f6f6e803f81be14cffe47666978202661ea26791cad5e68717c9daae583405f7

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
09-10-2023 00:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f6f6e803f81be14cffe47666978202661ea26791cad5e68717c9daae583405f7.exe
Size

2.6MB
MD5

3a6e8875064d719770b270e5437ce141
SHA1

57c1c28d42b9f1c7550ded4b0ccfb63913d441e0
SHA256

f6f6e803f81be14cffe47666978202661ea26791cad5e68717c9daae583405f7
SHA512

2a062be471c4554d14ba72a9b3cb900ed8a75c58def48b18c90d6a4db6111edd229b79a54ce405330ee5dd1cb536fec79bd11e4df6a7f5abf5e3651c62fd1837
SSDEEP

49152:JeFaVwL5NVFghgVaEyDythI8HK7noTBHSZLK0BoF3y5i6d:uay9XvMlDkhI84eHSZNBoF3X6d

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2284	WindowsIT.EXE

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
3064	f6f6e803f81be14cffe47666978202661ea26791cad5e68717c9daae583405f7.exe
3064	f6f6e803f81be14cffe47666978202661ea26791cad5e68717c9daae583405f7.exe
3064	f6f6e803f81be14cffe47666978202661ea26791cad5e68717c9daae583405f7.exe
2284	WindowsIT.EXE
2284	WindowsIT.EXE
2284	WindowsIT.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3064	f6f6e803f81be14cffe47666978202661ea26791cad5e68717c9daae583405f7.exe
3064	f6f6e803f81be14cffe47666978202661ea26791cad5e68717c9daae583405f7.exe
3064	f6f6e803f81be14cffe47666978202661ea26791cad5e68717c9daae583405f7.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 2284	3064	f6f6e803f81be14cffe47666978202661ea26791cad5e68717c9daae583405f7.exe	28
PID 3064 wrote to memory of 2284	3064	f6f6e803f81be14cffe47666978202661ea26791cad5e68717c9daae583405f7.exe	28
PID 3064 wrote to memory of 2284	3064	f6f6e803f81be14cffe47666978202661ea26791cad5e68717c9daae583405f7.exe	28
PID 3064 wrote to memory of 2284	3064	f6f6e803f81be14cffe47666978202661ea26791cad5e68717c9daae583405f7.exe	28

C:\Users\Admin\AppData\Local\Temp\f6f6e803f81be14cffe47666978202661ea26791cad5e68717c9daae583405f7.exe
"C:\Users\Admin\AppData\Local\Temp\f6f6e803f81be14cffe47666978202661ea26791cad5e68717c9daae583405f7.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3064
- C:\WindowsIT.EXE
  "C:\WindowsIT.EXE " /service
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:2284

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WindowsIT.EXE

Filesize
2.6MB

MD5
3a6e8875064d719770b270e5437ce141

SHA1
57c1c28d42b9f1c7550ded4b0ccfb63913d441e0

SHA256
f6f6e803f81be14cffe47666978202661ea26791cad5e68717c9daae583405f7

SHA512
2a062be471c4554d14ba72a9b3cb900ed8a75c58def48b18c90d6a4db6111edd229b79a54ce405330ee5dd1cb536fec79bd11e4df6a7f5abf5e3651c62fd1837

Download Submit
C:\WindowsIT.EXE

Filesize
2.6MB

MD5
3a6e8875064d719770b270e5437ce141

SHA1
57c1c28d42b9f1c7550ded4b0ccfb63913d441e0

SHA256
f6f6e803f81be14cffe47666978202661ea26791cad5e68717c9daae583405f7

SHA512
2a062be471c4554d14ba72a9b3cb900ed8a75c58def48b18c90d6a4db6111edd229b79a54ce405330ee5dd1cb536fec79bd11e4df6a7f5abf5e3651c62fd1837

Download Submit
C:\WindowsIbrc_Server.dat

Filesize
218B

MD5
fc7c14b32d338af40e757510429ddae3

SHA1
6fd47e899f103df8c5d6f0d4355a05153606c45e

SHA256
ba01cb9091a73b34e9902948e527c2de420051ab6c2b3afa3c6d30a871f27476

SHA512
9bee0e9868214a492072c48fcde508e1307d7031bf4200e8be2c25ff8ce7ee60238d6806350fe7de3413c214379effcfb65317382427060fb4b13557a669ac2b

Download Submit
memory/2284-11-0x0000000000400000-0x00000000008ED000-memory.dmp

Filesize
4.9MB

Download
memory/2284-12-0x0000000000400000-0x00000000008ED000-memory.dmp

Filesize
4.9MB

Download
memory/2284-14-0x0000000000230000-0x0000000000238000-memory.dmp

Filesize
32KB

Download
memory/2284-16-0x0000000000400000-0x00000000008ED000-memory.dmp

Filesize
4.9MB

Download
memory/3064-0-0x0000000000400000-0x00000000008ED000-memory.dmp

Filesize
4.9MB

Download
memory/3064-1-0x0000000000400000-0x00000000008ED000-memory.dmp

Filesize
4.9MB

Download
memory/3064-2-0x0000000000230000-0x0000000000238000-memory.dmp

Filesize
32KB

Download
memory/3064-10-0x0000000002B90000-0x000000000307D000-memory.dmp

Filesize
4.9MB

Download
memory/3064-15-0x0000000000400000-0x00000000008ED000-memory.dmp

Filesize
4.9MB

Download