df7104bd49961e1ae6e3741221e0cb3b5a8744f945533060910a076fe1aadf66

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
28-11-2023 08:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IMP-MMO-0208.exe
Size

346KB
MD5

0d6f9bf68f8ddb1be846dfe11dafa819
SHA1

a7e4ab95599e17b43571bc21cd98e0b350dc2c59
SHA256

df7104bd49961e1ae6e3741221e0cb3b5a8744f945533060910a076fe1aadf66
SHA512

bce42022878f77a25342bad3228bf913ba69d1bad09c243f070b19abcf998f44eb37459fc969c657e5d3246923106d546bba16854055ad2180bec120dee7cadb
SSDEEP

6144:qBlL/e2xIR8lf98JrWKq/BViyyAt7lKmeiUC8zhoSSMidXI8sSVHkvD8:Q0EfirXqRgZiSS14lSBkQ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2292	ymjhh.exe
2404	ymjhh.exe

Loads dropped DLL 6 IoCs

pid	Process
1072	IMP-MMO-0208.exe
1072	IMP-MMO-0208.exe
2292	ymjhh.exe
2672	WerFault.exe
2672	WerFault.exe
2672	WerFault.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2292 set thread context of 2404	2292	ymjhh.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2672	2404	WerFault.exe	29

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2292	ymjhh.exe
2292	ymjhh.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1072 wrote to memory of 2292	1072	IMP-MMO-0208.exe	28
PID 1072 wrote to memory of 2292	1072	IMP-MMO-0208.exe	28
PID 1072 wrote to memory of 2292	1072	IMP-MMO-0208.exe	28
PID 1072 wrote to memory of 2292	1072	IMP-MMO-0208.exe	28
PID 2292 wrote to memory of 2404	2292	ymjhh.exe	29
PID 2292 wrote to memory of 2404	2292	ymjhh.exe	29
PID 2292 wrote to memory of 2404	2292	ymjhh.exe	29
PID 2292 wrote to memory of 2404	2292	ymjhh.exe	29
PID 2292 wrote to memory of 2404	2292	ymjhh.exe	29
PID 2404 wrote to memory of 2672	2404	ymjhh.exe	30
PID 2404 wrote to memory of 2672	2404	ymjhh.exe	30
PID 2404 wrote to memory of 2672	2404	ymjhh.exe	30
PID 2404 wrote to memory of 2672	2404	ymjhh.exe	30

C:\Users\Admin\AppData\Local\Temp\IMP-MMO-0208.exe
"C:\Users\Admin\AppData\Local\Temp\IMP-MMO-0208.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1072
- C:\Users\Admin\AppData\Local\Temp\ymjhh.exe
  "C:\Users\Admin\AppData\Local\Temp\ymjhh.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2292
- - C:\Users\Admin\AppData\Local\Temp\ymjhh.exe
    "C:\Users\Admin\AppData\Local\Temp\ymjhh.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2404
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2404 -s 36
      4⤵
      Loads dropped DLL
      Program crash
      PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\yequkx.g

Filesize
231KB

MD5
9ad02f7fd59d92d047d76946cfcbe49a

SHA1
8f5a1a99438068f5cd1fdd11a86686cac4a2ff2d

SHA256
fdc4cbc5198c6a135353dcfb42581d94a668a8ab55174c1a1771128e88a2f740

SHA512
a29e1d30bec7592868de9138a24c1626fa0a322f335d330f0d7c6300f9c5ec66dc2b6a54084995ef7e73980db5b6fe7cfd1e7c53bdd8497b71a9a384f4a478b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ymjhh.exe

Filesize
176KB

MD5
b56ca65f59748ae4066a5ae4989ada3e

SHA1
8954717bfc89a1b8e64b544fc679537206eec65b

SHA256
85206c57b0aeeb7a0ea61106b70e06b75052b003a5b061a00b7cf48b2cecae8e

SHA512
16f2f7aef1585bd9374af01110721ce3ae0b973d4c080032ef98dc1c008f6d493a94d58f6abc4728ec7bcf4f59022c7b9f9bb81d1a10f712a19cd369cf598b80

Download Submit
C:\Users\Admin\AppData\Local\Temp\ymjhh.exe

Filesize
176KB

MD5
b56ca65f59748ae4066a5ae4989ada3e

SHA1
8954717bfc89a1b8e64b544fc679537206eec65b

SHA256
85206c57b0aeeb7a0ea61106b70e06b75052b003a5b061a00b7cf48b2cecae8e

SHA512
16f2f7aef1585bd9374af01110721ce3ae0b973d4c080032ef98dc1c008f6d493a94d58f6abc4728ec7bcf4f59022c7b9f9bb81d1a10f712a19cd369cf598b80

Download Submit
C:\Users\Admin\AppData\Local\Temp\ymjhh.exe

Filesize
176KB

MD5
b56ca65f59748ae4066a5ae4989ada3e

SHA1
8954717bfc89a1b8e64b544fc679537206eec65b

SHA256
85206c57b0aeeb7a0ea61106b70e06b75052b003a5b061a00b7cf48b2cecae8e

SHA512
16f2f7aef1585bd9374af01110721ce3ae0b973d4c080032ef98dc1c008f6d493a94d58f6abc4728ec7bcf4f59022c7b9f9bb81d1a10f712a19cd369cf598b80

Download Submit
C:\Users\Admin\AppData\Local\Temp\ymjhh.exe

Filesize
176KB

MD5
b56ca65f59748ae4066a5ae4989ada3e

SHA1
8954717bfc89a1b8e64b544fc679537206eec65b

SHA256
85206c57b0aeeb7a0ea61106b70e06b75052b003a5b061a00b7cf48b2cecae8e

SHA512
16f2f7aef1585bd9374af01110721ce3ae0b973d4c080032ef98dc1c008f6d493a94d58f6abc4728ec7bcf4f59022c7b9f9bb81d1a10f712a19cd369cf598b80

Download Submit
\Users\Admin\AppData\Local\Temp\ymjhh.exe

Filesize
176KB

MD5
b56ca65f59748ae4066a5ae4989ada3e

SHA1
8954717bfc89a1b8e64b544fc679537206eec65b

SHA256
85206c57b0aeeb7a0ea61106b70e06b75052b003a5b061a00b7cf48b2cecae8e

SHA512
16f2f7aef1585bd9374af01110721ce3ae0b973d4c080032ef98dc1c008f6d493a94d58f6abc4728ec7bcf4f59022c7b9f9bb81d1a10f712a19cd369cf598b80

Download Submit
\Users\Admin\AppData\Local\Temp\ymjhh.exe

Filesize
176KB

MD5
b56ca65f59748ae4066a5ae4989ada3e

SHA1
8954717bfc89a1b8e64b544fc679537206eec65b

SHA256
85206c57b0aeeb7a0ea61106b70e06b75052b003a5b061a00b7cf48b2cecae8e

SHA512
16f2f7aef1585bd9374af01110721ce3ae0b973d4c080032ef98dc1c008f6d493a94d58f6abc4728ec7bcf4f59022c7b9f9bb81d1a10f712a19cd369cf598b80

Download Submit
\Users\Admin\AppData\Local\Temp\ymjhh.exe

Filesize
176KB

MD5
b56ca65f59748ae4066a5ae4989ada3e

SHA1
8954717bfc89a1b8e64b544fc679537206eec65b

SHA256
85206c57b0aeeb7a0ea61106b70e06b75052b003a5b061a00b7cf48b2cecae8e

SHA512
16f2f7aef1585bd9374af01110721ce3ae0b973d4c080032ef98dc1c008f6d493a94d58f6abc4728ec7bcf4f59022c7b9f9bb81d1a10f712a19cd369cf598b80

Download Submit
\Users\Admin\AppData\Local\Temp\ymjhh.exe

Filesize
176KB

MD5
b56ca65f59748ae4066a5ae4989ada3e

SHA1
8954717bfc89a1b8e64b544fc679537206eec65b

SHA256
85206c57b0aeeb7a0ea61106b70e06b75052b003a5b061a00b7cf48b2cecae8e

SHA512
16f2f7aef1585bd9374af01110721ce3ae0b973d4c080032ef98dc1c008f6d493a94d58f6abc4728ec7bcf4f59022c7b9f9bb81d1a10f712a19cd369cf598b80

Download Submit
\Users\Admin\AppData\Local\Temp\ymjhh.exe

Filesize
176KB

MD5
b56ca65f59748ae4066a5ae4989ada3e

SHA1
8954717bfc89a1b8e64b544fc679537206eec65b

SHA256
85206c57b0aeeb7a0ea61106b70e06b75052b003a5b061a00b7cf48b2cecae8e

SHA512
16f2f7aef1585bd9374af01110721ce3ae0b973d4c080032ef98dc1c008f6d493a94d58f6abc4728ec7bcf4f59022c7b9f9bb81d1a10f712a19cd369cf598b80

Download Submit
\Users\Admin\AppData\Local\Temp\ymjhh.exe

Filesize
176KB

MD5
b56ca65f59748ae4066a5ae4989ada3e

SHA1
8954717bfc89a1b8e64b544fc679537206eec65b

SHA256
85206c57b0aeeb7a0ea61106b70e06b75052b003a5b061a00b7cf48b2cecae8e

SHA512
16f2f7aef1585bd9374af01110721ce3ae0b973d4c080032ef98dc1c008f6d493a94d58f6abc4728ec7bcf4f59022c7b9f9bb81d1a10f712a19cd369cf598b80

Download Submit
memory/2292-9-0x00000000000E0000-0x00000000000E2000-memory.dmp

Filesize
8KB

Download
memory/2404-13-0x0000000000070000-0x00000000000A5000-memory.dmp

Filesize
212KB

Download