5764aa0b4452f55df2cf7b2cbb05e556b9456328130323333d4d9112f5c89d66

Analysis

max time kernel
119s
max time network
126s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11/10/2023, 19:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d9cf2c981c1e551e0593eeb15c09b618_JC.exe
Size

365KB
MD5

d9cf2c981c1e551e0593eeb15c09b618
SHA1

4d26642add02b0ac8865b0a38c55fa4f2c9e1efa
SHA256

5764aa0b4452f55df2cf7b2cbb05e556b9456328130323333d4d9112f5c89d66
SHA512

94bcc7a314d93786180e7c4a1c25f21163a9e8b50cb62d06679cba904d4d88e90b25f5a9be6adeae91995a11c8d0da23a0441bcc448cdd5d6d19c4c7702515f2
SSDEEP

6144:EgAHz0y4BJz6fK0l6x+zBPkEl4R/l/z1SszzDH:EgAHz03BUC0lfBkxR9/zxLH

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1620	KPLZYVS.exe
2100	FDAKGI.exe
2696	KIFRYX.exe
2468	PIZXQLM.exe

Loads dropped DLL 2 IoCs

pid	Process
2172	cmd.exe
2172	cmd.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\windows\SysWOW64\PIZXQLM.exe	KIFRYX.exe
File opened for modification	C:\windows\SysWOW64\PIZXQLM.exe	KIFRYX.exe
File created	C:\windows\SysWOW64\PIZXQLM.exe.bat	KIFRYX.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\windows\FDAKGI.exe	KPLZYVS.exe
File opened for modification	C:\windows\FDAKGI.exe	KPLZYVS.exe
File created	C:\windows\KIFRYX.exe	FDAKGI.exe
File created	C:\windows\FDAKGI.exe.bat	KPLZYVS.exe
File opened for modification	C:\windows\KIFRYX.exe	FDAKGI.exe
File created	C:\windows\KIFRYX.exe.bat	FDAKGI.exe
File created	C:\windows\KPLZYVS.exe	d9cf2c981c1e551e0593eeb15c09b618_JC.exe
File opened for modification	C:\windows\KPLZYVS.exe	d9cf2c981c1e551e0593eeb15c09b618_JC.exe
File created	C:\windows\KPLZYVS.exe.bat	d9cf2c981c1e551e0593eeb15c09b618_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2140	d9cf2c981c1e551e0593eeb15c09b618_JC.exe
1620	KPLZYVS.exe
2100	FDAKGI.exe
2696	KIFRYX.exe
2468	PIZXQLM.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2140	d9cf2c981c1e551e0593eeb15c09b618_JC.exe
2140	d9cf2c981c1e551e0593eeb15c09b618_JC.exe
1620	KPLZYVS.exe
1620	KPLZYVS.exe
2100	FDAKGI.exe
2100	FDAKGI.exe
2696	KIFRYX.exe
2696	KIFRYX.exe
2468	PIZXQLM.exe
2468	PIZXQLM.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 324	2140	d9cf2c981c1e551e0593eeb15c09b618_JC.exe	28
PID 2140 wrote to memory of 324	2140	d9cf2c981c1e551e0593eeb15c09b618_JC.exe	28
PID 2140 wrote to memory of 324	2140	d9cf2c981c1e551e0593eeb15c09b618_JC.exe	28
PID 2140 wrote to memory of 324	2140	d9cf2c981c1e551e0593eeb15c09b618_JC.exe	28
PID 324 wrote to memory of 1620	324	cmd.exe	30
PID 324 wrote to memory of 1620	324	cmd.exe	30
PID 324 wrote to memory of 1620	324	cmd.exe	30
PID 324 wrote to memory of 1620	324	cmd.exe	30
PID 1620 wrote to memory of 2060	1620	KPLZYVS.exe	32
PID 1620 wrote to memory of 2060	1620	KPLZYVS.exe	32
PID 1620 wrote to memory of 2060	1620	KPLZYVS.exe	32
PID 1620 wrote to memory of 2060	1620	KPLZYVS.exe	32
PID 2060 wrote to memory of 2100	2060	cmd.exe	33
PID 2060 wrote to memory of 2100	2060	cmd.exe	33
PID 2060 wrote to memory of 2100	2060	cmd.exe	33
PID 2060 wrote to memory of 2100	2060	cmd.exe	33
PID 2100 wrote to memory of 2612	2100	FDAKGI.exe	34
PID 2100 wrote to memory of 2612	2100	FDAKGI.exe	34
PID 2100 wrote to memory of 2612	2100	FDAKGI.exe	34
PID 2100 wrote to memory of 2612	2100	FDAKGI.exe	34
PID 2612 wrote to memory of 2696	2612	cmd.exe	37
PID 2612 wrote to memory of 2696	2612	cmd.exe	37
PID 2612 wrote to memory of 2696	2612	cmd.exe	37
PID 2612 wrote to memory of 2696	2612	cmd.exe	37
PID 2696 wrote to memory of 2172	2696	KIFRYX.exe	39
PID 2696 wrote to memory of 2172	2696	KIFRYX.exe	39
PID 2696 wrote to memory of 2172	2696	KIFRYX.exe	39
PID 2696 wrote to memory of 2172	2696	KIFRYX.exe	39
PID 2172 wrote to memory of 2468	2172	cmd.exe	41
PID 2172 wrote to memory of 2468	2172	cmd.exe	41
PID 2172 wrote to memory of 2468	2172	cmd.exe	41
PID 2172 wrote to memory of 2468	2172	cmd.exe	41

C:\Users\Admin\AppData\Local\Temp\d9cf2c981c1e551e0593eeb15c09b618_JC.exe
"C:\Users\Admin\AppData\Local\Temp\d9cf2c981c1e551e0593eeb15c09b618_JC.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\windows\KPLZYVS.exe.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:324
- - C:\windows\KPLZYVS.exe
    C:\windows\KPLZYVS.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1620
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\windows\FDAKGI.exe.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2060
    - - C:\windows\FDAKGI.exe
        
        C:\windows\FDAKGI.exe
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2100
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\KIFRYX.exe.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\windows\KIFRYX.exe
        
        C:\windows\KIFRYX.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system32\PIZXQLM.exe.bat" "
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2172
        
        C:\windows\SysWOW64\PIZXQLM.exe
        
        C:\windows\system32\PIZXQLM.exe
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\FDAKGI.exe

Filesize
365KB

MD5
22e25f4c5087f4bb1f3a57a6e0bf7dee

SHA1
f5dfe59260fa330d20b4fe9913d964662ca02bb2

SHA256
d0449371eb809aae060e3a7647134838cccc9eddefffb3114839a5275a06d5aa

SHA512
8d0a991675f035d37b7dda5f3d1d07ab6f1dbb387a7cdab879333579e466603269f1649ac9888fd4541e9fa1e79a6cff127557a41a4fe553badb87186a7b3ff2

Download Submit
C:\Windows\FDAKGI.exe

Filesize
365KB

MD5
e3c594e0b6a541c47d97c1852fb23b09

SHA1
3e8e967eeaaf674685329e33310ad4fa80b6e04e

SHA256
f2fb491d2a818d233f9a989a801e52985abd8093d42bb3cfdf4c3e8d06182002

SHA512
a78fec9c0ddc6dad7cb5fed634d65b170abc232aff049666f75868b167ae7bb7874ad91f53e262d714d150e079f031b28223e6160a6a44fb40d6abd55d65bc04

Download Submit
C:\Windows\FDAKGI.exe.bat

Filesize
58B

MD5
34a48bdc6677caa7a92b82eef41a9114

SHA1
3d4593911f4d730720084d48d51cac97f2fff113

SHA256
d1529308a7fd8b7e4d0f000a8a94e48176779a27458e83e976d33cb736638977

SHA512
a5c4a3bc96d2d7a9f0b99452de6ed04a239669035aff087813583e8afbfa161d5bb8b1edd1e2f6c63291bcf44b3d9077864c6913c971401dbc409ca920d88f3b

Download Submit
C:\Windows\KIFRYX.exe

Filesize
365KB

MD5
ee60e8a6a8883e0300eda5175704d9b2

SHA1
06ed443836b73dcfe367648557c8268782862036

SHA256
2b68ce6b28ef46a8b1ec2ee7e1eb6d3f6c730de1932d45bf54cb245281bc25c7

SHA512
6a29ac95f831f93f7bab3ab2bacc37f0dda7fe742414669f29864e1d991d895a8c66d986adca2bb4ab264e9fb0f4a00bab9c994071a9fb70e76b266219013abd

Download Submit
C:\Windows\KIFRYX.exe.bat

Filesize
58B

MD5
cffcaf84d96529b65f018dd1ebe30527

SHA1
a8ddc6436bcf564661d945f6290b09ce6aa428cc

SHA256
231f5644ce1bfc5c31d145074e9b6bbd619ba75b3b48eb759ff849107b907a1f

SHA512
69078f7c3f9ff9b136486928633c79fe90175667bc85e10ee6126a25345647a9ea5612a29911eeca83a9567759e256250f5545f00984c49760fc8a38bf55a6c6

Download Submit
C:\Windows\KPLZYVS.exe

Filesize
365KB

MD5
78888a457b30ffb000b145b4ae8ed84c

SHA1
515de5fdbebd5fdd8f33b96425badb61d031ff67

SHA256
040096ac92bcfff93b853fe621d534619ca865b7689294bccfecc62b8ce18c0c

SHA512
05a13e7ea031898afc5351ef368ea0fd640f5c269056b7c76ca9c9c538569943fd720953aa51a6565befaf7f69119599d834244d8caeaa2158d8f69904182a65

Download Submit
C:\Windows\KPLZYVS.exe.bat

Filesize
60B

MD5
5c2cd0f2a9460a4c9ffc8671019b5b52

SHA1
a37a412040c3fd803e90adc7ffd9f79e0e84ab43

SHA256
cadfa5e6534fc4111fee5c42d05ef93f0c0e47bb820a9cb2cc909820f194650c

SHA512
ad03b31e92ec04d3babf92366eef776d202eeed68566bdad07e6b0986c5f4a40ce33ef64f63c049788eae5dd44fc02d35330d452b39b8fe8a7f9bc6cfad37d35

Download Submit
C:\Windows\SysWOW64\PIZXQLM.exe

Filesize
365KB

MD5
e5f7addff602694b46af1c0d3728f4c6

SHA1
2aafbbd051e41fc4b361fa1d9af176ebd402bf96

SHA256
f2dcf2b78aef9e02adb7b9d7759ad4fd50f1518fa87a6b469859b0e87cb8c9fa

SHA512
a250b4a4e8da8c63d20c988a6d87489daa7900b0299982c4e17b8d4a309362fd50bd0b64a43c9a23d2aa1a75d817488d18d9c68091286890775a57d224c8b887

Download Submit
C:\Windows\SysWOW64\PIZXQLM.exe.bat

Filesize
78B

MD5
64fe2c4982254ede67ae3f137df03c50

SHA1
4942640ba2e3a68c2564160c9ff07de53fa8b72c

SHA256
b50650b750f3dd7af3738cf54e962b34ace7165f0fb80c5acc339628c187bc53

SHA512
2f3ebb20c1507341d557ac426e10dd70948d67380c39c2e0ca0e9106534a618d476a212ef6435108e5686744b5696f5e1f649db67aa80db8197fbdc7f6c5b1fe

Download Submit
C:\windows\FDAKGI.exe

Filesize
365KB

MD5
e3c594e0b6a541c47d97c1852fb23b09

SHA1
3e8e967eeaaf674685329e33310ad4fa80b6e04e

SHA256
f2fb491d2a818d233f9a989a801e52985abd8093d42bb3cfdf4c3e8d06182002

SHA512
a78fec9c0ddc6dad7cb5fed634d65b170abc232aff049666f75868b167ae7bb7874ad91f53e262d714d150e079f031b28223e6160a6a44fb40d6abd55d65bc04

Download Submit
C:\windows\FDAKGI.exe.bat

Filesize
58B

MD5
34a48bdc6677caa7a92b82eef41a9114

SHA1
3d4593911f4d730720084d48d51cac97f2fff113

SHA256
d1529308a7fd8b7e4d0f000a8a94e48176779a27458e83e976d33cb736638977

SHA512
a5c4a3bc96d2d7a9f0b99452de6ed04a239669035aff087813583e8afbfa161d5bb8b1edd1e2f6c63291bcf44b3d9077864c6913c971401dbc409ca920d88f3b

Download Submit
C:\windows\KIFRYX.exe

Filesize
365KB

MD5
ee60e8a6a8883e0300eda5175704d9b2

SHA1
06ed443836b73dcfe367648557c8268782862036

SHA256
2b68ce6b28ef46a8b1ec2ee7e1eb6d3f6c730de1932d45bf54cb245281bc25c7

SHA512
6a29ac95f831f93f7bab3ab2bacc37f0dda7fe742414669f29864e1d991d895a8c66d986adca2bb4ab264e9fb0f4a00bab9c994071a9fb70e76b266219013abd

Download Submit
C:\windows\KIFRYX.exe.bat

Filesize
58B

MD5
cffcaf84d96529b65f018dd1ebe30527

SHA1
a8ddc6436bcf564661d945f6290b09ce6aa428cc

SHA256
231f5644ce1bfc5c31d145074e9b6bbd619ba75b3b48eb759ff849107b907a1f

SHA512
69078f7c3f9ff9b136486928633c79fe90175667bc85e10ee6126a25345647a9ea5612a29911eeca83a9567759e256250f5545f00984c49760fc8a38bf55a6c6

Download Submit
C:\windows\KPLZYVS.exe

Filesize
365KB

MD5
78888a457b30ffb000b145b4ae8ed84c

SHA1
515de5fdbebd5fdd8f33b96425badb61d031ff67

SHA256
040096ac92bcfff93b853fe621d534619ca865b7689294bccfecc62b8ce18c0c

SHA512
05a13e7ea031898afc5351ef368ea0fd640f5c269056b7c76ca9c9c538569943fd720953aa51a6565befaf7f69119599d834244d8caeaa2158d8f69904182a65

Download Submit
C:\windows\KPLZYVS.exe.bat

Filesize
60B

MD5
5c2cd0f2a9460a4c9ffc8671019b5b52

SHA1
a37a412040c3fd803e90adc7ffd9f79e0e84ab43

SHA256
cadfa5e6534fc4111fee5c42d05ef93f0c0e47bb820a9cb2cc909820f194650c

SHA512
ad03b31e92ec04d3babf92366eef776d202eeed68566bdad07e6b0986c5f4a40ce33ef64f63c049788eae5dd44fc02d35330d452b39b8fe8a7f9bc6cfad37d35

Download Submit
C:\windows\SysWOW64\PIZXQLM.exe

Filesize
365KB

MD5
e5f7addff602694b46af1c0d3728f4c6

SHA1
2aafbbd051e41fc4b361fa1d9af176ebd402bf96

SHA256
f2dcf2b78aef9e02adb7b9d7759ad4fd50f1518fa87a6b469859b0e87cb8c9fa

SHA512
a250b4a4e8da8c63d20c988a6d87489daa7900b0299982c4e17b8d4a309362fd50bd0b64a43c9a23d2aa1a75d817488d18d9c68091286890775a57d224c8b887

Download Submit
C:\windows\SysWOW64\PIZXQLM.exe.bat

Filesize
78B

MD5
64fe2c4982254ede67ae3f137df03c50

SHA1
4942640ba2e3a68c2564160c9ff07de53fa8b72c

SHA256
b50650b750f3dd7af3738cf54e962b34ace7165f0fb80c5acc339628c187bc53

SHA512
2f3ebb20c1507341d557ac426e10dd70948d67380c39c2e0ca0e9106534a618d476a212ef6435108e5686744b5696f5e1f649db67aa80db8197fbdc7f6c5b1fe

Download Submit
\Windows\SysWOW64\PIZXQLM.exe

Filesize
365KB

MD5
e5f7addff602694b46af1c0d3728f4c6

SHA1
2aafbbd051e41fc4b361fa1d9af176ebd402bf96

SHA256
f2dcf2b78aef9e02adb7b9d7759ad4fd50f1518fa87a6b469859b0e87cb8c9fa

SHA512
a250b4a4e8da8c63d20c988a6d87489daa7900b0299982c4e17b8d4a309362fd50bd0b64a43c9a23d2aa1a75d817488d18d9c68091286890775a57d224c8b887

Download Submit
\Windows\SysWOW64\PIZXQLM.exe

Filesize
365KB

MD5
e5f7addff602694b46af1c0d3728f4c6

SHA1
2aafbbd051e41fc4b361fa1d9af176ebd402bf96

SHA256
f2dcf2b78aef9e02adb7b9d7759ad4fd50f1518fa87a6b469859b0e87cb8c9fa

SHA512
a250b4a4e8da8c63d20c988a6d87489daa7900b0299982c4e17b8d4a309362fd50bd0b64a43c9a23d2aa1a75d817488d18d9c68091286890775a57d224c8b887

Download Submit
memory/324-16-0x0000000001C60000-0x0000000001CA7000-memory.dmp

Filesize
284KB

Download
memory/324-15-0x0000000001C60000-0x0000000001CA7000-memory.dmp

Filesize
284KB

Download
memory/324-72-0x0000000001C60000-0x0000000001CA7000-memory.dmp

Filesize
284KB

Download
memory/1620-18-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1620-30-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2060-33-0x0000000000430000-0x0000000000477000-memory.dmp

Filesize
284KB

Download
memory/2100-47-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2100-35-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2140-12-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2140-0-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2468-70-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2468-71-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2612-50-0x0000000000290000-0x00000000002D7000-memory.dmp

Filesize
284KB

Download
memory/2696-64-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2696-52-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download