Analysis

max time kernel:  121s
max time network: 126s
platform:         windows7_x64
resource:         win7-20231215-en
resource tags:    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted:        20/12/2023, 16:43

Behavioral task behavioral1
  Sample:   ebae09af0151622f220b7ee8064888d3.exe
  Resource: win7-20231215-en

Behavioral task behavioral2
  Sample:   ebae09af0151622f220b7ee8064888d3.exe
  Resource: win10v2004-20231215-en

General

Target: ebae09af0151622f220b7ee8064888d3.exe
Size:   1.7MB
MD5:    ebae09af0151622f220b7ee8064888d3
SHA1:   6389eee71107af709c1ebb9da83c56f6b85497d6
SHA256: 84d08bdfdf8412eb1991c35edc00539d55634d9f994af7bb8830deb103da64a9
SHA512: 301132361cc323a4191888ab19ead3a1795aedb5ee46af9c205fdab69dfbeb3abbe4d6578ce263005bf2ee69e932ece8eb067d24450ed30c4ccfbb0a17b83061
SSDEEP: 49152:fU6BpvNqcepKVqbwXahdZAD0LcQp/f2RxIfr5:c6neKV0jX2Xa5
Malware Config
Signatures

- Executes dropped EXE (2 IoCs)
  pid   Process
  1900  y6j0nqP.exe
  1392  Explorer.EXE

- Loads dropped DLL (2 IoCs)
  pid   Process
  1104  ebae09af0151622f220b7ee8064888d3.exe
  1900  y6j0nqP.exe

- yara_rule matches
  resource                                                                     yara_rule
  behavioral1/memory/1104-0-0x0000000000960000-0x0000000000CC7000-memory.dmp   vmprotect
  behavioral1/memory/1104-9-0x0000000000960000-0x0000000000CC7000-memory.dmp   vmprotect
  behavioral1/files/0x0007000000016c74-18.dat                                  vmprotect
  behavioral1/memory/1900-23-0x000000013F620000-0x000000013F69A000-memory.dmp  vmprotect
  behavioral1/memory/1900-24-0x000000013F620000-0x000000013F69A000-memory.dmp  vmprotect
  behavioral1/memory/1900-35-0x000000013F620000-0x000000013F69A000-memory.dmp  vmprotect
  behavioral1/memory/1104-36-0x0000000000960000-0x0000000000CC7000-memory.dmp  vmprotect

- Maps connected drives based on registry (3 TTPs, 4 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  description        ioc                                                          Process
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum    ebae09af0151622f220b7ee8064888d3.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  ebae09af0151622f220b7ee8064888d3.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum    Explorer.EXE
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  Explorer.EXE

- Drops file in System32 directory (2 IoCs)
  description                   ioc                                  Process
  File opened for modification  \??\c:\windows\SysWOW64\lz_scby.txt  ebae09af0151622f220b7ee8064888d3.exe
  File created                  \??\c:\windows\SysWOW64\lz_scby.txt  ebae09af0151622f220b7ee8064888d3.exe

- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid   Process
  1104  ebae09af0151622f220b7ee8064888d3.exe
  1900  y6j0nqP.exe

- Drops file in Windows directory (5 IoCs)
  description                   ioc                                                  Process
  File created                  C:\Windows\SCBYDL\qY1kvol.dll                        ebae09af0151622f220b7ee8064888d3.exe
  File created                  C:\Windows\SCBYDL\y6j0nqP.exe                        ebae09af0151622f220b7ee8064888d3.exe
  File opened for modification  C:\Windows\r0kdt\                                    Explorer.EXE
  File opened for modification  C:\Windows\SCBYDL\                                   ebae09af0151622f220b7ee8064888d3.exe
  File created                  C:\Windows\SCBYDL\25badd61d366786808b6eebb3279cb77   ebae09af0151622f220b7ee8064888d3.exe

- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid   Process
  1104  ebae09af0151622f220b7ee8064888d3.exe
  1104  ebae09af0151622f220b7ee8064888d3.exe
  1104  ebae09af0151622f220b7ee8064888d3.exe
  1104  ebae09af0151622f220b7ee8064888d3.exe
  1104  ebae09af0151622f220b7ee8064888d3.exe

- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description                        pid   Process
  Token: SeDebugPrivilege            1900  y6j0nqP.exe
  Token: 33                          1392  Explorer.EXE
  Token: SeIncBasePriorityPrivilege  1392  Explorer.EXE
  Token: 33                          1392  Explorer.EXE
  Token: SeIncBasePriorityPrivilege  1392  Explorer.EXE

- Suspicious use of UnmapMainImage (1 IoCs)
  pid   Process
  1392  Explorer.EXE

- Suspicious use of WriteProcessMemory (5 IoCs)
  description                       pid   Process                               procid_target
  PID 1104 wrote to memory of 1900  1104  ebae09af0151622f220b7ee8064888d3.exe  28
  PID 1104 wrote to memory of 1900  1104  ebae09af0151622f220b7ee8064888d3.exe  28
  PID 1104 wrote to memory of 1900  1104  ebae09af0151622f220b7ee8064888d3.exe  28
  PID 1104 wrote to memory of 1900  1104  ebae09af0151622f220b7ee8064888d3.exe  28
  PID 1900 wrote to memory of 1392  1900  y6j0nqP.exe                           11
Processes

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1392
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage

  C:\Users\Admin\AppData\Local\Temp\ebae09af0151622f220b7ee8064888d3.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ebae09af0151622f220b7ee8064888d3.exe"
    PID: 1104
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\SCBYDL\y6j0nqP.exe
      Command line: C:/Windows/SCBYDL/y6j0nqP.exe /runp2p:C:/Windows/SCBYDL/qY1kvol.dll
      PID: 1900
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory