ffebb11e0554bdc643b74a9c2bf41bef1179ec7f7b38f7bd9dba879995f6dde0

Resubmissions

24-10-2023 11:11

231024-namr9sec72 7

04-05-2023 14:14

230504-rkbpjaeg4z 7

04-05-2023 13:14

230504-qgxbdsed21 7

04-05-2023 13:00

230504-p8zp6aec6v 7

Analysis

max time kernel
2340s
max time network
2332s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
04-05-2023 13:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ffebb11e0554bdc643b74a9c2bf41bef1179ec7f7b38f7bd9dba879995f6dde0.exe
Size

379KB
MD5

5f8df2bcae1b4481ca54d36ed6039871
SHA1

abf4f7df4825124746d2837e844dd15a70ce281f
SHA256

ffebb11e0554bdc643b74a9c2bf41bef1179ec7f7b38f7bd9dba879995f6dde0
SHA512

11bf202a598653453aeb8d2b03bf4e1c54c6939f11265192cb732c509002c5bca650f4326fd804982ff4a6811d2640fc38cf70aab4a8ff8e9b58aea3c9dc4243
SSDEEP

6144:wUot+HVpByFEqugEzjMNSXna+ThijOmKSEY9HUAu3h:wUot2VHyyqBEaUna+Tkq1STHUdR

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
848	ujkj483f2s8wqkkzjco.exe
1292	jnkjrpxv.exe
1004	uxxctxhkklpb.exe

Loads dropped DLL 6 IoCs

pid	Process
1240	ffebb11e0554bdc643b74a9c2bf41bef1179ec7f7b38f7bd9dba879995f6dde0.exe
1240	ffebb11e0554bdc643b74a9c2bf41bef1179ec7f7b38f7bd9dba879995f6dde0.exe
848	ujkj483f2s8wqkkzjco.exe
848	ujkj483f2s8wqkkzjco.exe
1292	jnkjrpxv.exe
1292	jnkjrpxv.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows\CurrentVersion\Run\Interface CardSpace Counter Collector Source = "C:\\nnyffhdbb\\jnkjrpxv.exe"	ujkj483f2s8wqkkzjco.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\nnyffhdbb\ztjaxzu1xitq	ffebb11e0554bdc643b74a9c2bf41bef1179ec7f7b38f7bd9dba879995f6dde0.exe
File created	C:\Windows\nnyffhdbb\ztjaxzu1xitq	ujkj483f2s8wqkkzjco.exe
File created	C:\Windows\nnyffhdbb\ztjaxzu1xitq	jnkjrpxv.exe
File created	C:\Windows\nnyffhdbb\ztjaxzu1xitq	uxxctxhkklpb.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1292	jnkjrpxv.exe
1004	uxxctxhkklpb.exe
1004	uxxctxhkklpb.exe
1004	uxxctxhkklpb.exe
1004	uxxctxhkklpb.exe
1004	uxxctxhkklpb.exe
1004	uxxctxhkklpb.exe
1004	uxxctxhkklpb.exe
1004	uxxctxhkklpb.exe
1004	uxxctxhkklpb.exe
1004	uxxctxhkklpb.exe
1004	uxxctxhkklpb.exe
1004	uxxctxhkklpb.exe
1004	uxxctxhkklpb.exe
1004	uxxctxhkklpb.exe
1004	uxxctxhkklpb.exe
1004	uxxctxhkklpb.exe
1004	uxxctxhkklpb.exe
1004	uxxctxhkklpb.exe
1004	uxxctxhkklpb.exe
1004	uxxctxhkklpb.exe
1004	uxxctxhkklpb.exe
1004	uxxctxhkklpb.exe
1004	uxxctxhkklpb.exe
1004	uxxctxhkklpb.exe
1004	uxxctxhkklpb.exe
1004	uxxctxhkklpb.exe
1004	uxxctxhkklpb.exe
1004	uxxctxhkklpb.exe
1004	uxxctxhkklpb.exe
1004	uxxctxhkklpb.exe
1004	uxxctxhkklpb.exe
1004	uxxctxhkklpb.exe
1004	uxxctxhkklpb.exe
1004	uxxctxhkklpb.exe
1004	uxxctxhkklpb.exe
1004	uxxctxhkklpb.exe
1004	uxxctxhkklpb.exe
1004	uxxctxhkklpb.exe
1004	uxxctxhkklpb.exe
1004	uxxctxhkklpb.exe
1004	uxxctxhkklpb.exe
1004	uxxctxhkklpb.exe
1004	uxxctxhkklpb.exe
1004	uxxctxhkklpb.exe
1004	uxxctxhkklpb.exe
1004	uxxctxhkklpb.exe
1004	uxxctxhkklpb.exe
1004	uxxctxhkklpb.exe
1004	uxxctxhkklpb.exe
1004	uxxctxhkklpb.exe
1004	uxxctxhkklpb.exe
1004	uxxctxhkklpb.exe
1004	uxxctxhkklpb.exe
1004	uxxctxhkklpb.exe
1004	uxxctxhkklpb.exe
1004	uxxctxhkklpb.exe
1004	uxxctxhkklpb.exe
1004	uxxctxhkklpb.exe
1004	uxxctxhkklpb.exe
1004	uxxctxhkklpb.exe
1004	uxxctxhkklpb.exe
1004	uxxctxhkklpb.exe
1004	uxxctxhkklpb.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1240 wrote to memory of 848	1240	ffebb11e0554bdc643b74a9c2bf41bef1179ec7f7b38f7bd9dba879995f6dde0.exe	27
PID 1240 wrote to memory of 848	1240	ffebb11e0554bdc643b74a9c2bf41bef1179ec7f7b38f7bd9dba879995f6dde0.exe	27
PID 1240 wrote to memory of 848	1240	ffebb11e0554bdc643b74a9c2bf41bef1179ec7f7b38f7bd9dba879995f6dde0.exe	27
PID 1240 wrote to memory of 848	1240	ffebb11e0554bdc643b74a9c2bf41bef1179ec7f7b38f7bd9dba879995f6dde0.exe	27
PID 848 wrote to memory of 1292	848	ujkj483f2s8wqkkzjco.exe	28
PID 848 wrote to memory of 1292	848	ujkj483f2s8wqkkzjco.exe	28
PID 848 wrote to memory of 1292	848	ujkj483f2s8wqkkzjco.exe	28
PID 848 wrote to memory of 1292	848	ujkj483f2s8wqkkzjco.exe	28
PID 1292 wrote to memory of 1004	1292	jnkjrpxv.exe	29
PID 1292 wrote to memory of 1004	1292	jnkjrpxv.exe	29
PID 1292 wrote to memory of 1004	1292	jnkjrpxv.exe	29
PID 1292 wrote to memory of 1004	1292	jnkjrpxv.exe	29

C:\Users\Admin\AppData\Local\Temp\ffebb11e0554bdc643b74a9c2bf41bef1179ec7f7b38f7bd9dba879995f6dde0.exe
"C:\Users\Admin\AppData\Local\Temp\ffebb11e0554bdc643b74a9c2bf41bef1179ec7f7b38f7bd9dba879995f6dde0.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1240
- C:\nnyffhdbb\ujkj483f2s8wqkkzjco.exe
  "C:\nnyffhdbb\ujkj483f2s8wqkkzjco.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:848
- - C:\nnyffhdbb\jnkjrpxv.exe
    "C:\nnyffhdbb\jnkjrpxv.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1292
  - - C:\nnyffhdbb\uxxctxhkklpb.exe
      ckocrpixoc6d "c:\nnyffhdbb\jnkjrpxv.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      PID:1004

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\nnyffhdbb\jnkjrpxv.exe

Filesize
379KB

MD5
5f8df2bcae1b4481ca54d36ed6039871

SHA1
abf4f7df4825124746d2837e844dd15a70ce281f

SHA256
ffebb11e0554bdc643b74a9c2bf41bef1179ec7f7b38f7bd9dba879995f6dde0

SHA512
11bf202a598653453aeb8d2b03bf4e1c54c6939f11265192cb732c509002c5bca650f4326fd804982ff4a6811d2640fc38cf70aab4a8ff8e9b58aea3c9dc4243

Download Submit
C:\nnyffhdbb\ujkj483f2s8wqkkzjco.exe

Filesize
379KB

MD5
5f8df2bcae1b4481ca54d36ed6039871

SHA1
abf4f7df4825124746d2837e844dd15a70ce281f

SHA256
ffebb11e0554bdc643b74a9c2bf41bef1179ec7f7b38f7bd9dba879995f6dde0

SHA512
11bf202a598653453aeb8d2b03bf4e1c54c6939f11265192cb732c509002c5bca650f4326fd804982ff4a6811d2640fc38cf70aab4a8ff8e9b58aea3c9dc4243

Download Submit
C:\nnyffhdbb\ujkj483f2s8wqkkzjco.exe

Filesize
379KB

MD5
5f8df2bcae1b4481ca54d36ed6039871

SHA1
abf4f7df4825124746d2837e844dd15a70ce281f

SHA256
ffebb11e0554bdc643b74a9c2bf41bef1179ec7f7b38f7bd9dba879995f6dde0

SHA512
11bf202a598653453aeb8d2b03bf4e1c54c6939f11265192cb732c509002c5bca650f4326fd804982ff4a6811d2640fc38cf70aab4a8ff8e9b58aea3c9dc4243

Download Submit
C:\nnyffhdbb\uxxctxhkklpb.exe

Filesize
379KB

MD5
5f8df2bcae1b4481ca54d36ed6039871

SHA1
abf4f7df4825124746d2837e844dd15a70ce281f

SHA256
ffebb11e0554bdc643b74a9c2bf41bef1179ec7f7b38f7bd9dba879995f6dde0

SHA512
11bf202a598653453aeb8d2b03bf4e1c54c6939f11265192cb732c509002c5bca650f4326fd804982ff4a6811d2640fc38cf70aab4a8ff8e9b58aea3c9dc4243

Download Submit
C:\nnyffhdbb\ymcsuooylc

Filesize
4B

MD5
3464b02d3d97f1b4a21669b191abc38c

SHA1
4810ddd213dc313d7bbae83bbdcfcd1b4a97a02c

SHA256
bbba72f6aa3153ad883067e1d337fefef796edd6e0b868385345579d16c3de27

SHA512
d9d107a16cccc4018a33c86876a80f7325da7bf1813a325b3df55a1b7d8300bcf36158cc925ccbecf4153a7fc82f8bb6814c0ade0879bc6b8361d10725651bda

Download Submit
C:\nnyffhdbb\ztjaxzu1xitq

Filesize
11B

MD5
bc89882b2acd8bf7ec0e7ccb20630427

SHA1
16bf24823495c3cb8b48f2db956c7f8ad8c13590

SHA256
b6270b86135e287b6dc087720b4b24bd330ddf6c8a668a16176e7dbd7400d7a2

SHA512
35a33e6a43a72b9c290e720785585043698556a24552c6c061d2efacb4b7e87205e54ec83fcd206e47f2d0993b575276e0ae8fb7a7b79f6e6485dc7cdb53c4f2

Download Submit
C:\nnyffhdbb\ztjaxzu1xitq

Filesize
11B

MD5
bc89882b2acd8bf7ec0e7ccb20630427

SHA1
16bf24823495c3cb8b48f2db956c7f8ad8c13590

SHA256
b6270b86135e287b6dc087720b4b24bd330ddf6c8a668a16176e7dbd7400d7a2

SHA512
35a33e6a43a72b9c290e720785585043698556a24552c6c061d2efacb4b7e87205e54ec83fcd206e47f2d0993b575276e0ae8fb7a7b79f6e6485dc7cdb53c4f2

Download Submit
C:\nnyffhdbb\ztjaxzu1xitq

Filesize
11B

MD5
bc89882b2acd8bf7ec0e7ccb20630427

SHA1
16bf24823495c3cb8b48f2db956c7f8ad8c13590

SHA256
b6270b86135e287b6dc087720b4b24bd330ddf6c8a668a16176e7dbd7400d7a2

SHA512
35a33e6a43a72b9c290e720785585043698556a24552c6c061d2efacb4b7e87205e54ec83fcd206e47f2d0993b575276e0ae8fb7a7b79f6e6485dc7cdb53c4f2

Download Submit
C:\nnyffhdbb\ztjaxzu1xitq

Filesize
11B

MD5
bc89882b2acd8bf7ec0e7ccb20630427

SHA1
16bf24823495c3cb8b48f2db956c7f8ad8c13590

SHA256
b6270b86135e287b6dc087720b4b24bd330ddf6c8a668a16176e7dbd7400d7a2

SHA512
35a33e6a43a72b9c290e720785585043698556a24552c6c061d2efacb4b7e87205e54ec83fcd206e47f2d0993b575276e0ae8fb7a7b79f6e6485dc7cdb53c4f2

Download Submit
\??\c:\nnyffhdbb\jnkjrpxv.exe

Filesize
379KB

MD5
5f8df2bcae1b4481ca54d36ed6039871

SHA1
abf4f7df4825124746d2837e844dd15a70ce281f

SHA256
ffebb11e0554bdc643b74a9c2bf41bef1179ec7f7b38f7bd9dba879995f6dde0

SHA512
11bf202a598653453aeb8d2b03bf4e1c54c6939f11265192cb732c509002c5bca650f4326fd804982ff4a6811d2640fc38cf70aab4a8ff8e9b58aea3c9dc4243

Download Submit
\??\c:\nnyffhdbb\ujkj483f2s8wqkkzjco.exe

Filesize
379KB

MD5
5f8df2bcae1b4481ca54d36ed6039871

SHA1
abf4f7df4825124746d2837e844dd15a70ce281f

SHA256
ffebb11e0554bdc643b74a9c2bf41bef1179ec7f7b38f7bd9dba879995f6dde0

SHA512
11bf202a598653453aeb8d2b03bf4e1c54c6939f11265192cb732c509002c5bca650f4326fd804982ff4a6811d2640fc38cf70aab4a8ff8e9b58aea3c9dc4243

Download Submit
\nnyffhdbb\jnkjrpxv.exe

Filesize
379KB

MD5
5f8df2bcae1b4481ca54d36ed6039871

SHA1
abf4f7df4825124746d2837e844dd15a70ce281f

SHA256
ffebb11e0554bdc643b74a9c2bf41bef1179ec7f7b38f7bd9dba879995f6dde0

SHA512
11bf202a598653453aeb8d2b03bf4e1c54c6939f11265192cb732c509002c5bca650f4326fd804982ff4a6811d2640fc38cf70aab4a8ff8e9b58aea3c9dc4243

Download Submit
\nnyffhdbb\jnkjrpxv.exe

Filesize
379KB

MD5
5f8df2bcae1b4481ca54d36ed6039871

SHA1
abf4f7df4825124746d2837e844dd15a70ce281f

SHA256
ffebb11e0554bdc643b74a9c2bf41bef1179ec7f7b38f7bd9dba879995f6dde0

SHA512
11bf202a598653453aeb8d2b03bf4e1c54c6939f11265192cb732c509002c5bca650f4326fd804982ff4a6811d2640fc38cf70aab4a8ff8e9b58aea3c9dc4243

Download Submit
\nnyffhdbb\ujkj483f2s8wqkkzjco.exe

Filesize
379KB

MD5
5f8df2bcae1b4481ca54d36ed6039871

SHA1
abf4f7df4825124746d2837e844dd15a70ce281f

SHA256
ffebb11e0554bdc643b74a9c2bf41bef1179ec7f7b38f7bd9dba879995f6dde0

SHA512
11bf202a598653453aeb8d2b03bf4e1c54c6939f11265192cb732c509002c5bca650f4326fd804982ff4a6811d2640fc38cf70aab4a8ff8e9b58aea3c9dc4243

Download Submit
\nnyffhdbb\ujkj483f2s8wqkkzjco.exe

Filesize
379KB

MD5
5f8df2bcae1b4481ca54d36ed6039871

SHA1
abf4f7df4825124746d2837e844dd15a70ce281f

SHA256
ffebb11e0554bdc643b74a9c2bf41bef1179ec7f7b38f7bd9dba879995f6dde0

SHA512
11bf202a598653453aeb8d2b03bf4e1c54c6939f11265192cb732c509002c5bca650f4326fd804982ff4a6811d2640fc38cf70aab4a8ff8e9b58aea3c9dc4243

Download Submit
\nnyffhdbb\uxxctxhkklpb.exe

Filesize
379KB

MD5
5f8df2bcae1b4481ca54d36ed6039871

SHA1
abf4f7df4825124746d2837e844dd15a70ce281f

SHA256
ffebb11e0554bdc643b74a9c2bf41bef1179ec7f7b38f7bd9dba879995f6dde0

SHA512
11bf202a598653453aeb8d2b03bf4e1c54c6939f11265192cb732c509002c5bca650f4326fd804982ff4a6811d2640fc38cf70aab4a8ff8e9b58aea3c9dc4243

Download Submit
\nnyffhdbb\uxxctxhkklpb.exe

Filesize
379KB

MD5
5f8df2bcae1b4481ca54d36ed6039871

SHA1
abf4f7df4825124746d2837e844dd15a70ce281f

SHA256
ffebb11e0554bdc643b74a9c2bf41bef1179ec7f7b38f7bd9dba879995f6dde0

SHA512
11bf202a598653453aeb8d2b03bf4e1c54c6939f11265192cb732c509002c5bca650f4326fd804982ff4a6811d2640fc38cf70aab4a8ff8e9b58aea3c9dc4243

Download Submit