83403012b1bab36649169a465242170c7419e77d1e9759f109eb22392ddd7eeb

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
09/10/2023, 00:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

83403012b1bab36649169a465242170c7419e77d1e9759f109eb22392ddd7eeb.exe
Size

2.6MB
MD5

cf452457e489d0456e94f9c143287b24
SHA1

f12b5058ca6ecac5f26fd9646da3b3d2a1c03fd1
SHA256

83403012b1bab36649169a465242170c7419e77d1e9759f109eb22392ddd7eeb
SHA512

9c499cdef197e2acac9ae4afc0bb67cd82004387f16ed1913fca70ca3b58a9ce9167c5f9401d881e64a1d603df57706355480b7a4f010729f367fb090959219a
SSDEEP

49152:guo6xKnoY2xMCgsG8KI1rmttJffLCl3kHM1/:q6xKnBZTsGpKrmtffLCl3R1/

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1456	WindowsIT.EXE

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
2028	83403012b1bab36649169a465242170c7419e77d1e9759f109eb22392ddd7eeb.exe
2028	83403012b1bab36649169a465242170c7419e77d1e9759f109eb22392ddd7eeb.exe
2028	83403012b1bab36649169a465242170c7419e77d1e9759f109eb22392ddd7eeb.exe
1456	WindowsIT.EXE
1456	WindowsIT.EXE
1456	WindowsIT.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2028	83403012b1bab36649169a465242170c7419e77d1e9759f109eb22392ddd7eeb.exe
2028	83403012b1bab36649169a465242170c7419e77d1e9759f109eb22392ddd7eeb.exe
2028	83403012b1bab36649169a465242170c7419e77d1e9759f109eb22392ddd7eeb.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 1456	2028	83403012b1bab36649169a465242170c7419e77d1e9759f109eb22392ddd7eeb.exe	28
PID 2028 wrote to memory of 1456	2028	83403012b1bab36649169a465242170c7419e77d1e9759f109eb22392ddd7eeb.exe	28
PID 2028 wrote to memory of 1456	2028	83403012b1bab36649169a465242170c7419e77d1e9759f109eb22392ddd7eeb.exe	28
PID 2028 wrote to memory of 1456	2028	83403012b1bab36649169a465242170c7419e77d1e9759f109eb22392ddd7eeb.exe	28

C:\Users\Admin\AppData\Local\Temp\83403012b1bab36649169a465242170c7419e77d1e9759f109eb22392ddd7eeb.exe
"C:\Users\Admin\AppData\Local\Temp\83403012b1bab36649169a465242170c7419e77d1e9759f109eb22392ddd7eeb.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2028
- C:\WindowsIT.EXE
  "C:\WindowsIT.EXE " /service
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:1456

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WindowsIT.EXE

Filesize
2.6MB

MD5
cf452457e489d0456e94f9c143287b24

SHA1
f12b5058ca6ecac5f26fd9646da3b3d2a1c03fd1

SHA256
83403012b1bab36649169a465242170c7419e77d1e9759f109eb22392ddd7eeb

SHA512
9c499cdef197e2acac9ae4afc0bb67cd82004387f16ed1913fca70ca3b58a9ce9167c5f9401d881e64a1d603df57706355480b7a4f010729f367fb090959219a

Download Submit
C:\WindowsIT.EXE

Filesize
2.6MB

MD5
cf452457e489d0456e94f9c143287b24

SHA1
f12b5058ca6ecac5f26fd9646da3b3d2a1c03fd1

SHA256
83403012b1bab36649169a465242170c7419e77d1e9759f109eb22392ddd7eeb

SHA512
9c499cdef197e2acac9ae4afc0bb67cd82004387f16ed1913fca70ca3b58a9ce9167c5f9401d881e64a1d603df57706355480b7a4f010729f367fb090959219a

Download Submit
C:\WindowsIbrc_Server.dat

Filesize
218B

MD5
fc7c14b32d338af40e757510429ddae3

SHA1
6fd47e899f103df8c5d6f0d4355a05153606c45e

SHA256
ba01cb9091a73b34e9902948e527c2de420051ab6c2b3afa3c6d30a871f27476

SHA512
9bee0e9868214a492072c48fcde508e1307d7031bf4200e8be2c25ff8ce7ee60238d6806350fe7de3413c214379effcfb65317382427060fb4b13557a669ac2b

Download Submit
memory/1456-11-0x0000000000400000-0x0000000000968000-memory.dmp

Filesize
5.4MB

Download
memory/1456-13-0x0000000000400000-0x0000000000968000-memory.dmp

Filesize
5.4MB

Download
memory/1456-14-0x00000000002B0000-0x00000000002B8000-memory.dmp

Filesize
32KB

Download
memory/1456-17-0x0000000000400000-0x0000000000968000-memory.dmp

Filesize
5.4MB

Download
memory/2028-2-0x0000000000270000-0x0000000000278000-memory.dmp

Filesize
32KB

Download
memory/2028-10-0x0000000002E00000-0x0000000003368000-memory.dmp

Filesize
5.4MB

Download
memory/2028-0-0x0000000000400000-0x0000000000968000-memory.dmp

Filesize
5.4MB

Download
memory/2028-12-0x0000000002E00000-0x0000000003368000-memory.dmp

Filesize
5.4MB

Download
memory/2028-1-0x0000000000400000-0x0000000000968000-memory.dmp

Filesize
5.4MB

Download
memory/2028-16-0x0000000000400000-0x0000000000968000-memory.dmp

Filesize
5.4MB

Download