOW64\lauugnjkhb.sd

          Filesize

          64KB

          MD5

          2adf81c083fe7ece03eaa98f3d69e147

          SHA1

          1707429b0e674f574f7708d7ba84f4539d61ab5f

          SHA256

          59cd2cfaa2111253d8967a423448912f8ab55db9e6ca77a2175c7384bda30e2f

          SHA512

          b3b0809dbf55bc529b57d544b49c558814c3cddf7984278d6f45f66639c5912e7e8de2a52cdf59fe2ca07c460c31e9209a1d05223a218afb1433f6e2ecb2733a

        • \Program Files (x86)\7126765.exe

          Filesize

          38KB

          MD5

          7ef25ed47310801fc6475e7b435e2526

          SHA1

          30df1a005370770c30345be4d98f829ac8a6bb4c

          SHA256

          0e302adce1f4ae8cc52cea6a0c3ea8c8de9e9bf3f71580fc94d2c2e90cf11c96

          SHA512

          48256a88a778119c02f4b5c3240b6bb377661fa8b11b9b1aafb41e75330940a846909b20ff3d4cc059e3b6fe2690e2be5ef27e996d2f0fcd523182a160a6546b

        • \Windows\SysWOW64\ixhevftpbb.td

          Filesize

          36KB

          MD5

          1dc9eb7e7bd05591046a37987d97fdf8

          SHA1

          7b9c000f3b410890319b06be44c0b96bfba7f923

          SHA256

          129399ffc83e4b09798763e475694539c9c906203b5f7bd22e4b3efee4da2498

          SHA512

          98946c165f5fae1c47b83039191ebbbe4b591590306343eaf33270c04e8b169f5b6e889c106cec1667eed4ccb2ddec58e04f1538a674460c3393dae8ffd197f8

        • \Windows\SysWOW64\lauugnjkhb.sd

          Filesize

          64KB

          MD5

          2adf81c083fe7ece03eaa98f3d69e147

          SHA1

          1707429b0e674f574f7708d7ba84f4539d61ab5f

          SHA256

          59cd2cfaa2111253d8967a423448912f8ab55db9e6ca77a2175c7384bda30e2f

          SHA512

          b3b0809dbf55bc529b57d544b49c558814c3cddf7984278d6f45f66639c5912e7e8de2a52cdf59fe2ca07c460c31e9209a1d05223a218afb1433f6e2ecb2733a

        • memory/908-54-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB

        • memory/908-55-0x00000000751A1000-0x00000000751A3000-memory.dmp

          Filesize

          8KB

        • memory/1684-64-0x0000000000400000-0x0000000000429000-memory.dmp

          Filesize

          164KB