6424b7f5bcf75dbdc4f036363cc54be98707a5dc17743a5034375d9001d1c2e6

Analysis

max time kernel
117s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-12-2023 17:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

32b9ab638ae4cbb56acd11493c960a3d.exe
Size

78KB
MD5

32b9ab638ae4cbb56acd11493c960a3d
SHA1

03162a8af11632ba2fbfe90e4da3d432c263efb9
SHA256

6424b7f5bcf75dbdc4f036363cc54be98707a5dc17743a5034375d9001d1c2e6
SHA512

98d001ac00440634e9bcd4437888ef9db277197268bab9d1243f5959726f3bb3e06a94c47b17715b007156c332167b4cca4080098ad5b854c8cf3911a2fbcc7e
SSDEEP

1536:3a1ovwQleWu5YtoAmosnXddlDI+vlkKlLB/Jx8K1U3/ef:MQle9UoAmosntHvlkOLB/z8A8/ef

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
4	2940	WScript.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\db\PayPal.vbs	32b9ab638ae4cbb56acd11493c960a3d.exe
File created	C:\Windows\SysWOW64\__tmp_rar_sfx_access_check_259427884	32b9ab638ae4cbb56acd11493c960a3d.exe
File opened for modification	C:\Windows\SysWOW64\db	32b9ab638ae4cbb56acd11493c960a3d.exe
File created	C:\Windows\SysWOW64\db\run.vbs	32b9ab638ae4cbb56acd11493c960a3d.exe
File opened for modification	C:\Windows\SysWOW64\db\run.vbs	32b9ab638ae4cbb56acd11493c960a3d.exe
File created	C:\Windows\SysWOW64\db\PayPal.vbs	32b9ab638ae4cbb56acd11493c960a3d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 688 wrote to memory of 2940	688	32b9ab638ae4cbb56acd11493c960a3d.exe	28
PID 688 wrote to memory of 2940	688	32b9ab638ae4cbb56acd11493c960a3d.exe	28
PID 688 wrote to memory of 2940	688	32b9ab638ae4cbb56acd11493c960a3d.exe	28
PID 688 wrote to memory of 2940	688	32b9ab638ae4cbb56acd11493c960a3d.exe	28
PID 688 wrote to memory of 2940	688	32b9ab638ae4cbb56acd11493c960a3d.exe	28
PID 688 wrote to memory of 2940	688	32b9ab638ae4cbb56acd11493c960a3d.exe	28
PID 688 wrote to memory of 2940	688	32b9ab638ae4cbb56acd11493c960a3d.exe	28

C:\Users\Admin\AppData\Local\Temp\32b9ab638ae4cbb56acd11493c960a3d.exe
"C:\Users\Admin\AppData\Local\Temp\32b9ab638ae4cbb56acd11493c960a3d.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:688
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\system32\db\run.vbs"
  2⤵
  - Blocklisted process makes network request
  PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\db\run.vbs

Filesize
1KB

MD5
f460176e769893c64086f17a3d135029

SHA1
75ac1673355db3c8bf67a967183a71c63a4cb1f7

SHA256
3c16d31e11071fb8e3c8608c9b58600ea58b57779efed08e60f3ebd7daa5effe

SHA512
1d3d1ac2efd628c91060688f420f0339bb09f485072c68c4871e7e2486fe6c6eccdacc7955a109227034b5cee68307cde33818ea1a97d7c3656f5bae5bf57a81

Download Submit