00db6ac8bbf4ee862a95a20b903ae4b9e5ca06262b918912c439d3f6b969844c

Analysis

max time kernel
152s
max time network
156s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11-10-2023 20:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00db6ac8bbf4ee862a95a20b903ae4b9e5ca06262b918912c439d3f6b969844c.exe
Size

6.5MB
MD5

c735e202d75eb7bbaf649794ac62ab66
SHA1

799f9ffcd43b507d153f2c54c7c735c38dcdeedd
SHA256

00db6ac8bbf4ee862a95a20b903ae4b9e5ca06262b918912c439d3f6b969844c
SHA512

f16e3eb2338febfc3e0aad96a3599996b82fe567cdca6f578c8aabd3c49bcd3efe552ad6e80fc4bd0a1b83af05fce12f272fb334173bd58bec8bb3ee0d0f2505
SSDEEP

49152:/dS4zqmy1NZOuPjoNc3/iq1bT07exppb49ZBasl61lGlaVHCq1FaIpxjmPtqqz/f:Uv1A7etxWP0H6IpGq+5S1x1uhTCwqeoi

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1468	A65ViH6x.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x001a000000016466-6.dat	upx
behavioral1/memory/1468-7-0x0000000000400000-0x0000000000558000-memory.dmp	upx
behavioral1/memory/1468-25-0x0000000000400000-0x0000000000558000-memory.dmp	upx
behavioral1/memory/1468-27-0x0000000000400000-0x0000000000558000-memory.dmp	upx
behavioral1/memory/1468-30-0x0000000000400000-0x0000000000558000-memory.dmp	upx
behavioral1/memory/1468-47-0x0000000000400000-0x0000000000558000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1704	00db6ac8bbf4ee862a95a20b903ae4b9e5ca06262b918912c439d3f6b969844c.exe
1704	00db6ac8bbf4ee862a95a20b903ae4b9e5ca06262b918912c439d3f6b969844c.exe
1468	A65ViH6x.exe
1468	A65ViH6x.exe
1468	A65ViH6x.exe
1468	A65ViH6x.exe
1468	A65ViH6x.exe
1468	A65ViH6x.exe
1468	A65ViH6x.exe
1468	A65ViH6x.exe
1468	A65ViH6x.exe
1468	A65ViH6x.exe
1468	A65ViH6x.exe
1468	A65ViH6x.exe
1468	A65ViH6x.exe
1468	A65ViH6x.exe
1468	A65ViH6x.exe
1468	A65ViH6x.exe
1468	A65ViH6x.exe
1468	A65ViH6x.exe
1468	A65ViH6x.exe
1468	A65ViH6x.exe
1468	A65ViH6x.exe
1468	A65ViH6x.exe
1468	A65ViH6x.exe
1468	A65ViH6x.exe
1468	A65ViH6x.exe
1468	A65ViH6x.exe
1468	A65ViH6x.exe
1468	A65ViH6x.exe
1468	A65ViH6x.exe
1468	A65ViH6x.exe
1468	A65ViH6x.exe
1468	A65ViH6x.exe
1468	A65ViH6x.exe
1468	A65ViH6x.exe
1468	A65ViH6x.exe
1468	A65ViH6x.exe
1468	A65ViH6x.exe
1468	A65ViH6x.exe
1468	A65ViH6x.exe
1468	A65ViH6x.exe
1468	A65ViH6x.exe
1468	A65ViH6x.exe
1468	A65ViH6x.exe
1468	A65ViH6x.exe
1468	A65ViH6x.exe
1468	A65ViH6x.exe
1468	A65ViH6x.exe
1468	A65ViH6x.exe
1468	A65ViH6x.exe
1468	A65ViH6x.exe
1468	A65ViH6x.exe
1468	A65ViH6x.exe
1468	A65ViH6x.exe
1468	A65ViH6x.exe
1468	A65ViH6x.exe
1468	A65ViH6x.exe
1468	A65ViH6x.exe
1468	A65ViH6x.exe
1468	A65ViH6x.exe
1468	A65ViH6x.exe
1468	A65ViH6x.exe
1468	A65ViH6x.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1468	A65ViH6x.exe
1468	A65ViH6x.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 1468	1704	00db6ac8bbf4ee862a95a20b903ae4b9e5ca06262b918912c439d3f6b969844c.exe	28
PID 1704 wrote to memory of 1468	1704	00db6ac8bbf4ee862a95a20b903ae4b9e5ca06262b918912c439d3f6b969844c.exe	28
PID 1704 wrote to memory of 1468	1704	00db6ac8bbf4ee862a95a20b903ae4b9e5ca06262b918912c439d3f6b969844c.exe	28
PID 1704 wrote to memory of 1468	1704	00db6ac8bbf4ee862a95a20b903ae4b9e5ca06262b918912c439d3f6b969844c.exe	28
PID 1704 wrote to memory of 1468	1704	00db6ac8bbf4ee862a95a20b903ae4b9e5ca06262b918912c439d3f6b969844c.exe	28
PID 1704 wrote to memory of 1468	1704	00db6ac8bbf4ee862a95a20b903ae4b9e5ca06262b918912c439d3f6b969844c.exe	28
PID 1704 wrote to memory of 1468	1704	00db6ac8bbf4ee862a95a20b903ae4b9e5ca06262b918912c439d3f6b969844c.exe	28
PID 1468 wrote to memory of 2736	1468	A65ViH6x.exe	31
PID 1468 wrote to memory of 2736	1468	A65ViH6x.exe	31
PID 1468 wrote to memory of 2736	1468	A65ViH6x.exe	31
PID 1468 wrote to memory of 2736	1468	A65ViH6x.exe	31
PID 1468 wrote to memory of 2548	1468	A65ViH6x.exe	33
PID 1468 wrote to memory of 2548	1468	A65ViH6x.exe	33
PID 1468 wrote to memory of 2548	1468	A65ViH6x.exe	33
PID 1468 wrote to memory of 2548	1468	A65ViH6x.exe	33
PID 1468 wrote to memory of 1384	1468	A65ViH6x.exe	35
PID 1468 wrote to memory of 1384	1468	A65ViH6x.exe	35
PID 1468 wrote to memory of 1384	1468	A65ViH6x.exe	35
PID 1468 wrote to memory of 1384	1468	A65ViH6x.exe	35
PID 1468 wrote to memory of 1908	1468	A65ViH6x.exe	37
PID 1468 wrote to memory of 1908	1468	A65ViH6x.exe	37
PID 1468 wrote to memory of 1908	1468	A65ViH6x.exe	37
PID 1468 wrote to memory of 1908	1468	A65ViH6x.exe	37

C:\Users\Admin\AppData\Local\Temp\00db6ac8bbf4ee862a95a20b903ae4b9e5ca06262b918912c439d3f6b969844c.exe
"C:\Users\Admin\AppData\Local\Temp\00db6ac8bbf4ee862a95a20b903ae4b9e5ca06262b918912c439d3f6b969844c.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Users\Public\Downloads\q4y9tCZo\A65ViH6x.exe
  "C:\Users\Public\Downloads\q4y9tCZo\A65ViH6x.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1468
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c echo.>c:\xxxx.ini
    3⤵
    PID:2736
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c echo.>c:\xxxx.ini
    3⤵
    PID:2548
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c echo.>c:\xxxx.ini
    3⤵
    PID:1384
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c echo.>c:\xxxx.ini
    3⤵
    PID:1908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_ir_tu2_temp_0\IRIMG3.JPG

Filesize
6KB

MD5
e39405e85e09f64ccde0f59392317dd3

SHA1
9c76db4b3d8c7972e7995ecfb1e3c47ee94fd14b

SHA256
cfd9677e1c0e10b1507f520c4ecd40f68db78154c0d4e6563403d540f3bf829f

SHA512
6733f330145b48d23c023c664090f4f240e9bbeb8368b486c8ee8682ec6a930b73275e24075648d1aa7e01db1ec7b7e259286917a006ba9af8fb7cba3439070a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_tu2_temp_0\IRIMG4.JPG

Filesize
36KB

MD5
f6bf82a293b69aa5b47d4e2de305d45a

SHA1
4948716616d4bbe68be2b4c5bf95350402d3f96f

SHA256
6a9368cdd7b3ff9b590e206c3536569bc45c338966d0059784959f73fe6281e0

SHA512
edf0f3ee60a620cf886184c1014f38d0505aac9e3703d61d7074cfb27d6922f80e570d1a3891593606a09f1296a88c8770445761c11c390a99a5341ee56478aa

Download Submit
C:\Users\Public\Downloads\q4y9tCZo\A65ViH6x.dat

Filesize
132KB

MD5
fcad77610004a4889991b27fb7c891f7

SHA1
446c52fa1576a0f6d083a3b59b1e54cd2f157b0b

SHA256
08122afdb1f36fb1c1bb72d654e2e973c91cd06d32c84306a08a16d482cdf6cb

SHA512
cbd0b72d4807e50c147b7143f2bb0e6613c11be7f6138172881d5b3da006be7ac9f60755996dba8b2c459f3e4286bf139019216b804a09836822cfce47bd384f

Download Submit
C:\Users\Public\Downloads\q4y9tCZo\A65ViH6x.exe

Filesize
529KB

MD5
49d595ab380b7c7a4cd6916eeb4dfe6f

SHA1
b84649fce92cc0e7a4d25599cc15ffaf312edc0b

SHA256
207d856a56e97f2fdab243742f0cfcd1ba8b5814dc65b3798e54d022ce719661

SHA512
d00ed0d9baae96ccbaf1262b4a4aaf4468e4ace6cebcea81e74d830bf414d9bc61068b8fb0eefa742add14aec47284f3adc11be26c8b8d66bfae4c498f2a4110

Download Submit
C:\Users\Public\Downloads\q4y9tCZo\Edge.jpg

Filesize
358KB

MD5
7c7cc96a1e0734672600074f8e7630f8

SHA1
a9f0740611ee1313dd268741e58787389ef22b1b

SHA256
4cd0da5b238335eb0264dccad6ab07ae853e9ae24c2b56ddcbf1f8b7b92678dd

SHA512
032bbf21a258348efdcedfde7a34a6fa8fa5b8e907605f5e75a2661123ccc8d969aad9b228028a9053ef1a6310affec46d337c13b52966a5537376d93acee6bf

Download Submit
C:\Users\Public\Downloads\q4y9tCZo\edge.xml

Filesize
53KB

MD5
c01854d7e6be8474cfccbfb8ecf81d0b

SHA1
d5fb64c8e4e7c6bb1b5322ddd67e43974b20cf06

SHA256
a31251575a2dcb37ab41d4cb0fa5704c60c66b784cacf101ddb07252044b3746

SHA512
fcf768c89c8747e6a6a69f2ff99ae588b3662157f83039ce1209263878b63abf2dcf6f43dad72ec688f25332c87a1b09acb47d6e2ea5c62ce76592b942be2f9f

Download Submit
memory/1468-27-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/1468-30-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/1468-32-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/1468-25-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/1468-34-0x00000000005E0000-0x00000000005F2000-memory.dmp

Filesize
72KB

Download
memory/1468-7-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/1468-37-0x0000000010000000-0x0000000010061000-memory.dmp

Filesize
388KB

Download
memory/1468-47-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download