16169842ccd4d126d088ffd33436afbdc3bca7b42f5abd9048557967b3c96485

Analysis

max time kernel
119s
max time network
154s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
01-09-2023 07:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16169842ccd4d126d088ffd33436afbdc3bca7b42f5abd9048557967b3c96485.exe
Size

15.8MB
MD5

0944a255dc538637d50e4cf57fce37b7
SHA1

2ab7ea8758bfda4b49e0795b91be032838869de6
SHA256

16169842ccd4d126d088ffd33436afbdc3bca7b42f5abd9048557967b3c96485
SHA512

9a212c47ed5995c855ebe681138d7d39ab70ebabd7b043619154d4e09ebd06f760685823dd55d83113482ef4b590c0b66d45f3294e0d9f6ea8663a391755cfd2
SSDEEP

393216:gqDInNQIfnJqbpTpgtMAENecvZPu3eTlMqW4Zko4xzfRo:gqDInqoapd/HvZPu3eJv/54RR

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Deletes itself 1 IoCs

pid	Process
2652	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
2744	ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe

Loads dropped DLL 2 IoCs

pid	Process
1916	16169842ccd4d126d088ffd33436afbdc3bca7b42f5abd9048557967b3c96485.exe
1916	16169842ccd4d126d088ffd33436afbdc3bca7b42f5abd9048557967b3c96485.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1916	16169842ccd4d126d088ffd33436afbdc3bca7b42f5abd9048557967b3c96485.exe
1916	16169842ccd4d126d088ffd33436afbdc3bca7b42f5abd9048557967b3c96485.exe
2744	ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe
2744	ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 2744	1916	16169842ccd4d126d088ffd33436afbdc3bca7b42f5abd9048557967b3c96485.exe	30
PID 1916 wrote to memory of 2744	1916	16169842ccd4d126d088ffd33436afbdc3bca7b42f5abd9048557967b3c96485.exe	30
PID 1916 wrote to memory of 2744	1916	16169842ccd4d126d088ffd33436afbdc3bca7b42f5abd9048557967b3c96485.exe	30
PID 1916 wrote to memory of 2744	1916	16169842ccd4d126d088ffd33436afbdc3bca7b42f5abd9048557967b3c96485.exe	30
PID 1916 wrote to memory of 2652	1916	16169842ccd4d126d088ffd33436afbdc3bca7b42f5abd9048557967b3c96485.exe	31
PID 1916 wrote to memory of 2652	1916	16169842ccd4d126d088ffd33436afbdc3bca7b42f5abd9048557967b3c96485.exe	31
PID 1916 wrote to memory of 2652	1916	16169842ccd4d126d088ffd33436afbdc3bca7b42f5abd9048557967b3c96485.exe	31
PID 1916 wrote to memory of 2652	1916	16169842ccd4d126d088ffd33436afbdc3bca7b42f5abd9048557967b3c96485.exe	31

C:\Users\Admin\AppData\Local\Temp\16169842ccd4d126d088ffd33436afbdc3bca7b42f5abd9048557967b3c96485.exe
"C:\Users\Admin\AppData\Local\Temp\16169842ccd4d126d088ffd33436afbdc3bca7b42f5abd9048557967b3c96485.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Users\Admin\AppData\Local\Temp\ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe
  "C:\Users\Admin\AppData\Local\Temp\ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2744
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tem.vbs"
  2⤵
  - Deletes itself
  PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tem.vbs

Filesize
275B

MD5
91bd26025e951c1b99f8d48edb819892

SHA1
77974198b815daf19ff6e117bc9dab5b693b408d

SHA256
5cd7191d5616f27a6d368e80758a5319c509f7cfd4fc3d33e7997657d2f8405c

SHA512
060a185880eefffe3933a9f2c415beb46f305ed3692466118f38531a2c9b436ed67af887f465b26a09a0d9931b2a846381ad104653cc1fb775ea90823f7db199

Download Submit
C:\Users\Admin\AppData\Local\Temp\ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe

Filesize
15.9MB

MD5
4c81f34433e1fa1179d1d73a329f3490

SHA1
e7cd8be42aae1a8b7910083e6c5f0bd5dd087b72

SHA256
099cf1bf139b83a09e280280ab138abc85e3fb48313acae03b248e142c15962d

SHA512
8763ca0f8a758489435f5eed3720f66e79202e74fd98344c6ae5a4990cc62c561b761d2934d1da2490cdf9eff45ef7dd8810b07391bb64c1da2fa983ae5147ce

Download Submit
\Users\Admin\AppData\Local\Temp\ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe

Filesize
15.9MB

MD5
4c81f34433e1fa1179d1d73a329f3490

SHA1
e7cd8be42aae1a8b7910083e6c5f0bd5dd087b72

SHA256
099cf1bf139b83a09e280280ab138abc85e3fb48313acae03b248e142c15962d

SHA512
8763ca0f8a758489435f5eed3720f66e79202e74fd98344c6ae5a4990cc62c561b761d2934d1da2490cdf9eff45ef7dd8810b07391bb64c1da2fa983ae5147ce

Download Submit
\Users\Admin\AppData\Local\Temp\ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe

Filesize
15.9MB

MD5
4c81f34433e1fa1179d1d73a329f3490

SHA1
e7cd8be42aae1a8b7910083e6c5f0bd5dd087b72

SHA256
099cf1bf139b83a09e280280ab138abc85e3fb48313acae03b248e142c15962d

SHA512
8763ca0f8a758489435f5eed3720f66e79202e74fd98344c6ae5a4990cc62c561b761d2934d1da2490cdf9eff45ef7dd8810b07391bb64c1da2fa983ae5147ce

Download Submit
memory/1916-0-0x0000000000400000-0x00000000022BC000-memory.dmp

Filesize
30.7MB

Download
memory/2744-11-0x0000000000400000-0x00000000022C1000-memory.dmp

Filesize
30.8MB

Download