12f27fea929f11c679b764a88a3089842a958534b97b46bef2908c05e2780492

Analysis

max time kernel
121s
max time network
155s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 12:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e3bbd637b5545c596fd145f184dce4d.exe
Size

276KB
MD5

1e3bbd637b5545c596fd145f184dce4d
SHA1

426c55026e7f84c7a937b5562022c40593d8e6f8
SHA256

12f27fea929f11c679b764a88a3089842a958534b97b46bef2908c05e2780492
SHA512

3ebee45e2a5eabbfa76998c53c768b4c55af3e4686eaa29439c87ffd88d4ef4e09c44ece479e2958fd308e3ca6e1d971f99b97f7db1c2410a4ddd441d809cc68
SSDEEP

3072:jj1MmU5oqP48aNZhmuObQKazLzF/sL9zbEo8BOSsRLl3TsuZfD:jj1Fa43OkbsRnEo6OS8LhwuZL

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2556	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2916	jeuutd.exe

Loads dropped DLL 2 IoCs

pid	Process
2556	cmd.exe
2556	cmd.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2432	PING.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2584 wrote to memory of 2556	2584	1e3bbd637b5545c596fd145f184dce4d.exe	29
PID 2584 wrote to memory of 2556	2584	1e3bbd637b5545c596fd145f184dce4d.exe	29
PID 2584 wrote to memory of 2556	2584	1e3bbd637b5545c596fd145f184dce4d.exe	29
PID 2584 wrote to memory of 2556	2584	1e3bbd637b5545c596fd145f184dce4d.exe	29
PID 2556 wrote to memory of 2916	2556	cmd.exe	31
PID 2556 wrote to memory of 2916	2556	cmd.exe	31
PID 2556 wrote to memory of 2916	2556	cmd.exe	31
PID 2556 wrote to memory of 2916	2556	cmd.exe	31
PID 2556 wrote to memory of 2432	2556	cmd.exe	32
PID 2556 wrote to memory of 2432	2556	cmd.exe	32
PID 2556 wrote to memory of 2432	2556	cmd.exe	32
PID 2556 wrote to memory of 2432	2556	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\1e3bbd637b5545c596fd145f184dce4d.exe
"C:\Users\Admin\AppData\Local\Temp\1e3bbd637b5545c596fd145f184dce4d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2584
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\hlpedis.bat
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Users\Admin\AppData\Local\Temp\jeuutd.exe
    "C:\Users\Admin\AppData\Local\Temp\jeuutd.exe"
    3⤵
    - Executes dropped EXE
    PID:2916
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cbxgkg.bat

Filesize
156B

MD5
91903d1945ef34fd4cb0f5770e0b7cd3

SHA1
5a40bf596aec1ce3a47179e656fd7aab090ad148

SHA256
220a174f89e9cf6732df3f181063e1eab58ab2307114dfce4ffed6813c2a269c

SHA512
05c2b92e966d768e5ab248607a4842e162668f3e843f33dfcd1c0e143c2e6c994feff43f7e0222a43e3a8b1e7d1b489b041bc1c5bcb295bec1684195b0387f2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hlpedis.bat

Filesize
124B

MD5
afd1cf2f4690d9f15774e33553ca104c

SHA1
2db9f009da371299ba0ad87c29894e028b2573f4

SHA256
0ba454f82b46939f99273472e03481e233522844a11c9724e90a075cc22f34ff

SHA512
c24aa879f6fe8cbc85235866b0002f41da108f670326c61a415e3074d545f291739b3ccaedeebd5e8dab4285a69acbf2be543ae0ec2e20baa091d46cde3dc50f

Download Submit
C:\Users\Admin\AppData\Local\Temp\jeuutd.exe

Filesize
176KB

MD5
cca8841d51ff112d587559f38361454d

SHA1
8de9cc4c06ae22400cbd4546253d0a84502180c7

SHA256
9b17f60f8b9e4490fc2dec60de100cf01d4abfc42ec9eccf1c8410b8b4dd0909

SHA512
3bb54aae371ab0b645cf835ddc7e12122bd66676b39c19a9de84e69e12d5c35ab78e3a5dafa5ca0940171395e4563ea9562c62fdc37c6eefff01709172864af7

Download Submit