Overview

overview

7

Static

static

3

0835d81542...4d.exe

windows7-x64

7

0835d81542...4d.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    143s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    19-12-2023 10:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0835d81542acc50b9579f99eca83a64d.exe

  • Size

    430KB

  • MD5

    0835d81542acc50b9579f99eca83a64d

  • SHA1

    fc30d49e99f4be296d0feac5ef25bd3967b8161f

  • SHA256

    ad2526deb219d4c2707553763eb672e5839b685434e2970c93bfe6551d43e18a

  • SHA512

    f6f602009ddbd2b65ac69d6a05dd47167f96076f2cfcd3c87cd0951169be483bbda1848aa719a2f23c6de708e649665c5a5b0227edd71c4c5acfc4562efa1e63

  • SSDEEP

    12288:ibee0PGl89WazvzkmMxM+ltxQMAn0Iv1b70ZSf2R:2edGBazvZMHltxtIv1bUS+R

Score
7/10
persistence

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS1.vbs"
    1⤵
      PID:2736
    • C:\Users\Admin\AppData\Local\Temp\0835d81542acc50b9579f99eca83a64d.exe
      "C:\Users\Admin\AppData\Local\Temp\0835d81542acc50b9579f99eca83a64d.exe"
      1⤵
      • Drops startup file
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious behavior: RenamesItself
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1992

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\VBS1.vbs
      Filesize

      653B

      MD5

      f565653bd58d3b14e359cb2b9f25f2a3

      SHA1

      467bb42be48f0fc6890e53511e7250da2bd28d3c

      SHA256

      30249448fb3f49277c0e3a57ac012b261f47aec0e16a064acbc2ab9bb7093009

      SHA512

      daf4196839ce22781a90e6eb8dff8739aa0c5dae8b9c04710f95b459ef0b6ceabd0c806a33defee7a43d589dd1fb79a75b1c8bde64bbf9c4302223a2626fd9fe

      Download Submit

    • \System32\0835d81542acc50b9579f99eca83a64d.exe
      Filesize

      430KB

      MD5

      936ac0b8ff6239fa6f9de4e9fd7a9744

      SHA1

      f559fdb5728a3d13df3fa8c75997042f6b841f4c

      SHA256

      cdb6a6b41541677b5e8a4f325d88e35c10e7fbe64abc15bfe4525b95b8d36247

      SHA512

      7bd7ccb17001862d8f19991601ecdf75684b824bb3c18f4bf063f0c25a09d48c02e8147b7307ec5a5743d6dc968d85115460bfc5dd47ff228319b3e084df5af9

      Download Submit

    • memory/1992-6-0x0000000000620000-0x0000000000630000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1992-0-0x0000000000400000-0x0000000000575000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/1992-13-0x0000000000400000-0x0000000000575000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/1992-14-0x0000000000620000-0x0000000000630000-memory.dmp

      Filesize

      64KB

      Download