94e5783ba9e9391c76bdd9cfc5a1fc9f10b7a37b5c069fd080e882bbccbb5d41

Analysis

max time kernel
153s
max time network
126s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
15/10/2023, 19:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e602bc567cb1acf6a5386a583cd2bad0_exe32.exe
Size

666KB
MD5

e602bc567cb1acf6a5386a583cd2bad0
SHA1

9dd4788ab7f8ec5f510181a52a37c328f1aef531
SHA256

94e5783ba9e9391c76bdd9cfc5a1fc9f10b7a37b5c069fd080e882bbccbb5d41
SHA512

6a168f14817d1f969afb305ce8f4a189c948a3c568a0af395eb9db6b1227390c2e02df11eb3b87537d0a2eb6e966b96e30046af8861f4dde639d7f1f97b64665
SSDEEP

12288:8+P0zj7rHErYXG2zp4MIO98soIWm3kCCSi6chICHzG+xPM/L/IQCtCLfDG2YI8f:Ior0G2N4zOKsoIbBSRzfZoL/I5CLbHYv

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2096	EXEA3BE.tmp

Loads dropped DLL 2 IoCs

pid	Process
2824	e602bc567cb1acf6a5386a583cd2bad0_exe32.exe
2824	e602bc567cb1acf6a5386a583cd2bad0_exe32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2096	EXEA3BE.tmp
2096	EXEA3BE.tmp

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 2096	2824	e602bc567cb1acf6a5386a583cd2bad0_exe32.exe	28
PID 2824 wrote to memory of 2096	2824	e602bc567cb1acf6a5386a583cd2bad0_exe32.exe	28
PID 2824 wrote to memory of 2096	2824	e602bc567cb1acf6a5386a583cd2bad0_exe32.exe	28
PID 2824 wrote to memory of 2096	2824	e602bc567cb1acf6a5386a583cd2bad0_exe32.exe	28
PID 2096 wrote to memory of 2664	2096	EXEA3BE.tmp	29
PID 2096 wrote to memory of 2664	2096	EXEA3BE.tmp	29
PID 2096 wrote to memory of 2664	2096	EXEA3BE.tmp	29
PID 2096 wrote to memory of 2664	2096	EXEA3BE.tmp	29

C:\Users\Admin\AppData\Local\Temp\e602bc567cb1acf6a5386a583cd2bad0_exe32.exe
"C:\Users\Admin\AppData\Local\Temp\e602bc567cb1acf6a5386a583cd2bad0_exe32.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Users\Admin\AppData\Local\Temp\EXEA3BE.tmp
  "C:\Users\Admin\AppData\Local\Temp\EXEA3BE.tmp" "C:\Users\Admin\AppData\Local\Temp\OFMA3CF.tmp" "C:\Users\Admin\AppData\Local\Temp\e602bc567cb1acf6a5386a583cd2bad0_exe32.exe" http://www.eomniform.com/OF5/nsplugins/OFMailX.cab http://www.eomniform.com/OF5/nsplugins/OFMailNP.jar http://www.eomniform.com/OF5/nsplugins/OFMailNP.xpi
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2096
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EXEA3BE.tmp

Filesize
1.3MB

MD5
004c10b07231db3fdeec1188c3dea3fa

SHA1
a7af5dcf391d95b3bd186186630b832922f133cd

SHA256
65cc7c7f285b258a2be62aca2cb3fa54de77912af0ab63ad35d4113cca58bf0b

SHA512
528c7dbab0c441f9bab99d4078f47ffeec590fedd587ebee515723fa97f35b07d1961f0ba4a4cb6840b858c26ab5730f1e11b21b6138950926fdc4b32f5e0f62

Download Submit
C:\Users\Admin\AppData\Local\Temp\EXEA3BE.tmp

Filesize
1.3MB

MD5
004c10b07231db3fdeec1188c3dea3fa

SHA1
a7af5dcf391d95b3bd186186630b832922f133cd

SHA256
65cc7c7f285b258a2be62aca2cb3fa54de77912af0ab63ad35d4113cca58bf0b

SHA512
528c7dbab0c441f9bab99d4078f47ffeec590fedd587ebee515723fa97f35b07d1961f0ba4a4cb6840b858c26ab5730f1e11b21b6138950926fdc4b32f5e0f62

Download Submit
C:\Users\Admin\AppData\Local\Temp\OFMA3CF.tmp

Filesize
240KB

MD5
62770bfb88626080b17adb099712a379

SHA1
9d9659dc80878ffef2ee70205b9b6a74d869affe

SHA256
12c8e83752185948b6b53647729241286e47c9ea18d72faf794a6701ccb50770

SHA512
68358ffd178f1dac843a466e277524924a888b92b6dada423f423c740bf51ad0fd1c8f1ba7cf44c706966d6034b3ccb9b2fec68b06a657acc7afde74f137e047

Download Submit
\Users\Admin\AppData\Local\Temp\EXEA3BE.tmp

Filesize
1.3MB

MD5
004c10b07231db3fdeec1188c3dea3fa

SHA1
a7af5dcf391d95b3bd186186630b832922f133cd

SHA256
65cc7c7f285b258a2be62aca2cb3fa54de77912af0ab63ad35d4113cca58bf0b

SHA512
528c7dbab0c441f9bab99d4078f47ffeec590fedd587ebee515723fa97f35b07d1961f0ba4a4cb6840b858c26ab5730f1e11b21b6138950926fdc4b32f5e0f62

Download Submit
\Users\Admin\AppData\Local\Temp\EXEA3BE.tmp

Filesize
1.3MB

MD5
004c10b07231db3fdeec1188c3dea3fa

SHA1
a7af5dcf391d95b3bd186186630b832922f133cd

SHA256
65cc7c7f285b258a2be62aca2cb3fa54de77912af0ab63ad35d4113cca58bf0b

SHA512
528c7dbab0c441f9bab99d4078f47ffeec590fedd587ebee515723fa97f35b07d1961f0ba4a4cb6840b858c26ab5730f1e11b21b6138950926fdc4b32f5e0f62

Download Submit