94e024435cc8cafb2705bf98e9551feaa5d2ab426fcbcef9efde59fe9ccb9e53

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
01/11/2023, 06:26 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9865456789TH.exe
Size

598KB
MD5

958cb95438ce3e87d4589459ad9f1dc1
SHA1

428567998143c6a0fd8cce178335fef7c26078a4
SHA256

94e024435cc8cafb2705bf98e9551feaa5d2ab426fcbcef9efde59fe9ccb9e53
SHA512

54596923d98f5708165e37b1f0e4ccecb5d89cb1a9b2b985fdc9176bb010bf790c9426ed7844793246852d4bec3324a86e3d87d81508e40c60e505fc942148e8
SSDEEP

12288:wY7Y+3xUeQyX7sfNSjTZZmel48MCaHg82TfsDKC7wYgJctv:wY7YWzwfNy8el4XA8SC7wYFN

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1460	vlfaghzaa.exe
2304	vlfaghzaa.exe

Loads dropped DLL 2 IoCs

pid	Process
1728	9865456789TH.exe
1460	vlfaghzaa.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1460 set thread context of 2304	1460	vlfaghzaa.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1460	vlfaghzaa.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2304	vlfaghzaa.exe
2304	vlfaghzaa.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 1460	1728	9865456789TH.exe	28
PID 1728 wrote to memory of 1460	1728	9865456789TH.exe	28
PID 1728 wrote to memory of 1460	1728	9865456789TH.exe	28
PID 1728 wrote to memory of 1460	1728	9865456789TH.exe	28
PID 1460 wrote to memory of 2304	1460	vlfaghzaa.exe	29
PID 1460 wrote to memory of 2304	1460	vlfaghzaa.exe	29
PID 1460 wrote to memory of 2304	1460	vlfaghzaa.exe	29
PID 1460 wrote to memory of 2304	1460	vlfaghzaa.exe	29
PID 1460 wrote to memory of 2304	1460	vlfaghzaa.exe	29

C:\Users\Admin\AppData\Local\Temp\9865456789TH.exe
"C:\Users\Admin\AppData\Local\Temp\9865456789TH.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Users\Admin\AppData\Local\Temp\vlfaghzaa.exe
  "C:\Users\Admin\AppData\Local\Temp\vlfaghzaa.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1460
- - C:\Users\Admin\AppData\Local\Temp\vlfaghzaa.exe
    "C:\Users\Admin\AppData\Local\Temp\vlfaghzaa.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dbqxwhbe.gzs

Filesize
682KB

MD5
69e1e1238920c650b5398afb5af3e844

SHA1
04d2165532b4b37ff897317a90b31c0833be35b7

SHA256
f97a2c8e33f2da28a02e1c2349716f8dea91edee3fcd16b4f9b2cda12d588cf4

SHA512
5df43fef3ef85125d036ff219fa02f6d97382c92260c9062783b67ba6c98f49a8afb7bb026d55cecbc9d9b93a3a255c35bf297d43ee58b27e004a10bebcfdd11

Download Submit
C:\Users\Admin\AppData\Local\Temp\vlfaghzaa.exe

Filesize
165KB

MD5
f32db1d909e9cf2c692f6586af892b6e

SHA1
9aa3f0f3acc59deea13f50f1d356f2db1d3dc079

SHA256
f1383737a2b449e57fffc5c922bea3d79a367b3ae76928b08506f1983bc061c9

SHA512
31cfcfaff95066cd5fe83baaef8bafb0cd64836cc252db766d680cb92f9fc191c3819a53bc17013d5f99d955a05ff2a6c741c1dd4ed362a563a981413e014162

Download Submit
C:\Users\Admin\AppData\Local\Temp\vlfaghzaa.exe

Filesize
165KB

MD5
f32db1d909e9cf2c692f6586af892b6e

SHA1
9aa3f0f3acc59deea13f50f1d356f2db1d3dc079

SHA256
f1383737a2b449e57fffc5c922bea3d79a367b3ae76928b08506f1983bc061c9

SHA512
31cfcfaff95066cd5fe83baaef8bafb0cd64836cc252db766d680cb92f9fc191c3819a53bc17013d5f99d955a05ff2a6c741c1dd4ed362a563a981413e014162

Download Submit
C:\Users\Admin\AppData\Local\Temp\vlfaghzaa.exe

Filesize
165KB

MD5
f32db1d909e9cf2c692f6586af892b6e

SHA1
9aa3f0f3acc59deea13f50f1d356f2db1d3dc079

SHA256
f1383737a2b449e57fffc5c922bea3d79a367b3ae76928b08506f1983bc061c9

SHA512
31cfcfaff95066cd5fe83baaef8bafb0cd64836cc252db766d680cb92f9fc191c3819a53bc17013d5f99d955a05ff2a6c741c1dd4ed362a563a981413e014162

Download Submit
\Users\Admin\AppData\Local\Temp\vlfaghzaa.exe

Filesize
165KB

MD5
f32db1d909e9cf2c692f6586af892b6e

SHA1
9aa3f0f3acc59deea13f50f1d356f2db1d3dc079

SHA256
f1383737a2b449e57fffc5c922bea3d79a367b3ae76928b08506f1983bc061c9

SHA512
31cfcfaff95066cd5fe83baaef8bafb0cd64836cc252db766d680cb92f9fc191c3819a53bc17013d5f99d955a05ff2a6c741c1dd4ed362a563a981413e014162

Download Submit
\Users\Admin\AppData\Local\Temp\vlfaghzaa.exe

Filesize
165KB

MD5
f32db1d909e9cf2c692f6586af892b6e

SHA1
9aa3f0f3acc59deea13f50f1d356f2db1d3dc079

SHA256
f1383737a2b449e57fffc5c922bea3d79a367b3ae76928b08506f1983bc061c9

SHA512
31cfcfaff95066cd5fe83baaef8bafb0cd64836cc252db766d680cb92f9fc191c3819a53bc17013d5f99d955a05ff2a6c741c1dd4ed362a563a981413e014162

Download Submit
memory/1460-6-0x00000000000F0000-0x00000000000F2000-memory.dmp

Filesize
8KB

Download
memory/2304-10-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2304-14-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2304-18-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download