98ebe202ebf1bfe4c8d49f944c1708728191f93eb12ae98f23ac411b6eeda20e

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
09/10/2023, 15:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

98ebe202ebf1bfe4c8d49f944c1708728191f93eb12ae98f23ac411b6eeda20e.exe
Size

1.6MB
MD5

74b0f8815e3ce8bcaf255bfae2d57eb9
SHA1

b9a8c81c2c8b2b7393f8c59e191abdbc2b958e21
SHA256

98ebe202ebf1bfe4c8d49f944c1708728191f93eb12ae98f23ac411b6eeda20e
SHA512

d192ecad0e0f37d1a3584c29ab7d1ecc24e69f7b52929d6fe0776e421366591c4755baa6dc6e37154f96c94336f38e8682596b2938a4a175b367d23c8b0af47e
SSDEEP

49152:CuWr4tN7MZplxU4vpDWlzUaCsk1cP3h0HWlNZrs:CuWW7MbbYlzUaCrEx0HWlbs

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2960	2Xbd1e19361.exe
2620	faceAImod.exe

Loads dropped DLL 13 IoCs

pid	Process
1456	98ebe202ebf1bfe4c8d49f944c1708728191f93eb12ae98f23ac411b6eeda20e.exe
1456	98ebe202ebf1bfe4c8d49f944c1708728191f93eb12ae98f23ac411b6eeda20e.exe
1456	98ebe202ebf1bfe4c8d49f944c1708728191f93eb12ae98f23ac411b6eeda20e.exe
1456	98ebe202ebf1bfe4c8d49f944c1708728191f93eb12ae98f23ac411b6eeda20e.exe
1456	98ebe202ebf1bfe4c8d49f944c1708728191f93eb12ae98f23ac411b6eeda20e.exe
1456	98ebe202ebf1bfe4c8d49f944c1708728191f93eb12ae98f23ac411b6eeda20e.exe
1456	98ebe202ebf1bfe4c8d49f944c1708728191f93eb12ae98f23ac411b6eeda20e.exe
1456	98ebe202ebf1bfe4c8d49f944c1708728191f93eb12ae98f23ac411b6eeda20e.exe
2620	faceAImod.exe
2620	faceAImod.exe
2620	faceAImod.exe
2620	faceAImod.exe
2620	faceAImod.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2620	faceAImod.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2960	2Xbd1e19361.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1456 wrote to memory of 2960	1456	98ebe202ebf1bfe4c8d49f944c1708728191f93eb12ae98f23ac411b6eeda20e.exe	28
PID 1456 wrote to memory of 2960	1456	98ebe202ebf1bfe4c8d49f944c1708728191f93eb12ae98f23ac411b6eeda20e.exe	28
PID 1456 wrote to memory of 2960	1456	98ebe202ebf1bfe4c8d49f944c1708728191f93eb12ae98f23ac411b6eeda20e.exe	28
PID 1456 wrote to memory of 2960	1456	98ebe202ebf1bfe4c8d49f944c1708728191f93eb12ae98f23ac411b6eeda20e.exe	28
PID 1456 wrote to memory of 2620	1456	98ebe202ebf1bfe4c8d49f944c1708728191f93eb12ae98f23ac411b6eeda20e.exe	29
PID 1456 wrote to memory of 2620	1456	98ebe202ebf1bfe4c8d49f944c1708728191f93eb12ae98f23ac411b6eeda20e.exe	29
PID 1456 wrote to memory of 2620	1456	98ebe202ebf1bfe4c8d49f944c1708728191f93eb12ae98f23ac411b6eeda20e.exe	29
PID 1456 wrote to memory of 2620	1456	98ebe202ebf1bfe4c8d49f944c1708728191f93eb12ae98f23ac411b6eeda20e.exe	29

C:\Users\Admin\AppData\Local\Temp\98ebe202ebf1bfe4c8d49f944c1708728191f93eb12ae98f23ac411b6eeda20e.exe
"C:\Users\Admin\AppData\Local\Temp\98ebe202ebf1bfe4c8d49f944c1708728191f93eb12ae98f23ac411b6eeda20e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1456
- C:\Users\Admin\AppData\Local\Temp\2Xbd1e19361.exe
  "C:\Users\Admin\AppData\Local\Temp\2Xbd1e19361.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2960
- C:\Users\Admin\AppData\Local\Temp\faceAImod.exe
  "C:\Users\Admin\AppData\Local\Temp\faceAImod.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2Xbd1e19361.exe

Filesize
351KB

MD5
630a032f2c69643486c0c3f94eedf9f0

SHA1
f60212e5fd55b480dd230506494872d81f5fad4a

SHA256
3052a3cb3ca756b77a0a9b0b59034fd402f1904964a7e31e790d4367bc6855f0

SHA512
d361a4d931bd55b69c98e3b89eeaed6c733a1471b81eec9ac1113b32cf92d77102e36e55cb93cda9f48cb9bbe2b8b37980ab9e5cf963659ed8ef3db11a7358bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\2Xbd1e19361.exe

Filesize
351KB

MD5
630a032f2c69643486c0c3f94eedf9f0

SHA1
f60212e5fd55b480dd230506494872d81f5fad4a

SHA256
3052a3cb3ca756b77a0a9b0b59034fd402f1904964a7e31e790d4367bc6855f0

SHA512
d361a4d931bd55b69c98e3b89eeaed6c733a1471b81eec9ac1113b32cf92d77102e36e55cb93cda9f48cb9bbe2b8b37980ab9e5cf963659ed8ef3db11a7358bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\2Xbd1e19361.exe

Filesize
351KB

MD5
630a032f2c69643486c0c3f94eedf9f0

SHA1
f60212e5fd55b480dd230506494872d81f5fad4a

SHA256
3052a3cb3ca756b77a0a9b0b59034fd402f1904964a7e31e790d4367bc6855f0

SHA512
d361a4d931bd55b69c98e3b89eeaed6c733a1471b81eec9ac1113b32cf92d77102e36e55cb93cda9f48cb9bbe2b8b37980ab9e5cf963659ed8ef3db11a7358bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\faceAImod.exe

Filesize
182KB

MD5
e82ba2b49496d360b383599b3c6630a9

SHA1
b7f2024848f80aa19b81c91013fec35dfbe32fe7

SHA256
6d2ad184721872cd6cc1de401a0964273205cb65415b29e87289c5e286b0a85d

SHA512
6f75cda806712901c5a754efd4f6322a47c71a85078f5c0fcaf2226dbef1015fad403aacbfe0235fcc687e3b93bb95115f426f5ee9432bbe4653b848a55f21d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\faceAImod.exe

Filesize
182KB

MD5
e82ba2b49496d360b383599b3c6630a9

SHA1
b7f2024848f80aa19b81c91013fec35dfbe32fe7

SHA256
6d2ad184721872cd6cc1de401a0964273205cb65415b29e87289c5e286b0a85d

SHA512
6f75cda806712901c5a754efd4f6322a47c71a85078f5c0fcaf2226dbef1015fad403aacbfe0235fcc687e3b93bb95115f426f5ee9432bbe4653b848a55f21d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\faceAImod.exe

Filesize
182KB

MD5
e82ba2b49496d360b383599b3c6630a9

SHA1
b7f2024848f80aa19b81c91013fec35dfbe32fe7

SHA256
6d2ad184721872cd6cc1de401a0964273205cb65415b29e87289c5e286b0a85d

SHA512
6f75cda806712901c5a754efd4f6322a47c71a85078f5c0fcaf2226dbef1015fad403aacbfe0235fcc687e3b93bb95115f426f5ee9432bbe4653b848a55f21d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi4625.tmp\nsExec.dll

Filesize
7KB

MD5
675c4948e1efc929edcabfe67148eddd

SHA1
f5bdd2c4329ed2732ecfe3423c3cc482606eb28e

SHA256
1076ca39c449ed1a968021b76ef31f22a5692dfafeea29460e8d970a63c59906

SHA512
61737021f86f54279d0a4e35db0d0808e9a55d89784a31d597f2e4b65b7bbeec99aa6c79d65258259130eeda2e5b2820f4f1247777a3010f2dc53e30c612a683

Download Submit
\Users\Admin\AppData\Local\Temp\2Xbd1e19361.exe

Filesize
351KB

MD5
630a032f2c69643486c0c3f94eedf9f0

SHA1
f60212e5fd55b480dd230506494872d81f5fad4a

SHA256
3052a3cb3ca756b77a0a9b0b59034fd402f1904964a7e31e790d4367bc6855f0

SHA512
d361a4d931bd55b69c98e3b89eeaed6c733a1471b81eec9ac1113b32cf92d77102e36e55cb93cda9f48cb9bbe2b8b37980ab9e5cf963659ed8ef3db11a7358bb

Download Submit
\Users\Admin\AppData\Local\Temp\2Xbd1e19361.exe

Filesize
351KB

MD5
630a032f2c69643486c0c3f94eedf9f0

SHA1
f60212e5fd55b480dd230506494872d81f5fad4a

SHA256
3052a3cb3ca756b77a0a9b0b59034fd402f1904964a7e31e790d4367bc6855f0

SHA512
d361a4d931bd55b69c98e3b89eeaed6c733a1471b81eec9ac1113b32cf92d77102e36e55cb93cda9f48cb9bbe2b8b37980ab9e5cf963659ed8ef3db11a7358bb

Download Submit
\Users\Admin\AppData\Local\Temp\2Xbd1e19361.exe

Filesize
351KB

MD5
630a032f2c69643486c0c3f94eedf9f0

SHA1
f60212e5fd55b480dd230506494872d81f5fad4a

SHA256
3052a3cb3ca756b77a0a9b0b59034fd402f1904964a7e31e790d4367bc6855f0

SHA512
d361a4d931bd55b69c98e3b89eeaed6c733a1471b81eec9ac1113b32cf92d77102e36e55cb93cda9f48cb9bbe2b8b37980ab9e5cf963659ed8ef3db11a7358bb

Download Submit
\Users\Admin\AppData\Local\Temp\2Xbd1e19361.exe

Filesize
351KB

MD5
630a032f2c69643486c0c3f94eedf9f0

SHA1
f60212e5fd55b480dd230506494872d81f5fad4a

SHA256
3052a3cb3ca756b77a0a9b0b59034fd402f1904964a7e31e790d4367bc6855f0

SHA512
d361a4d931bd55b69c98e3b89eeaed6c733a1471b81eec9ac1113b32cf92d77102e36e55cb93cda9f48cb9bbe2b8b37980ab9e5cf963659ed8ef3db11a7358bb

Download Submit
\Users\Admin\AppData\Local\Temp\2Xbd1e19361.exe

Filesize
351KB

MD5
630a032f2c69643486c0c3f94eedf9f0

SHA1
f60212e5fd55b480dd230506494872d81f5fad4a

SHA256
3052a3cb3ca756b77a0a9b0b59034fd402f1904964a7e31e790d4367bc6855f0

SHA512
d361a4d931bd55b69c98e3b89eeaed6c733a1471b81eec9ac1113b32cf92d77102e36e55cb93cda9f48cb9bbe2b8b37980ab9e5cf963659ed8ef3db11a7358bb

Download Submit
\Users\Admin\AppData\Local\Temp\faceAImod.exe

Filesize
182KB

MD5
e82ba2b49496d360b383599b3c6630a9

SHA1
b7f2024848f80aa19b81c91013fec35dfbe32fe7

SHA256
6d2ad184721872cd6cc1de401a0964273205cb65415b29e87289c5e286b0a85d

SHA512
6f75cda806712901c5a754efd4f6322a47c71a85078f5c0fcaf2226dbef1015fad403aacbfe0235fcc687e3b93bb95115f426f5ee9432bbe4653b848a55f21d9

Download Submit
\Users\Admin\AppData\Local\Temp\faceAImod.exe

Filesize
182KB

MD5
e82ba2b49496d360b383599b3c6630a9

SHA1
b7f2024848f80aa19b81c91013fec35dfbe32fe7

SHA256
6d2ad184721872cd6cc1de401a0964273205cb65415b29e87289c5e286b0a85d

SHA512
6f75cda806712901c5a754efd4f6322a47c71a85078f5c0fcaf2226dbef1015fad403aacbfe0235fcc687e3b93bb95115f426f5ee9432bbe4653b848a55f21d9

Download Submit
\Users\Admin\AppData\Local\Temp\faceAImod.exe

Filesize
182KB

MD5
e82ba2b49496d360b383599b3c6630a9

SHA1
b7f2024848f80aa19b81c91013fec35dfbe32fe7

SHA256
6d2ad184721872cd6cc1de401a0964273205cb65415b29e87289c5e286b0a85d

SHA512
6f75cda806712901c5a754efd4f6322a47c71a85078f5c0fcaf2226dbef1015fad403aacbfe0235fcc687e3b93bb95115f426f5ee9432bbe4653b848a55f21d9

Download Submit
\Users\Admin\AppData\Local\Temp\nsi4625.tmp\CPUFeatures.dll

Filesize
9KB

MD5
8dbdb1e97b8bb2a24412dd2a8995fb73

SHA1
718f255611dcaca48679d11edcd4ccc4b70558e3

SHA256
4e4099a55fc7243f98b42041ad3052c0f04979597c76b43a4f95fa548bf69ad7

SHA512
db95fb87f3e6b1333b857b26b80bde18b63f7b07e42cd640c310478dd327b4b1ea8a6b6dba8404ba95e3e5217112f169ed900971b409b2eb4033b99b890e5c50

Download Submit
\Users\Admin\AppData\Local\Temp\nsi4625.tmp\nsExec.dll

Filesize
7KB

MD5
675c4948e1efc929edcabfe67148eddd

SHA1
f5bdd2c4329ed2732ecfe3423c3cc482606eb28e

SHA256
1076ca39c449ed1a968021b76ef31f22a5692dfafeea29460e8d970a63c59906

SHA512
61737021f86f54279d0a4e35db0d0808e9a55d89784a31d597f2e4b65b7bbeec99aa6c79d65258259130eeda2e5b2820f4f1247777a3010f2dc53e30c612a683

Download Submit
\Users\Admin\AppData\Local\Temp\nsi4625.tmp\nsExec.dll

Filesize
7KB

MD5
675c4948e1efc929edcabfe67148eddd

SHA1
f5bdd2c4329ed2732ecfe3423c3cc482606eb28e

SHA256
1076ca39c449ed1a968021b76ef31f22a5692dfafeea29460e8d970a63c59906

SHA512
61737021f86f54279d0a4e35db0d0808e9a55d89784a31d597f2e4b65b7bbeec99aa6c79d65258259130eeda2e5b2820f4f1247777a3010f2dc53e30c612a683

Download Submit
\Users\Admin\AppData\Local\Temp\nsi4625.tmp\nsExec.dll

Filesize
7KB

MD5
675c4948e1efc929edcabfe67148eddd

SHA1
f5bdd2c4329ed2732ecfe3423c3cc482606eb28e

SHA256
1076ca39c449ed1a968021b76ef31f22a5692dfafeea29460e8d970a63c59906

SHA512
61737021f86f54279d0a4e35db0d0808e9a55d89784a31d597f2e4b65b7bbeec99aa6c79d65258259130eeda2e5b2820f4f1247777a3010f2dc53e30c612a683

Download Submit
\Users\Admin\AppData\Local\Temp\nsi4625.tmp\nsExec.dll

Filesize
7KB

MD5
675c4948e1efc929edcabfe67148eddd

SHA1
f5bdd2c4329ed2732ecfe3423c3cc482606eb28e

SHA256
1076ca39c449ed1a968021b76ef31f22a5692dfafeea29460e8d970a63c59906

SHA512
61737021f86f54279d0a4e35db0d0808e9a55d89784a31d597f2e4b65b7bbeec99aa6c79d65258259130eeda2e5b2820f4f1247777a3010f2dc53e30c612a683

Download Submit