6e1786f02806e9a638dc5ef0e530922200eae76024fcbda627dad615a41cbcfd

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 06:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0cc04adf15e049e1a20ce8ad651da920.exe
Size

61KB
MD5

0cc04adf15e049e1a20ce8ad651da920
SHA1

7debabc2a9bb1e13e17311208eb02fd304b077e6
SHA256

6e1786f02806e9a638dc5ef0e530922200eae76024fcbda627dad615a41cbcfd
SHA512

a919882d5667a460d002a496d1cd9bc5ccc48872b9d1731247758a5a6a04c7d238f32a86cf15a3dd147aa5267001f4d5e5872b938d7394f623d4c6ccecb1c3a9
SSDEEP

1536:h2KruHrFUU8uPBgdgEUPAxjDriTm7MozSq:9uFJPud7lxjDDj

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2692	obqrdicsrkdjlvb.exe

Loads dropped DLL 2 IoCs

pid	Process
3028	0cc04adf15e049e1a20ce8ad651da920.exe
3028	0cc04adf15e049e1a20ce8ad651da920.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\obqrdicsrkdjlvb.exe	0cc04adf15e049e1a20ce8ad651da920.exe
File opened for modification	C:\Windows\SysWOW64\_tmp9877	0cc04adf15e049e1a20ce8ad651da920.exe
File created	C:\Windows\SysWOW64\_tmp9877	0cc04adf15e049e1a20ce8ad651da920.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2692	obqrdicsrkdjlvb.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 2692	3028	0cc04adf15e049e1a20ce8ad651da920.exe	28
PID 3028 wrote to memory of 2692	3028	0cc04adf15e049e1a20ce8ad651da920.exe	28
PID 3028 wrote to memory of 2692	3028	0cc04adf15e049e1a20ce8ad651da920.exe	28
PID 3028 wrote to memory of 2692	3028	0cc04adf15e049e1a20ce8ad651da920.exe	28

C:\Users\Admin\AppData\Local\Temp\0cc04adf15e049e1a20ce8ad651da920.exe
"C:\Users\Admin\AppData\Local\Temp\0cc04adf15e049e1a20ce8ad651da920.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Windows\SysWOW64\obqrdicsrkdjlvb.exe
  "C:\Windows\system32\obqrdicsrkdjlvb.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\obqrdicsrkdjlvb.exe

Filesize
24KB

MD5
7117f4fe31f90617db9f4d104a2a89df

SHA1
b2bb751d196f693062a86625ba5f25941e8e24c2

SHA256
d93cf96edcf138bb9a7c61de5c63970f7c1787b677680783b49df13f4339763a

SHA512
78c065968eee8d998e8126e8163cd4770ce5c43e03c5c0ce7561c14f34bfe5abf235994da3495ee9b4817aee42137b02af286a2faad0ea4f26b5372068e9837c

Download Submit