eb69742654de8079a24a8d1ebf1973b50849dbf5d21f8e9d920a1cec4138c2ee

Analysis

max time kernel
117s
max time network
123s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
15/10/2023, 19:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f862158c1fb0f47d50a021d61705c10_exe32.exe
Size

208KB
MD5

3f862158c1fb0f47d50a021d61705c10
SHA1

eca7a0878646529292211d1e9e02d6911c78648c
SHA256

eb69742654de8079a24a8d1ebf1973b50849dbf5d21f8e9d920a1cec4138c2ee
SHA512

6e6f1e75892b1d660389658c09cbf0cafe01740817ced5f414d09993acbc59f25125052e606c506ce230eb1f48808ba9d64fae11fa5ffa50dc4415d2f51a2436
SSDEEP

3072:BzawjZllLtly7pYahUF15ar/i9XEN0y60xVQCGqWAW35I0Dmcur/Dni/14NLthEB:sKZlAFYaqFLa2NENc0xVQS25/EnIQEj1

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2684	NOXZFEZ.exe
2440	QJASZJH.exe

Loads dropped DLL 4 IoCs

pid	Process
2652	cmd.exe
2652	cmd.exe
2188	cmd.exe
2188	cmd.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\windows\system\NOXZFEZ.exe	3f862158c1fb0f47d50a021d61705c10_exe32.exe
File opened for modification	C:\windows\system\NOXZFEZ.exe	3f862158c1fb0f47d50a021d61705c10_exe32.exe
File created	C:\windows\system\NOXZFEZ.exe.bat	3f862158c1fb0f47d50a021d61705c10_exe32.exe
File created	C:\windows\system\QJASZJH.exe	NOXZFEZ.exe
File opened for modification	C:\windows\system\QJASZJH.exe	NOXZFEZ.exe
File created	C:\windows\system\QJASZJH.exe.bat	NOXZFEZ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2216	3f862158c1fb0f47d50a021d61705c10_exe32.exe
2684	NOXZFEZ.exe
2440	QJASZJH.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2216	3f862158c1fb0f47d50a021d61705c10_exe32.exe
2216	3f862158c1fb0f47d50a021d61705c10_exe32.exe
2684	NOXZFEZ.exe
2684	NOXZFEZ.exe
2440	QJASZJH.exe
2440	QJASZJH.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 2652	2216	3f862158c1fb0f47d50a021d61705c10_exe32.exe	28
PID 2216 wrote to memory of 2652	2216	3f862158c1fb0f47d50a021d61705c10_exe32.exe	28
PID 2216 wrote to memory of 2652	2216	3f862158c1fb0f47d50a021d61705c10_exe32.exe	28
PID 2216 wrote to memory of 2652	2216	3f862158c1fb0f47d50a021d61705c10_exe32.exe	28
PID 2652 wrote to memory of 2684	2652	cmd.exe	30
PID 2652 wrote to memory of 2684	2652	cmd.exe	30
PID 2652 wrote to memory of 2684	2652	cmd.exe	30
PID 2652 wrote to memory of 2684	2652	cmd.exe	30
PID 2684 wrote to memory of 2188	2684	NOXZFEZ.exe	32
PID 2684 wrote to memory of 2188	2684	NOXZFEZ.exe	32
PID 2684 wrote to memory of 2188	2684	NOXZFEZ.exe	32
PID 2684 wrote to memory of 2188	2684	NOXZFEZ.exe	32
PID 2188 wrote to memory of 2440	2188	cmd.exe	33
PID 2188 wrote to memory of 2440	2188	cmd.exe	33
PID 2188 wrote to memory of 2440	2188	cmd.exe	33
PID 2188 wrote to memory of 2440	2188	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\3f862158c1fb0f47d50a021d61705c10_exe32.exe
"C:\Users\Admin\AppData\Local\Temp\3f862158c1fb0f47d50a021d61705c10_exe32.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\windows\system\NOXZFEZ.exe.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\windows\system\NOXZFEZ.exe
    C:\windows\system\NOXZFEZ.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2684
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\windows\system\QJASZJH.exe.bat" "
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2188
    - - C:\windows\system\QJASZJH.exe
        
        C:\windows\system\QJASZJH.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\NOXZFEZ.exe

Filesize
208KB

MD5
59f484381f5b7ea0616cb6e197f9221b

SHA1
d67c28d5e9ea18f07fe88243c55f287ddf10410c

SHA256
6c6fa272184488754c591c99a2e7cd3bd1b41d305651fd6c45361d4374d38e89

SHA512
ce518f42564a6c6bffe0335dfafb91e04a80816b4c6b1b6cd09291d585b0e5d63e824b11a10ce6f8b6d38c263c9121debae7ca08c153c542b05b8b6a76bb8f17

Download Submit
C:\Windows\system\NOXZFEZ.exe.bat

Filesize
74B

MD5
e933476a77967308b7e86936d5708a89

SHA1
9e67ddbcff869518b54c9f6d8c8c5d7cbcc430af

SHA256
aeb7ff7608bea3337fb3ade6de6290ff9933e4ef752b8ce75a5f4c2c04d7d7c2

SHA512
f7cfaef016c0f265ad375b21db5a2fdc3622329a2516d31cabf47ed8a2c1817b6c29e8db6bcbcbe26b4ed16ecd5b13210a179e83d3dc01305b3a91a9a2abe5a5

Download Submit
C:\Windows\system\QJASZJH.exe

Filesize
208KB

MD5
60aaca1d15b294f4ba36264f40bfddc1

SHA1
8c72257b627d319fec6e214b75f99377e07108c2

SHA256
1d3cb679a8897b8fd4bf7b94bccc8992381a35a1efc94d27a659f94c30bbdafe

SHA512
afcacdd806deb8ae5293c742840793ff39e594a9739bf33bb31c43bf14e840bdc6cc3da4703e42703d0829ca4a80e18ae4a48f09be0c235eee3a8b10556a2084

Download Submit
C:\Windows\system\QJASZJH.exe

Filesize
208KB

MD5
59f484381f5b7ea0616cb6e197f9221b

SHA1
d67c28d5e9ea18f07fe88243c55f287ddf10410c

SHA256
6c6fa272184488754c591c99a2e7cd3bd1b41d305651fd6c45361d4374d38e89

SHA512
ce518f42564a6c6bffe0335dfafb91e04a80816b4c6b1b6cd09291d585b0e5d63e824b11a10ce6f8b6d38c263c9121debae7ca08c153c542b05b8b6a76bb8f17

Download Submit
C:\Windows\system\QJASZJH.exe.bat

Filesize
74B

MD5
e04957905f102601646265ac49158967

SHA1
aa27c84e932092e528982c8b6756cf2137b885ad

SHA256
8a3893c0a9ed841e40bc24a970aec68713639d4f097f67fe59198d1e8b174224

SHA512
7d3856fac221cc79cb870172c940f769265a3788bbc3b2d7f4079adb07d29479876c7d11044089c99dc8c7f03de9cf5cb77164585f6c05a84b6fa0c0cd9d2068

Download Submit
C:\windows\system\NOXZFEZ.exe

Filesize
208KB

MD5
59f484381f5b7ea0616cb6e197f9221b

SHA1
d67c28d5e9ea18f07fe88243c55f287ddf10410c

SHA256
6c6fa272184488754c591c99a2e7cd3bd1b41d305651fd6c45361d4374d38e89

SHA512
ce518f42564a6c6bffe0335dfafb91e04a80816b4c6b1b6cd09291d585b0e5d63e824b11a10ce6f8b6d38c263c9121debae7ca08c153c542b05b8b6a76bb8f17

Download Submit
C:\windows\system\NOXZFEZ.exe.bat

Filesize
74B

MD5
e933476a77967308b7e86936d5708a89

SHA1
9e67ddbcff869518b54c9f6d8c8c5d7cbcc430af

SHA256
aeb7ff7608bea3337fb3ade6de6290ff9933e4ef752b8ce75a5f4c2c04d7d7c2

SHA512
f7cfaef016c0f265ad375b21db5a2fdc3622329a2516d31cabf47ed8a2c1817b6c29e8db6bcbcbe26b4ed16ecd5b13210a179e83d3dc01305b3a91a9a2abe5a5

Download Submit
C:\windows\system\QJASZJH.exe

Filesize
208KB

MD5
59f484381f5b7ea0616cb6e197f9221b

SHA1
d67c28d5e9ea18f07fe88243c55f287ddf10410c

SHA256
6c6fa272184488754c591c99a2e7cd3bd1b41d305651fd6c45361d4374d38e89

SHA512
ce518f42564a6c6bffe0335dfafb91e04a80816b4c6b1b6cd09291d585b0e5d63e824b11a10ce6f8b6d38c263c9121debae7ca08c153c542b05b8b6a76bb8f17

Download Submit
C:\windows\system\QJASZJH.exe.bat

Filesize
74B

MD5
e04957905f102601646265ac49158967

SHA1
aa27c84e932092e528982c8b6756cf2137b885ad

SHA256
8a3893c0a9ed841e40bc24a970aec68713639d4f097f67fe59198d1e8b174224

SHA512
7d3856fac221cc79cb870172c940f769265a3788bbc3b2d7f4079adb07d29479876c7d11044089c99dc8c7f03de9cf5cb77164585f6c05a84b6fa0c0cd9d2068

Download Submit
\Windows\system\NOXZFEZ.exe

Filesize
208KB

MD5
59f484381f5b7ea0616cb6e197f9221b

SHA1
d67c28d5e9ea18f07fe88243c55f287ddf10410c

SHA256
6c6fa272184488754c591c99a2e7cd3bd1b41d305651fd6c45361d4374d38e89

SHA512
ce518f42564a6c6bffe0335dfafb91e04a80816b4c6b1b6cd09291d585b0e5d63e824b11a10ce6f8b6d38c263c9121debae7ca08c153c542b05b8b6a76bb8f17

Download Submit
\Windows\system\NOXZFEZ.exe

Filesize
208KB

MD5
59f484381f5b7ea0616cb6e197f9221b

SHA1
d67c28d5e9ea18f07fe88243c55f287ddf10410c

SHA256
6c6fa272184488754c591c99a2e7cd3bd1b41d305651fd6c45361d4374d38e89

SHA512
ce518f42564a6c6bffe0335dfafb91e04a80816b4c6b1b6cd09291d585b0e5d63e824b11a10ce6f8b6d38c263c9121debae7ca08c153c542b05b8b6a76bb8f17

Download Submit
\Windows\system\QJASZJH.exe

Filesize
208KB

MD5
59f484381f5b7ea0616cb6e197f9221b

SHA1
d67c28d5e9ea18f07fe88243c55f287ddf10410c

SHA256
6c6fa272184488754c591c99a2e7cd3bd1b41d305651fd6c45361d4374d38e89

SHA512
ce518f42564a6c6bffe0335dfafb91e04a80816b4c6b1b6cd09291d585b0e5d63e824b11a10ce6f8b6d38c263c9121debae7ca08c153c542b05b8b6a76bb8f17

Download Submit
\Windows\system\QJASZJH.exe

Filesize
208KB

MD5
59f484381f5b7ea0616cb6e197f9221b

SHA1
d67c28d5e9ea18f07fe88243c55f287ddf10410c

SHA256
6c6fa272184488754c591c99a2e7cd3bd1b41d305651fd6c45361d4374d38e89

SHA512
ce518f42564a6c6bffe0335dfafb91e04a80816b4c6b1b6cd09291d585b0e5d63e824b11a10ce6f8b6d38c263c9121debae7ca08c153c542b05b8b6a76bb8f17

Download Submit
memory/2188-38-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2188-35-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2216-12-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2216-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2440-39-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2652-17-0x00000000001F0000-0x0000000000228000-memory.dmp

Filesize
224KB

Download
memory/2652-40-0x00000000001F0000-0x0000000000228000-memory.dmp

Filesize
224KB

Download
memory/2684-31-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2684-19-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download