fa0943feb5cc47c89fbbf1a30ba8f196610c6f562741cde6b8b9f0a19f8c74ac

Analysis

max time kernel
120s
max time network
135s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12-10-2023 05:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa0943feb5cc47c89fbbf1a30ba8f196610c6f562741cde6b8b9f0a19f8c74ac.exe
Size

3.3MB
MD5

51c2df4c151377008a867e9936101485
SHA1

6ce54dacd601acf26930864baed50cbe76504037
SHA256

fa0943feb5cc47c89fbbf1a30ba8f196610c6f562741cde6b8b9f0a19f8c74ac
SHA512

9f576d81e66f11db5a7e84a52016ee0fd96c8ccba088a586ffec8dd8788be4e8655df994aa0690297aa41b74237a57ee3f412630199de1dca964fee0d5302f70
SSDEEP

98304:N2HKwycIFgnZkcOyqxcQDFUg5CBgwjYNTtnpO:nFgEDcfg5CBgbNT/O

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2040	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2304	rs1.exe
1884	FTvrst.exe
1496	audidog.exe

Loads dropped DLL 2 IoCs

pid	Process
2304	rs1.exe
2304	rs1.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

pid	Process
2304	rs1.exe
2304	rs1.exe
2304	rs1.exe
2304	rs1.exe
2304	rs1.exe
2304	rs1.exe
2304	rs1.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\WINDOWS\DNomb\Mpec.mbt	rs1.exe
File created	C:\WINDOWS\DNomb\spolsvt.exe	rs1.exe
File created	C:\WINDOWS\DNomb\FTvrst.exe	rs1.exe
File opened for modification	C:\WINDOWS\DNomb\FTvrst.exe	rs1.exe
File created	C:\WINDOWS\DNomb\audidog.exe	rs1.exe
File created	C:\Windows\DNomb\Mpec.mbt	fa0943feb5cc47c89fbbf1a30ba8f196610c6f562741cde6b8b9f0a19f8c74ac.exe
File opened for modification	C:\Windows\DNomb\Mpec.mbt	fa0943feb5cc47c89fbbf1a30ba8f196610c6f562741cde6b8b9f0a19f8c74ac.exe
File created	C:\WINDOWS\Djltp.txt	rs1.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2816	fa0943feb5cc47c89fbbf1a30ba8f196610c6f562741cde6b8b9f0a19f8c74ac.exe
2816	fa0943feb5cc47c89fbbf1a30ba8f196610c6f562741cde6b8b9f0a19f8c74ac.exe
2304	rs1.exe
2304	rs1.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 2040	2816	fa0943feb5cc47c89fbbf1a30ba8f196610c6f562741cde6b8b9f0a19f8c74ac.exe	32
PID 2816 wrote to memory of 2040	2816	fa0943feb5cc47c89fbbf1a30ba8f196610c6f562741cde6b8b9f0a19f8c74ac.exe	32
PID 2816 wrote to memory of 2040	2816	fa0943feb5cc47c89fbbf1a30ba8f196610c6f562741cde6b8b9f0a19f8c74ac.exe	32
PID 2816 wrote to memory of 2040	2816	fa0943feb5cc47c89fbbf1a30ba8f196610c6f562741cde6b8b9f0a19f8c74ac.exe	32
PID 2304 wrote to memory of 1884	2304	rs1.exe	36
PID 2304 wrote to memory of 1884	2304	rs1.exe	36
PID 2304 wrote to memory of 1884	2304	rs1.exe	36
PID 2304 wrote to memory of 1884	2304	rs1.exe	36
PID 2304 wrote to memory of 1884	2304	rs1.exe	36
PID 2304 wrote to memory of 1884	2304	rs1.exe	36
PID 2304 wrote to memory of 1884	2304	rs1.exe	36
PID 2304 wrote to memory of 1496	2304	rs1.exe	37
PID 2304 wrote to memory of 1496	2304	rs1.exe	37
PID 2304 wrote to memory of 1496	2304	rs1.exe	37
PID 2304 wrote to memory of 1496	2304	rs1.exe	37
PID 2304 wrote to memory of 1496	2304	rs1.exe	37
PID 2304 wrote to memory of 1496	2304	rs1.exe	37
PID 2304 wrote to memory of 1496	2304	rs1.exe	37

C:\Users\Admin\AppData\Local\Temp\fa0943feb5cc47c89fbbf1a30ba8f196610c6f562741cde6b8b9f0a19f8c74ac.exe
"C:\Users\Admin\AppData\Local\Temp\fa0943feb5cc47c89fbbf1a30ba8f196610c6f562741cde6b8b9f0a19f8c74ac.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c del fa0943feb5cc47c89fbbf1a30ba8f196610c6f562741cde6b8b9f0a19f8c74ac.exe
  2⤵
  - Deletes itself
  PID:2040

C:\Users\Public\Documents\123\rs1.exe
"C:\Users\Public\Documents\123\rs1.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2304
- C:\WINDOWS\DNomb\FTvrst.exe
  C:\WINDOWS\DNomb\FTvrst.exe
  2⤵
  - Executes dropped EXE
  PID:1884
- C:\WINDOWS\DNomb\audidog.exe
  C:\WINDOWS\DNomb\audidog.exe
  2⤵
  - Executes dropped EXE
  PID:1496

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Documents\123\rs1.exe

Filesize
2.2MB

MD5
3a9c682b077bc044b21131216bdf6304

SHA1
afdd419f084b56838c7eb07ff2b28ff9b960e27e

SHA256
8beaa45a7ca8a10127ed2e359be90f856a4ac0b87ed31e57a59aadc58ad94cc8

SHA512
99a2d2ce97a50791ddac4caa359bc335e404ad4f1ec3bdc5e3df6917e9c6eceba2d7c821eb0728e9d0989df1d021625db7ab962c1ebf705f8770090501d64b14

Download Submit
C:\Users\Public\Documents\123\rs1.exe

Filesize
2.2MB

MD5
3a9c682b077bc044b21131216bdf6304

SHA1
afdd419f084b56838c7eb07ff2b28ff9b960e27e

SHA256
8beaa45a7ca8a10127ed2e359be90f856a4ac0b87ed31e57a59aadc58ad94cc8

SHA512
99a2d2ce97a50791ddac4caa359bc335e404ad4f1ec3bdc5e3df6917e9c6eceba2d7c821eb0728e9d0989df1d021625db7ab962c1ebf705f8770090501d64b14

Download Submit
C:\Windows\DNomb\FTvrst.exe

Filesize
2.2MB

MD5
3a9c682b077bc044b21131216bdf6304

SHA1
afdd419f084b56838c7eb07ff2b28ff9b960e27e

SHA256
8beaa45a7ca8a10127ed2e359be90f856a4ac0b87ed31e57a59aadc58ad94cc8

SHA512
99a2d2ce97a50791ddac4caa359bc335e404ad4f1ec3bdc5e3df6917e9c6eceba2d7c821eb0728e9d0989df1d021625db7ab962c1ebf705f8770090501d64b14

Download Submit
C:\Windows\DNomb\FTvrst.exe

Filesize
2.2MB

MD5
3a9c682b077bc044b21131216bdf6304

SHA1
afdd419f084b56838c7eb07ff2b28ff9b960e27e

SHA256
8beaa45a7ca8a10127ed2e359be90f856a4ac0b87ed31e57a59aadc58ad94cc8

SHA512
99a2d2ce97a50791ddac4caa359bc335e404ad4f1ec3bdc5e3df6917e9c6eceba2d7c821eb0728e9d0989df1d021625db7ab962c1ebf705f8770090501d64b14

Download Submit
C:\Windows\DNomb\audidog.exe

Filesize
2.2MB

MD5
3a9c682b077bc044b21131216bdf6304

SHA1
afdd419f084b56838c7eb07ff2b28ff9b960e27e

SHA256
8beaa45a7ca8a10127ed2e359be90f856a4ac0b87ed31e57a59aadc58ad94cc8

SHA512
99a2d2ce97a50791ddac4caa359bc335e404ad4f1ec3bdc5e3df6917e9c6eceba2d7c821eb0728e9d0989df1d021625db7ab962c1ebf705f8770090501d64b14

Download Submit
\Windows\DNomb\FTvrst.exe

Filesize
2.2MB

MD5
3a9c682b077bc044b21131216bdf6304

SHA1
afdd419f084b56838c7eb07ff2b28ff9b960e27e

SHA256
8beaa45a7ca8a10127ed2e359be90f856a4ac0b87ed31e57a59aadc58ad94cc8

SHA512
99a2d2ce97a50791ddac4caa359bc335e404ad4f1ec3bdc5e3df6917e9c6eceba2d7c821eb0728e9d0989df1d021625db7ab962c1ebf705f8770090501d64b14

Download Submit
\Windows\DNomb\audidog.exe

Filesize
2.2MB

MD5
3a9c682b077bc044b21131216bdf6304

SHA1
afdd419f084b56838c7eb07ff2b28ff9b960e27e

SHA256
8beaa45a7ca8a10127ed2e359be90f856a4ac0b87ed31e57a59aadc58ad94cc8

SHA512
99a2d2ce97a50791ddac4caa359bc335e404ad4f1ec3bdc5e3df6917e9c6eceba2d7c821eb0728e9d0989df1d021625db7ab962c1ebf705f8770090501d64b14

Download Submit
memory/1496-9140-0x0000000000400000-0x0000000000C64000-memory.dmp

Filesize
8.4MB

Download
memory/1884-8710-0x0000000000400000-0x0000000000C64000-memory.dmp

Filesize
8.4MB

Download
memory/1884-9462-0x0000000000400000-0x0000000000C64000-memory.dmp

Filesize
8.4MB

Download
memory/2304-851-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/2304-861-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/2304-823-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/2304-825-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/2304-827-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/2304-829-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/2304-831-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/2304-833-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/2304-835-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/2304-837-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/2304-839-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/2304-841-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/2304-843-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/2304-845-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/2304-847-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/2304-849-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/2304-819-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/2304-853-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/2304-855-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/2304-857-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/2304-859-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/2304-821-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/2304-863-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/2304-865-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/2304-867-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/2304-869-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/2304-871-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/2304-873-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/2304-875-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/2304-877-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/2304-1072-0x0000000000400000-0x0000000000C64000-memory.dmp

Filesize
8.4MB

Download
memory/2304-2553-0x00000000026E0000-0x0000000002861000-memory.dmp

Filesize
1.5MB

Download
memory/2304-8696-0x0000000000400000-0x0000000000C64000-memory.dmp

Filesize
8.4MB

Download
memory/2304-8698-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/2304-8700-0x0000000000400000-0x0000000000C64000-memory.dmp

Filesize
8.4MB

Download
memory/2304-816-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/2304-817-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/2304-8709-0x00000000041E0000-0x0000000004A44000-memory.dmp

Filesize
8.4MB

Download
memory/2304-9134-0x00000000041E0000-0x0000000004A44000-memory.dmp

Filesize
8.4MB

Download
memory/2304-6-0x00000000754B0000-0x00000000754F7000-memory.dmp

Filesize
284KB

Download
memory/2304-9181-0x0000000000400000-0x0000000000C64000-memory.dmp

Filesize
8.4MB

Download
memory/2304-4-0x0000000000400000-0x0000000000C64000-memory.dmp

Filesize
8.4MB

Download