b9584aa08f0dda8101e6b2c679d112d5102d44c80d8aa910c29cbf20df3ea11c

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
14/10/2023, 20:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b9584aa08f0dda8101e6b2c679d112d5102d44c80d8aa910c29cbf20df3ea11c.exe
Size

1.3MB
MD5

3b066ed8d386182ab068ead6eeb3f56f
SHA1

3be081054832612234ac15aa4693628de481511d
SHA256

b9584aa08f0dda8101e6b2c679d112d5102d44c80d8aa910c29cbf20df3ea11c
SHA512

cbec0e603cae1fdad04afc255a68ba33881d8f90bcc46e8fc5990dcc48cf47eabe05a5fa5cd45d259b038b1ec18e9ae1d4e679cda1226f9485a9a98fb46b1c6e
SSDEEP

24576:UpwVrXW1/BToUFzFx3QP6ADGaWl2fpIUAFuVTp44O5DXqS5OWCSfMqMhl:UWwLTomkCrwfpORhXqS5OeUqM

Score

5^/10

Malware Config

Signatures

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
2604	b9584aa08f0dda8101e6b2c679d112d5102d44c80d8aa910c29cbf20df3ea11c.exe
2604	b9584aa08f0dda8101e6b2c679d112d5102d44c80d8aa910c29cbf20df3ea11c.exe
2604	b9584aa08f0dda8101e6b2c679d112d5102d44c80d8aa910c29cbf20df3ea11c.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2604	b9584aa08f0dda8101e6b2c679d112d5102d44c80d8aa910c29cbf20df3ea11c.exe
2604	b9584aa08f0dda8101e6b2c679d112d5102d44c80d8aa910c29cbf20df3ea11c.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 2044	2604	b9584aa08f0dda8101e6b2c679d112d5102d44c80d8aa910c29cbf20df3ea11c.exe	29
PID 2604 wrote to memory of 2044	2604	b9584aa08f0dda8101e6b2c679d112d5102d44c80d8aa910c29cbf20df3ea11c.exe	29
PID 2604 wrote to memory of 2044	2604	b9584aa08f0dda8101e6b2c679d112d5102d44c80d8aa910c29cbf20df3ea11c.exe	29
PID 2604 wrote to memory of 2468	2604	b9584aa08f0dda8101e6b2c679d112d5102d44c80d8aa910c29cbf20df3ea11c.exe	30
PID 2604 wrote to memory of 2468	2604	b9584aa08f0dda8101e6b2c679d112d5102d44c80d8aa910c29cbf20df3ea11c.exe	30
PID 2604 wrote to memory of 2468	2604	b9584aa08f0dda8101e6b2c679d112d5102d44c80d8aa910c29cbf20df3ea11c.exe	30
PID 2604 wrote to memory of 2660	2604	b9584aa08f0dda8101e6b2c679d112d5102d44c80d8aa910c29cbf20df3ea11c.exe	31
PID 2604 wrote to memory of 2660	2604	b9584aa08f0dda8101e6b2c679d112d5102d44c80d8aa910c29cbf20df3ea11c.exe	31
PID 2604 wrote to memory of 2660	2604	b9584aa08f0dda8101e6b2c679d112d5102d44c80d8aa910c29cbf20df3ea11c.exe	31
PID 2604 wrote to memory of 2648	2604	b9584aa08f0dda8101e6b2c679d112d5102d44c80d8aa910c29cbf20df3ea11c.exe	32
PID 2604 wrote to memory of 2648	2604	b9584aa08f0dda8101e6b2c679d112d5102d44c80d8aa910c29cbf20df3ea11c.exe	32
PID 2604 wrote to memory of 2648	2604	b9584aa08f0dda8101e6b2c679d112d5102d44c80d8aa910c29cbf20df3ea11c.exe	32
PID 2604 wrote to memory of 2708	2604	b9584aa08f0dda8101e6b2c679d112d5102d44c80d8aa910c29cbf20df3ea11c.exe	33
PID 2604 wrote to memory of 2708	2604	b9584aa08f0dda8101e6b2c679d112d5102d44c80d8aa910c29cbf20df3ea11c.exe	33
PID 2604 wrote to memory of 2708	2604	b9584aa08f0dda8101e6b2c679d112d5102d44c80d8aa910c29cbf20df3ea11c.exe	33
PID 2604 wrote to memory of 2724	2604	b9584aa08f0dda8101e6b2c679d112d5102d44c80d8aa910c29cbf20df3ea11c.exe	34
PID 2604 wrote to memory of 2724	2604	b9584aa08f0dda8101e6b2c679d112d5102d44c80d8aa910c29cbf20df3ea11c.exe	34
PID 2604 wrote to memory of 2724	2604	b9584aa08f0dda8101e6b2c679d112d5102d44c80d8aa910c29cbf20df3ea11c.exe	34
PID 2604 wrote to memory of 2740	2604	b9584aa08f0dda8101e6b2c679d112d5102d44c80d8aa910c29cbf20df3ea11c.exe	35
PID 2604 wrote to memory of 2740	2604	b9584aa08f0dda8101e6b2c679d112d5102d44c80d8aa910c29cbf20df3ea11c.exe	35
PID 2604 wrote to memory of 2740	2604	b9584aa08f0dda8101e6b2c679d112d5102d44c80d8aa910c29cbf20df3ea11c.exe	35
PID 2604 wrote to memory of 2744	2604	b9584aa08f0dda8101e6b2c679d112d5102d44c80d8aa910c29cbf20df3ea11c.exe	36
PID 2604 wrote to memory of 2744	2604	b9584aa08f0dda8101e6b2c679d112d5102d44c80d8aa910c29cbf20df3ea11c.exe	36
PID 2604 wrote to memory of 2744	2604	b9584aa08f0dda8101e6b2c679d112d5102d44c80d8aa910c29cbf20df3ea11c.exe	36
PID 2604 wrote to memory of 2672	2604	b9584aa08f0dda8101e6b2c679d112d5102d44c80d8aa910c29cbf20df3ea11c.exe	37
PID 2604 wrote to memory of 2672	2604	b9584aa08f0dda8101e6b2c679d112d5102d44c80d8aa910c29cbf20df3ea11c.exe	37
PID 2604 wrote to memory of 2672	2604	b9584aa08f0dda8101e6b2c679d112d5102d44c80d8aa910c29cbf20df3ea11c.exe	37
PID 2604 wrote to memory of 2956	2604	b9584aa08f0dda8101e6b2c679d112d5102d44c80d8aa910c29cbf20df3ea11c.exe	38
PID 2604 wrote to memory of 2956	2604	b9584aa08f0dda8101e6b2c679d112d5102d44c80d8aa910c29cbf20df3ea11c.exe	38
PID 2604 wrote to memory of 2956	2604	b9584aa08f0dda8101e6b2c679d112d5102d44c80d8aa910c29cbf20df3ea11c.exe	38
PID 2604 wrote to memory of 2644	2604	b9584aa08f0dda8101e6b2c679d112d5102d44c80d8aa910c29cbf20df3ea11c.exe	39
PID 2604 wrote to memory of 2644	2604	b9584aa08f0dda8101e6b2c679d112d5102d44c80d8aa910c29cbf20df3ea11c.exe	39
PID 2604 wrote to memory of 2644	2604	b9584aa08f0dda8101e6b2c679d112d5102d44c80d8aa910c29cbf20df3ea11c.exe	39
PID 2604 wrote to memory of 2652	2604	b9584aa08f0dda8101e6b2c679d112d5102d44c80d8aa910c29cbf20df3ea11c.exe	40
PID 2604 wrote to memory of 2652	2604	b9584aa08f0dda8101e6b2c679d112d5102d44c80d8aa910c29cbf20df3ea11c.exe	40
PID 2604 wrote to memory of 2652	2604	b9584aa08f0dda8101e6b2c679d112d5102d44c80d8aa910c29cbf20df3ea11c.exe	40
PID 2604 wrote to memory of 1704	2604	b9584aa08f0dda8101e6b2c679d112d5102d44c80d8aa910c29cbf20df3ea11c.exe	41
PID 2604 wrote to memory of 1704	2604	b9584aa08f0dda8101e6b2c679d112d5102d44c80d8aa910c29cbf20df3ea11c.exe	41
PID 2604 wrote to memory of 1704	2604	b9584aa08f0dda8101e6b2c679d112d5102d44c80d8aa910c29cbf20df3ea11c.exe	41
PID 2604 wrote to memory of 2636	2604	b9584aa08f0dda8101e6b2c679d112d5102d44c80d8aa910c29cbf20df3ea11c.exe	42
PID 2604 wrote to memory of 2636	2604	b9584aa08f0dda8101e6b2c679d112d5102d44c80d8aa910c29cbf20df3ea11c.exe	42
PID 2604 wrote to memory of 2636	2604	b9584aa08f0dda8101e6b2c679d112d5102d44c80d8aa910c29cbf20df3ea11c.exe	42
PID 2604 wrote to memory of 2832	2604	b9584aa08f0dda8101e6b2c679d112d5102d44c80d8aa910c29cbf20df3ea11c.exe	43
PID 2604 wrote to memory of 2832	2604	b9584aa08f0dda8101e6b2c679d112d5102d44c80d8aa910c29cbf20df3ea11c.exe	43
PID 2604 wrote to memory of 2832	2604	b9584aa08f0dda8101e6b2c679d112d5102d44c80d8aa910c29cbf20df3ea11c.exe	43
PID 2832 wrote to memory of 2460	2832	cmd.exe	44
PID 2832 wrote to memory of 2460	2832	cmd.exe	44
PID 2832 wrote to memory of 2460	2832	cmd.exe	44
PID 2832 wrote to memory of 2820	2832	cmd.exe	45
PID 2832 wrote to memory of 2820	2832	cmd.exe	45
PID 2832 wrote to memory of 2820	2832	cmd.exe	45
PID 2832 wrote to memory of 2544	2832	cmd.exe	46
PID 2832 wrote to memory of 2544	2832	cmd.exe	46
PID 2832 wrote to memory of 2544	2832	cmd.exe	46

C:\Users\Admin\AppData\Local\Temp\b9584aa08f0dda8101e6b2c679d112d5102d44c80d8aa910c29cbf20df3ea11c.exe
"C:\Users\Admin\AppData\Local\Temp\b9584aa08f0dda8101e6b2c679d112d5102d44c80d8aa910c29cbf20df3ea11c.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color 5
  2⤵
  PID:2044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:2468
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:2660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:2648
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:2708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:2724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:2740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:2744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:2672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:2956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:2644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:2652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:1704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:2636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\b9584aa08f0dda8101e6b2c679d112d5102d44c80d8aa910c29cbf20df3ea11c.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\b9584aa08f0dda8101e6b2c679d112d5102d44c80d8aa910c29cbf20df3ea11c.exe" MD5
    3⤵
    PID:2460
- - C:\Windows\system32\find.exe
    find /i /v "md5"
    3⤵
    PID:2820
- - C:\Windows\system32\find.exe
    find /i /v "certutil"
    3⤵
    PID:2544

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2604-0-0x0000000140000000-0x00000001402D1000-memory.dmp

Filesize
2.8MB

Download
memory/2604-1-0x0000000140000000-0x00000001402D1000-memory.dmp

Filesize
2.8MB

Download
memory/2604-2-0x0000000140000000-0x00000001402D1000-memory.dmp

Filesize
2.8MB

Download
memory/2604-4-0x0000000140000000-0x00000001402D1000-memory.dmp

Filesize
2.8MB

Download
memory/2604-5-0x0000000140000000-0x00000001402D1000-memory.dmp

Filesize
2.8MB

Download
memory/2604-6-0x0000000140000000-0x00000001402D1000-memory.dmp

Filesize
2.8MB

Download