79e94a3dd1b5181c06285d98607af16f3348ad87b09cae353f1e72dd440ef2eb

Analysis

max time kernel
144s
max time network
145s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 11:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c652eeed320fb8e75400665ff029317.exe
Size

244KB
MD5

1c652eeed320fb8e75400665ff029317
SHA1

fde375c8160c88f4f1bd7fa941ca0ec0da924579
SHA256

79e94a3dd1b5181c06285d98607af16f3348ad87b09cae353f1e72dd440ef2eb
SHA512

da2af94f58c8031c7d8dbe46bde4419005988cf0353b05c44519b06688c01e6b72205be7e6356987ba00953b565a7a76c49bb7e9090cd2cc1947a9767f7d86a7
SSDEEP

3072:JzcT1qnOfXiNwvu9j0g2bwRWCMWTS9Jr3xg/XeT2v/a3/E7NoMrOjFb3AQeF:JAoOfyNwK0g2M8EoJrBSua/aNQR

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2432	svchost.exe

Loads dropped DLL 11 IoCs

pid	Process
320	regsvr32.exe
2324	regsvr32.exe
2800	regsvr32.exe
1736	1c652eeed320fb8e75400665ff029317.exe
1736	1c652eeed320fb8e75400665ff029317.exe
2828	regsvr32.exe
2852	regsvr32.exe
2812	regsvr32.exe
2984	regsvr32.exe
2884	regsvr32.exe
2620	regsvr32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\alg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\vbzip11.dll	svchost.exe
File opened for modification	C:\Windows\SysWOW64\vbzip11.dll	1c652eeed320fb8e75400665ff029317.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1736	1c652eeed320fb8e75400665ff029317.exe
2432	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 320	1736	1c652eeed320fb8e75400665ff029317.exe	26
PID 1736 wrote to memory of 320	1736	1c652eeed320fb8e75400665ff029317.exe	26
PID 1736 wrote to memory of 320	1736	1c652eeed320fb8e75400665ff029317.exe	26
PID 1736 wrote to memory of 320	1736	1c652eeed320fb8e75400665ff029317.exe	26
PID 1736 wrote to memory of 320	1736	1c652eeed320fb8e75400665ff029317.exe	26
PID 1736 wrote to memory of 320	1736	1c652eeed320fb8e75400665ff029317.exe	26
PID 1736 wrote to memory of 320	1736	1c652eeed320fb8e75400665ff029317.exe	26
PID 1736 wrote to memory of 2324	1736	1c652eeed320fb8e75400665ff029317.exe	25
PID 1736 wrote to memory of 2324	1736	1c652eeed320fb8e75400665ff029317.exe	25
PID 1736 wrote to memory of 2324	1736	1c652eeed320fb8e75400665ff029317.exe	25
PID 1736 wrote to memory of 2324	1736	1c652eeed320fb8e75400665ff029317.exe	25
PID 1736 wrote to memory of 2324	1736	1c652eeed320fb8e75400665ff029317.exe	25
PID 1736 wrote to memory of 2324	1736	1c652eeed320fb8e75400665ff029317.exe	25
PID 1736 wrote to memory of 2324	1736	1c652eeed320fb8e75400665ff029317.exe	25
PID 1736 wrote to memory of 2800	1736	1c652eeed320fb8e75400665ff029317.exe	24
PID 1736 wrote to memory of 2800	1736	1c652eeed320fb8e75400665ff029317.exe	24
PID 1736 wrote to memory of 2800	1736	1c652eeed320fb8e75400665ff029317.exe	24
PID 1736 wrote to memory of 2800	1736	1c652eeed320fb8e75400665ff029317.exe	24
PID 1736 wrote to memory of 2800	1736	1c652eeed320fb8e75400665ff029317.exe	24
PID 1736 wrote to memory of 2800	1736	1c652eeed320fb8e75400665ff029317.exe	24
PID 1736 wrote to memory of 2800	1736	1c652eeed320fb8e75400665ff029317.exe	24
PID 1736 wrote to memory of 2432	1736	1c652eeed320fb8e75400665ff029317.exe	23
PID 1736 wrote to memory of 2432	1736	1c652eeed320fb8e75400665ff029317.exe	23
PID 1736 wrote to memory of 2432	1736	1c652eeed320fb8e75400665ff029317.exe	23
PID 1736 wrote to memory of 2432	1736	1c652eeed320fb8e75400665ff029317.exe	23
PID 2432 wrote to memory of 2828	2432	svchost.exe	22
PID 2432 wrote to memory of 2828	2432	svchost.exe	22
PID 2432 wrote to memory of 2828	2432	svchost.exe	22
PID 2432 wrote to memory of 2828	2432	svchost.exe	22
PID 2432 wrote to memory of 2828	2432	svchost.exe	22
PID 2432 wrote to memory of 2828	2432	svchost.exe	22
PID 2432 wrote to memory of 2828	2432	svchost.exe	22
PID 2432 wrote to memory of 2852	2432	svchost.exe	21
PID 2432 wrote to memory of 2852	2432	svchost.exe	21
PID 2432 wrote to memory of 2852	2432	svchost.exe	21
PID 2432 wrote to memory of 2852	2432	svchost.exe	21
PID 2432 wrote to memory of 2852	2432	svchost.exe	21
PID 2432 wrote to memory of 2852	2432	svchost.exe	21
PID 2432 wrote to memory of 2852	2432	svchost.exe	21
PID 2432 wrote to memory of 2812	2432	svchost.exe	20
PID 2432 wrote to memory of 2812	2432	svchost.exe	20
PID 2432 wrote to memory of 2812	2432	svchost.exe	20
PID 2432 wrote to memory of 2812	2432	svchost.exe	20
PID 2432 wrote to memory of 2812	2432	svchost.exe	20
PID 2432 wrote to memory of 2812	2432	svchost.exe	20
PID 2432 wrote to memory of 2812	2432	svchost.exe	20
PID 2432 wrote to memory of 2984	2432	svchost.exe	19
PID 2432 wrote to memory of 2984	2432	svchost.exe	19
PID 2432 wrote to memory of 2984	2432	svchost.exe	19
PID 2432 wrote to memory of 2984	2432	svchost.exe	19
PID 2432 wrote to memory of 2984	2432	svchost.exe	19
PID 2432 wrote to memory of 2984	2432	svchost.exe	19
PID 2432 wrote to memory of 2984	2432	svchost.exe	19
PID 2432 wrote to memory of 2884	2432	svchost.exe	17
PID 2432 wrote to memory of 2884	2432	svchost.exe	17
PID 2432 wrote to memory of 2884	2432	svchost.exe	17
PID 2432 wrote to memory of 2884	2432	svchost.exe	17
PID 2432 wrote to memory of 2884	2432	svchost.exe	17
PID 2432 wrote to memory of 2884	2432	svchost.exe	17
PID 2432 wrote to memory of 2884	2432	svchost.exe	17
PID 2432 wrote to memory of 2620	2432	svchost.exe	18
PID 2432 wrote to memory of 2620	2432	svchost.exe	18
PID 2432 wrote to memory of 2620	2432	svchost.exe	18
PID 2432 wrote to memory of 2620	2432	svchost.exe	18

C:\Users\Admin\AppData\Local\Temp\1c652eeed320fb8e75400665ff029317.exe
"C:\Users\Admin\AppData\Local\Temp\1c652eeed320fb8e75400665ff029317.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  C:\Users\Admin\AppData\Local\Temp\svchost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2432
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32.exe /s "C:\Windows\system32\vbzip11.dll"
  2⤵
  - Loads dropped DLL
  PID:2800
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32.exe /s "C:\Windows\system32\vbzip11.dll"
  2⤵
  - Loads dropped DLL
  PID:2324
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32.exe /s "C:\Windows\system32\vbzip11.dll"
  2⤵
  - Loads dropped DLL
  PID:320

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Windows\system32\vbzip11.dll"
1⤵
- Loads dropped DLL
PID:2884

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Windows\system32\vbzip11.dll"
1⤵
- Loads dropped DLL
PID:2620

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Windows\system32\vbzip11.dll"
1⤵
- Loads dropped DLL
PID:2984

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Windows\system32\vbzip11.dll"
1⤵
- Loads dropped DLL
PID:2812

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Windows\system32\vbzip11.dll"
1⤵
- Loads dropped DLL
PID:2852

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Windows\system32\vbzip11.dll"
1⤵
- Loads dropped DLL
PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
62KB

MD5
1c1f158cf82ff9136fd7c78f3163b760

SHA1
6bd6325d7b5ce50fd3f164da0ad66412d09642c9

SHA256
4a283416d0d2793b36fa625d6749c9cca63385365b64c29f4befb523eb010cf6

SHA512
69d73c57e6dd416be3432d343d9ab0d7ae216cc491106ac9812db2efee04443321aa85242872795c0f6c310e58a0f8aa93133ad14a2a4f4047ec8196b77a53ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
96KB

MD5
aeefee5904dffa932bf88d5d52b1712b

SHA1
4e1a23c0a088f3993def630bbd9a5515c362ddaf

SHA256
10b0317fbc1e89d52dde5f9f45916823aaa76375d673b6e357ad32e02270b5d1

SHA512
d9279e250ce9e5f96bdd1b40765922349645e89a965dfd605632c4f749b78cecc5dcd1b870869e3281c1b17492bfdff2335b862ba11a01e68ed379a9bbb37487

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
128KB

MD5
ec89f8fbcde783cb674424401a513d5f

SHA1
70cdfc540da079252daeb5bc42049be85cba7cc8

SHA256
806caa275b32f8c9d65042330e1189d6826af31f4c39d4f0e5bd019e9a85e371

SHA512
373f95554543bebe26ce55507e62dd60f9be5defe2fe0dba43e037506d8556640bc39bd08c5d0ccc46805d6a763fcd3aa75a5d847b0920cd02919e12fefd740c

Download Submit
C:\Windows\SysWOW64\vbzip11.dll

Filesize
49KB

MD5
b2e6e421ce433ea3003f0d5d35e30d10

SHA1
48476bd4170ff619a7f2ff121042ef4c2ea2da60

SHA256
ae8619df4128059fa81b958eb57c8271932abcc9a7805ce67802e90c755241b8

SHA512
519aeaac6abfa309773c2294b54aee98966a026cf77182dcb5ce12aa43a924e77ac64b213f147e247f2b388c085cf42fc5dd23358a18ce83a6e08d79322e949b

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
102KB

MD5
4d440e50928b12468ce63d09092f7372

SHA1
287e9acde3e573e94e1cd80e16bc2116faf293a9

SHA256
d08cdc4d32e25fc5a2c84308316c92d1d5b7b83e846fd094f9a4b767090eeeec

SHA512
8f238dbf5377084dd03e01dd702d4209c32c27e23b6a4aa053938709f2fe9150e7e73eaf602e8c9a28daab9e8fe98d3ad1883584e175b5ec3ffe54e71926eefd

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
63KB

MD5
b8452910aff4803bc5209189ea80dbd1

SHA1
0f88c105ef9045ad0d60d55dbd3dc1c8914de81a

SHA256
ebaab891964a483d2e71234bd0d83c4ed2250276e3afe304b37e150997c8d759

SHA512
a24ccd3dd3da7498ddb90c86449650aaec5f7bc4c4bfaa2837fbcc2e4985d0a6a6931fc6fdf83bb270f4cf3c48c89ed87392526df1b4d3cb1547cce603a557c7

Download Submit
\Windows\SysWOW64\vbzip11.dll

Filesize
53KB

MD5
77105d1632f163a93d7e206726a5a73e

SHA1
efc4ebc4e13b4509204efedbf30ee9cc04be5017

SHA256
6c7370e39c11be6d6158e840c4eed403966992934e8556ecd49ad53b440d0cef

SHA512
978e710a2d34dc1bcbdc3c1a6bca1c07a291800d999c7ca343f8cb291d8e69fa3aab9f5f8abdb737e65d6acea60e0a1338d7586d56f2f03a66df96a0dc4f4e45

Download Submit
\Windows\SysWOW64\vbzip11.dll

Filesize
92KB

MD5
cb37fd489dc8da98553c86eea986ebda

SHA1
fd3e88dd1a2faaa1211819c35ce49f22a8d47cdf

SHA256
4e1a3792fed3ea7352ee8bdb49d1fd51e2b0f4c84b1bfd503f74bc706f8d686b

SHA512
7e0f6babb6aa5626e10d9765bf35f99d952e9b2cfc5f5679f537c9d2ee10d185ce62ac2485df6abcc4ef224744f329cf512f5765309b8f06845d7921bdf5a67d

Download Submit
\Windows\SysWOW64\vbzip11.dll

Filesize
123KB

MD5
e87d34e5c067ba66992c01ecb67a9eed

SHA1
60ba1fba1a9e8b7995f970b1f1e21e552011da14

SHA256
79f22ebf5e29eddb0428c23375001e4c10f8710c54b1468671b697e8d0742598

SHA512
bb4cb5bf9d5b5c6d2993dddaa8ea870195b6121d4a10c101745c03aa706467284833d475d6e63a4a95da06e0d87aa7ddf182fec81ff2a6ca6379f7d01e0e0060

Download Submit
\Windows\SysWOW64\vbzip11.dll

Filesize
55KB

MD5
5a227e680bde6b96e3388db10754f3b0

SHA1
c47df236e82fa75be7762c1eeb8886a3b84ee4df

SHA256
4ba7ca39b6fb046ed869bb2f8a2a5b31261a8a8e05dd8b447ba1e262f2d0dd47

SHA512
6336c85da810e92c0c1ad481865a4e8343f90c73fe0f07933febe4209ae9c18c83a329fb4f1d92b001b42c298794e53037daf368f247cb5feada502507f68116

Download Submit
\Windows\SysWOW64\vbzip11.dll

Filesize
80KB

MD5
2b8df5e692801e96395c340b37e35d15

SHA1
eec54904d9068408950d487275207023a24c745a

SHA256
727c6b5393b0f80193616abcbbe486fecc57e2d35911204c92932f4d2b9b2445

SHA512
a454e692a457d48d50c5632f34ee4618f9e635ab5c509eb480a664f51c3f152aad655c8005fce8b9931f3a7475cdfa8fc9529a51b373ff9ba28d9ab58a698b95

Download Submit
\Windows\SysWOW64\vbzip11.dll

Filesize
44KB

MD5
b8106f0c29edd0a5a21a827b99e4b70a

SHA1
7fb8ff05c1973317479ef586b3a6942bb2c81a2a

SHA256
336cca21476c0d6a035a9bb9b33a5473cd3710667e1456d06a293e0eedb7a1cb

SHA512
4d7bfb8851e39c826c732101dddd113594992c89bcb3f907e9de8d864e02ef323b87418cf4b81e7dc9d5b8a4a4e4bbe88e35d923890e7a559cc2814f44338d6f

Download Submit
\Windows\SysWOW64\vbzip11.dll

Filesize
82KB

MD5
318a9f257f2db0c6f9cea836a93d4159

SHA1
e725d2ddd29355c9bfaefa8b96e3ee930b24dff6

SHA256
df51913fee643f4b66a5f1534162a515e5eb0f4b13ad86fec5d9d3b1870c7b08

SHA512
75eb1c11b594924f813ed45214a6a94d5dc0210c8c824160355c616f2012b87871b5635b71d126eacc408862daa8d40bee5b0b616a9b2a409a0b79669c4e8dbd

Download Submit
\Windows\SysWOW64\vbzip11.dll

Filesize
71KB

MD5
59d6748a09bfaae103d6534167017021

SHA1
bdf915d3269b4fa8e30f3f72929022f5d739133b

SHA256
a6203ab39df88e3b3467896640118c2f3450087d8c67cf6821e7907c62b396ea

SHA512
1fdc3517b40d042ee2c36c1e32a0df08e72a5981cdb3a552fc3ef272b6a035b3cf2ebe1112a7a241e4fc1d0a11949ad7c5c6f0c73c47d17f4fa042722a1eb593

Download Submit
\Windows\SysWOW64\vbzip11.dll

Filesize
43KB

MD5
41078a0f9149f20df53c21503f5b2ad9

SHA1
bef60c2f9e642668682e2613a16c72fb545847f5

SHA256
a19d3d9a9e498481a43260e3a9b2f63ed5d64c6bd73096c24870955106a2a5a2

SHA512
70ebfd27c7da23b53baed65158b390d1e3d20a24b14e869b3f108025c6068507737705f1099cd2e6bc84bdc7c64ce44e5b011a3c517bf0fbe63c365e85ca218a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads