7c63d9b4328dcdb60631613098bd802338c293a140976f2aace56651cedeb768

Analysis

max time kernel
117s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 16:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2b8f21a7b508f8ab53e37d9c6a66e098.exe
Size

699KB
MD5

2b8f21a7b508f8ab53e37d9c6a66e098
SHA1

a7950828ce474026cd1a448811d95a3b899aaff4
SHA256

7c63d9b4328dcdb60631613098bd802338c293a140976f2aace56651cedeb768
SHA512

29f5168161029aaa2a27a18d6b863c762992046cd5ad088fed3cf9277ad1871aa35162925a30aa332d6841b61aa316ed98da4b4b336f20b7d5d4c8fd81a2be49
SSDEEP

12288:f2Pn6uN/0C3vUKIT46PT0P3O+jIazaVKyXzsX5AopoJOTMsIsLO1eL8WQRa5V1D6:ePPNsC8jT46IhkoyXMAopoJbszLO1s8Z

Score

8^/10

evasion upx

Malware Config

Signatures

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
2184	attrib.exe

Executes dropped EXE 3 IoCs

pid	Process
2544	svchost.exe
2280	svchost.exe
572	svchost.exe

Loads dropped DLL 4 IoCs

pid	Process
2576	cmd.exe
2576	cmd.exe
2544	svchost.exe
2544	svchost.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2624-0-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/2624-68-0x0000000000400000-0x0000000000423000-memory.dmp	upx

Drops file in System32 directory 36 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\IIS\uninstall.uni	2b8f21a7b508f8ab53e37d9c6a66e098.exe
File opened for modification	C:\Windows\SysWOW64\IIS\svchost.ini	cmd.exe
File created	C:\Windows\SysWOW64\IIS\remote.ini	2b8f21a7b508f8ab53e37d9c6a66e098.exe
File opened for modification	C:\Windows\SysWOW64\IIS	2b8f21a7b508f8ab53e37d9c6a66e098.exe
File created	C:\Windows\SysWOW64\IIS\scvhost.exe	2b8f21a7b508f8ab53e37d9c6a66e098.exe
File created	C:\Windows\SysWOW64\IIS\setup.bat	2b8f21a7b508f8ab53e37d9c6a66e098.exe
File created	C:\Windows\SysWOW64\IIS\svchost.ini	2b8f21a7b508f8ab53e37d9c6a66e098.exe
File opened for modification	C:\Windows\SysWOW64\IIS\mirc.ini	2b8f21a7b508f8ab53e37d9c6a66e098.exe
File created	C:\Windows\SysWOW64\IIS\radmin.txt	2b8f21a7b508f8ab53e37d9c6a66e098.exe
File opened for modification	C:\Windows\SysWOW64\IIS\scvhost.exe	2b8f21a7b508f8ab53e37d9c6a66e098.exe
File opened for modification	C:\Windows\SysWOW64\IIS\download	2b8f21a7b508f8ab53e37d9c6a66e098.exe
File created	C:\Windows\SysWOW64\IIS\nt.dll	2b8f21a7b508f8ab53e37d9c6a66e098.exe
File opened for modification	C:\Windows\SysWOW64\IIS\radmin.txt	2b8f21a7b508f8ab53e37d9c6a66e098.exe
File opened for modification	C:\Windows\SysWOW64\IIS\remote.ini	2b8f21a7b508f8ab53e37d9c6a66e098.exe
File opened for modification	C:\Windows\SysWOW64\IIS	attrib.exe
File opened for modification	C:\Windows\SysWOW64\IIS\svchost.exe	2b8f21a7b508f8ab53e37d9c6a66e098.exe
File opened for modification	C:\Windows\SysWOW64\IIS\aliases.ini	2b8f21a7b508f8ab53e37d9c6a66e098.exe
File created	C:\Windows\SysWOW64\IIS\hex.exe	2b8f21a7b508f8ab53e37d9c6a66e098.exe
File opened for modification	C:\Windows\SysWOW64\IIS\moo.dll	2b8f21a7b508f8ab53e37d9c6a66e098.exe
File opened for modification	C:\Windows\SysWOW64\IIS\nt.dll	2b8f21a7b508f8ab53e37d9c6a66e098.exe
File opened for modification	C:\Windows\SysWOW64\IIS\svchost.log	svchost.exe
File created	C:\Windows\SysWOW64\IIS\svchost.exe	2b8f21a7b508f8ab53e37d9c6a66e098.exe
File opened for modification	C:\Windows\SysWOW64\IIS\hex.exe	2b8f21a7b508f8ab53e37d9c6a66e098.exe
File created	C:\Windows\SysWOW64\IIS\mirc.ini	2b8f21a7b508f8ab53e37d9c6a66e098.exe
File created	C:\Windows\SysWOW64\IIS\moo.dll	2b8f21a7b508f8ab53e37d9c6a66e098.exe
File opened for modification	C:\Windows\SysWOW64\IIS\moodll.mrc	2b8f21a7b508f8ab53e37d9c6a66e098.exe
File opened for modification	C:\Windows\SysWOW64\IIS\setup.bat	2b8f21a7b508f8ab53e37d9c6a66e098.exe
File opened for modification	C:\Windows\SysWOW64\IIS\svchost.ini	2b8f21a7b508f8ab53e37d9c6a66e098.exe
File opened for modification	C:\Windows\SysWOW64\IIS\regedit	2b8f21a7b508f8ab53e37d9c6a66e098.exe
File opened for modification	C:\Windows\SysWOW64\IIS\secure.bat	2b8f21a7b508f8ab53e37d9c6a66e098.exe
File created	C:\Windows\SysWOW64\IIS\uninstall.uni	2b8f21a7b508f8ab53e37d9c6a66e098.exe
File created	C:\Windows\SysWOW64\IIS\aliases.ini	2b8f21a7b508f8ab53e37d9c6a66e098.exe
File created	C:\Windows\SysWOW64\IIS\regedit	2b8f21a7b508f8ab53e37d9c6a66e098.exe
File created	C:\Windows\SysWOW64\IIS\secure.bat	2b8f21a7b508f8ab53e37d9c6a66e098.exe
File created	C:\Windows\SysWOW64\IIS\moodll.mrc	2b8f21a7b508f8ab53e37d9c6a66e098.exe
File created	C:\Windows\SysWOW64\IIS\svchost.ini	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 2624 wrote to memory of 2576	2624	2b8f21a7b508f8ab53e37d9c6a66e098.exe	28
PID 2624 wrote to memory of 2576	2624	2b8f21a7b508f8ab53e37d9c6a66e098.exe	28
PID 2624 wrote to memory of 2576	2624	2b8f21a7b508f8ab53e37d9c6a66e098.exe	28
PID 2624 wrote to memory of 2576	2624	2b8f21a7b508f8ab53e37d9c6a66e098.exe	28
PID 2624 wrote to memory of 2576	2624	2b8f21a7b508f8ab53e37d9c6a66e098.exe	28
PID 2624 wrote to memory of 2576	2624	2b8f21a7b508f8ab53e37d9c6a66e098.exe	28
PID 2624 wrote to memory of 2576	2624	2b8f21a7b508f8ab53e37d9c6a66e098.exe	28
PID 2576 wrote to memory of 2544	2576	cmd.exe	30
PID 2576 wrote to memory of 2544	2576	cmd.exe	30
PID 2576 wrote to memory of 2544	2576	cmd.exe	30
PID 2576 wrote to memory of 2544	2576	cmd.exe	30
PID 2576 wrote to memory of 2544	2576	cmd.exe	30
PID 2576 wrote to memory of 2544	2576	cmd.exe	30
PID 2576 wrote to memory of 2544	2576	cmd.exe	30
PID 2576 wrote to memory of 2184	2576	cmd.exe	31
PID 2576 wrote to memory of 2184	2576	cmd.exe	31
PID 2576 wrote to memory of 2184	2576	cmd.exe	31
PID 2576 wrote to memory of 2184	2576	cmd.exe	31
PID 2576 wrote to memory of 2184	2576	cmd.exe	31
PID 2576 wrote to memory of 2184	2576	cmd.exe	31
PID 2576 wrote to memory of 2184	2576	cmd.exe	31
PID 2576 wrote to memory of 2996	2576	cmd.exe	32
PID 2576 wrote to memory of 2996	2576	cmd.exe	32
PID 2576 wrote to memory of 2996	2576	cmd.exe	32
PID 2576 wrote to memory of 2996	2576	cmd.exe	32
PID 2576 wrote to memory of 2996	2576	cmd.exe	32
PID 2576 wrote to memory of 2996	2576	cmd.exe	32
PID 2576 wrote to memory of 2996	2576	cmd.exe	32
PID 2996 wrote to memory of 3000	2996	net.exe	33
PID 2996 wrote to memory of 3000	2996	net.exe	33
PID 2996 wrote to memory of 3000	2996	net.exe	33
PID 2996 wrote to memory of 3000	2996	net.exe	33
PID 2996 wrote to memory of 3000	2996	net.exe	33
PID 2996 wrote to memory of 3000	2996	net.exe	33
PID 2996 wrote to memory of 3000	2996	net.exe	33
PID 2576 wrote to memory of 2520	2576	cmd.exe	35
PID 2576 wrote to memory of 2520	2576	cmd.exe	35
PID 2576 wrote to memory of 2520	2576	cmd.exe	35
PID 2576 wrote to memory of 2520	2576	cmd.exe	35
PID 2576 wrote to memory of 2520	2576	cmd.exe	35
PID 2576 wrote to memory of 2520	2576	cmd.exe	35
PID 2576 wrote to memory of 2520	2576	cmd.exe	35
PID 2520 wrote to memory of 1224	2520	net.exe	36
PID 2520 wrote to memory of 1224	2520	net.exe	36
PID 2520 wrote to memory of 1224	2520	net.exe	36
PID 2520 wrote to memory of 1224	2520	net.exe	36
PID 2520 wrote to memory of 1224	2520	net.exe	36
PID 2520 wrote to memory of 1224	2520	net.exe	36
PID 2520 wrote to memory of 1224	2520	net.exe	36

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2184	attrib.exe

C:\Users\Admin\AppData\Local\Temp\2b8f21a7b508f8ab53e37d9c6a66e098.exe
"C:\Users\Admin\AppData\Local\Temp\2b8f21a7b508f8ab53e37d9c6a66e098.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2624
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Windows\system32\IIS\setup.bat" "
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Windows\SysWOW64\IIS\svchost.exe
    svchost -i
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    PID:2544
- - C:\Windows\SysWOW64\attrib.exe
    attrib ../iis +h
    3⤵
    - Sets file to hidden
    - Drops file in System32 directory
    - Views/modifies file attributes
    PID:2184
- - C:\Windows\SysWOW64\net.exe
    net start "Microsoft Security Center"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2996
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start "Microsoft Security Center"
      4⤵
      PID:3000
- - C:\Windows\SysWOW64\net.exe
    net start "Microsoft Security Center"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2520
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start "Microsoft Security Center"
      4⤵
      PID:1224

C:\Windows\SysWOW64\IIS\svchost.exe
C:\Windows\SysWOW64\IIS\svchost.exe
1⤵
- Executes dropped EXE
PID:2280

C:\Windows\SysWOW64\IIS\svchost.exe
C:\Windows\SysWOW64\IIS\svchost.exe
1⤵
- Executes dropped EXE
PID:572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\IIS\setup.bat

Filesize
1KB

MD5
18434187777258b204811e0e92f1a4a6

SHA1
497982768b77961a3d27769848eb7c4f24cf67f2

SHA256
0b2d604cdc96f1d0c4296e8ef9fba791a0f1d093716704f2b614c614c71dfa4f

SHA512
5f63b2dbba02d308d850ae5e79a51c44fc63fb18f7dad2bfa6a203cc4f4747737e7cb7c4b7dd73c9275280602381c823f103583786a71d12915c08ea1ccb542c

Download Submit
C:\Windows\SysWOW64\IIS\svchost.exe

Filesize
52KB

MD5
ea2e9e72f5bc8ac2549b325a757d321d

SHA1
82968811c3329c44edf796acaaf3f04618f99d97

SHA256
0a01c68ae7b981ac52dd86b91daa1443f0fd95e3151b64223d7d4f5a5954ff48

SHA512
6acae9b5da3757384c350b7800085948b7302ddb0386150304db3fbdeeedf9e066da29d8c4bd769c88446326ab5c32e81639021b14a83d5b77039b2855c6ef07

Download Submit
C:\Windows\SysWOW64\IIS\svchost.ini

Filesize
452B

MD5
4cf359339a9d20b8c0427b0ffc941968

SHA1
e31807926d4e2f5ac367ea7aa8bf6ff8a880ee74

SHA256
a81faf47f99a2954970bc7f3596784dbc911f649567a1491ca8a87d450582236

SHA512
033e7e0a4944f6ba33c034b6280687e33134259286fb3c1461ea408fef4d94b9e1bcb8148e3e2fd321b6a1c481dad4c30c74fdbeb031da4f3106700dfcefe2ef

Download Submit
C:\Windows\SysWOW64\IIS\svchost.ini

Filesize
452B

MD5
bae3cfd4c21122054c22c0a4a6cc79ec

SHA1
37c81139c8af268ff56b2f82d6998aa29ffa8f7d

SHA256
0e25c4b27e228813ed1968f60bd468b57c8fc4bc2b9f7a37cad883c2be4a6550

SHA512
97a8b9fb757dd9cbf1990afc8437041fa5d442537b0256c89bdea18b0e9b62142101026f826e231b7221db0889323b3f835c0cd10f1989f92bdeb01e07deac15

Download Submit
memory/2624-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2624-1-0x0000000000240000-0x0000000000263000-memory.dmp

Filesize
140KB

Download
memory/2624-2-0x0000000000240000-0x0000000000263000-memory.dmp

Filesize
140KB

Download
memory/2624-68-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2624-69-0x0000000000240000-0x000000000024D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads