e9df73ff08db56ccdec79085882758c999131f1f275f7460a93a5cf6b4430758

Analysis

max time kernel
149s
max time network
152s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
07-03-2023 11:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

1.1MB
MD5

46d4d96080568562d753844bce9da29a
SHA1

8b48f979e9879fc30299899947e7f13dd4547420
SHA256

e9df73ff08db56ccdec79085882758c999131f1f275f7460a93a5cf6b4430758
SHA512

4f20941a101483d92fb7b3bb88612a5c7e5a06b20bddf5912a0eebb15d863707cbecbbe4587eb8698d87ea13aee4ee85df20c1596371267e5d72d90f0def6cdb
SSDEEP

24576:17kZHTKw4ZL4j/kJ5/c+5ozolSHtn2mKgSNe5FOphi0joI19H:17kH/kJqsS0mK9WOzi0v

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

7102491.zCG

pid process

1060 7102491.zCG
Loads dropped DLL 2 IoCs

Processes:

tmp.exe

pid process

1108 tmp.exe
1108 tmp.exe

Drops file in Windows directory 5 IoCs

Processes:

tmp.exe

description	ioc	process
File created	\??\c:\windows\Fr5d.bat	tmp.exe
File created	C:\Windows\Help\7091509.v7b	tmp.exe
File created	C:\Windows\Help\7100541.w1u	tmp.exe
File created	C:\Windows\Help\7102491.1y1	tmp.exe
File created	C:\Windows\Help\7102491.zCG	tmp.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

tmp.exe

pid	process
1108	tmp.exe
1108	tmp.exe
1108	tmp.exe
1108	tmp.exe
1108	tmp.exe
1108	tmp.exe
1108	tmp.exe
1108	tmp.exe
1108	tmp.exe
1108	tmp.exe
1108	tmp.exe
1108	tmp.exe
1108	tmp.exe
1108	tmp.exe
1108	tmp.exe
1108	tmp.exe
1108	tmp.exe
1108	tmp.exe
1108	tmp.exe
1108	tmp.exe
1108	tmp.exe
1108	tmp.exe
1108	tmp.exe
1108	tmp.exe
1108	tmp.exe
1108	tmp.exe
1108	tmp.exe
1108	tmp.exe
1108	tmp.exe
1108	tmp.exe
1108	tmp.exe
1108	tmp.exe
1108	tmp.exe
1108	tmp.exe
1108	tmp.exe
1108	tmp.exe
1108	tmp.exe
1108	tmp.exe
1108	tmp.exe
1108	tmp.exe
1108	tmp.exe
1108	tmp.exe
1108	tmp.exe
1108	tmp.exe
1108	tmp.exe
1108	tmp.exe
1108	tmp.exe
1108	tmp.exe
1108	tmp.exe
1108	tmp.exe
1108	tmp.exe
1108	tmp.exe
1108	tmp.exe
1108	tmp.exe
1108	tmp.exe
1108	tmp.exe
1108	tmp.exe
1108	tmp.exe
1108	tmp.exe
1108	tmp.exe
1108	tmp.exe
1108	tmp.exe
1108	tmp.exe
1108	tmp.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

7102491.zCG

pid	process
1060	7102491.zCG
1060	7102491.zCG
1060	7102491.zCG
1060	7102491.zCG
1060	7102491.zCG
1060	7102491.zCG
1060	7102491.zCG
1060	7102491.zCG
1060	7102491.zCG
1060	7102491.zCG
1060	7102491.zCG
1060	7102491.zCG

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

tmp.exe

description	pid	process	target process
PID 1108 wrote to memory of 1060	1108	tmp.exe	7102491.zCG
PID 1108 wrote to memory of 1060	1108	tmp.exe	7102491.zCG
PID 1108 wrote to memory of 1060	1108	tmp.exe	7102491.zCG
PID 1108 wrote to memory of 1060	1108	tmp.exe	7102491.zCG

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1108

C:\Windows\Help\7102491.zCG
C:\Windows\Help\7102491.zCG 532A4C47797E747F67634C58757C604C272120222429213E2169215028252854562853265551522227552920535122242052522820512627252729243E6A7960506C2222233E2121233E2124233E2222256C24273E29263E2121223E2224226C
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1060

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NZTPJYNO\858df8c6eab27e90ca240bb80a675794[1].zip

Filesize
931B

MD5
684d63698798838a506ca03acb452302

SHA1
02333b2811dfd586e57cada70e436f88bc70b7d6

SHA256
b42399f101ec1710e13c32f2be9b22d0fd344dd904fa3f40a658c7594515ce7a

SHA512
4070f94519f11ba75d5f75ad47b7eb1a65adffac6884179b58f5c65c6a6c04f849d54669ffe3b00f86837dca594f85675e4628df52da9d250803c17fcac836a6

Download Submit
C:\Windows\Help\7102491.zCG

Filesize
904KB

MD5
fa810e84a8a159d3ca4f722a7eb63e3b

SHA1
4059c7e715dc2de9c8aa63fc04f8b3ee8135b3fa

SHA256
7fdb7a3425d5d638183e32b3944d0763debdb6221c8f8f49156ab37b5118bbbc

SHA512
4f5c41c4251eb069f18c84eda7e24042ed2521154b5cbcdbd10b3c70f90d081652d559b6ae4fbef1de0efbee5e64e5fb45e143363d852a9e31ce602e17370903

Download Submit
C:\Windows\Help\7102491.zCG

Filesize
904KB

MD5
fa810e84a8a159d3ca4f722a7eb63e3b

SHA1
4059c7e715dc2de9c8aa63fc04f8b3ee8135b3fa

SHA256
7fdb7a3425d5d638183e32b3944d0763debdb6221c8f8f49156ab37b5118bbbc

SHA512
4f5c41c4251eb069f18c84eda7e24042ed2521154b5cbcdbd10b3c70f90d081652d559b6ae4fbef1de0efbee5e64e5fb45e143363d852a9e31ce602e17370903

Download Submit
\Windows\Help\7102491.zCG

Filesize
904KB

MD5
fa810e84a8a159d3ca4f722a7eb63e3b

SHA1
4059c7e715dc2de9c8aa63fc04f8b3ee8135b3fa

SHA256
7fdb7a3425d5d638183e32b3944d0763debdb6221c8f8f49156ab37b5118bbbc

SHA512
4f5c41c4251eb069f18c84eda7e24042ed2521154b5cbcdbd10b3c70f90d081652d559b6ae4fbef1de0efbee5e64e5fb45e143363d852a9e31ce602e17370903

Download Submit
\Windows\Help\7102491.zCG

Filesize
904KB

MD5
fa810e84a8a159d3ca4f722a7eb63e3b

SHA1
4059c7e715dc2de9c8aa63fc04f8b3ee8135b3fa

SHA256
7fdb7a3425d5d638183e32b3944d0763debdb6221c8f8f49156ab37b5118bbbc

SHA512
4f5c41c4251eb069f18c84eda7e24042ed2521154b5cbcdbd10b3c70f90d081652d559b6ae4fbef1de0efbee5e64e5fb45e143363d852a9e31ce602e17370903

Download Submit