4d8ee5361e4b6544235d0664b01974807032fbe6b801272b00387c7095284ce5

Analysis

max time kernel
0s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 19:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3975ff2aa7b5d7b9e15c411bf1501c8c.exe
Size

20KB
MD5

3975ff2aa7b5d7b9e15c411bf1501c8c
SHA1

b5555fb6bda3ddc24924c49c254a6d6e44a82ba3
SHA256

4d8ee5361e4b6544235d0664b01974807032fbe6b801272b00387c7095284ce5
SHA512

cc1e412cbabfe02a8bd76aadb5bd649b46ccba8be5dbeaa62f611c89acfa35beaf1c2bc2dad867335ebe566ef5e39a0301901978a9af849ca314921b9275d28d
SSDEEP

192:1l5E3krTuntKy0peHDfCpHfBv+I4QwXt9V+jqu0G5KDJBWXhg:1M3PnQoHDCpHf4I4Qwdc0G5KDJ8g

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	3975ff2aa7b5d7b9e15c411bf1501c8c.exe

Executes dropped EXE 1 IoCs

pid	Process
2764	winlogon.exe

Loads dropped DLL 2 IoCs

pid	Process
3068	3975ff2aa7b5d7b9e15c411bf1501c8c.exe
3068	3975ff2aa7b5d7b9e15c411bf1501c8c.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\AE 0124 BE.bmp	3975ff2aa7b5d7b9e15c411bf1501c8c.exe
File opened for modification	C:\Windows\AE 0124 BE.bmp	3975ff2aa7b5d7b9e15c411bf1501c8c.exe
File opened for modification	C:\Windows\Msvbvm60.dll	3975ff2aa7b5d7b9e15c411bf1501c8c.exe
File created	C:\Windows\Msvbvm60.dll	3975ff2aa7b5d7b9e15c411bf1501c8c.exe
File opened for modification	C:\Windows\AE 0124 BE.bmp	DllHost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1708	DllHost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3068	3975ff2aa7b5d7b9e15c411bf1501c8c.exe
2764	winlogon.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 2764	3068	3975ff2aa7b5d7b9e15c411bf1501c8c.exe	28
PID 3068 wrote to memory of 2764	3068	3975ff2aa7b5d7b9e15c411bf1501c8c.exe	28
PID 3068 wrote to memory of 2764	3068	3975ff2aa7b5d7b9e15c411bf1501c8c.exe	28
PID 3068 wrote to memory of 2764	3068	3975ff2aa7b5d7b9e15c411bf1501c8c.exe	28

C:\Users\Admin\AppData\Local\Temp\3975ff2aa7b5d7b9e15c411bf1501c8c.exe
"C:\Users\Admin\AppData\Local\Temp\3975ff2aa7b5d7b9e15c411bf1501c8c.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Windows\SysWOW64\drivers\winlogon.exe
  "C:\Windows\System32\drivers\winlogon.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2764

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
PID:1708

C:\Windows\AE 0124 BE.exe
"C:\Windows\AE 0124 BE.exe"
1⤵
PID:2800
- C:\Windows\SysWOW64\drivers\winlogon.exe
  "C:\Windows\System32\drivers\winlogon.exe"
  2⤵
  PID:1616

C:\Windows\SysWOW64\drivers\winlogon.exe
"C:\Windows\System32\drivers\winlogon.exe"
1⤵
PID:1564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\AE 0124 BE.bmp

Filesize
20KB

MD5
6cff4daf3855c4886581bc107d7a3544

SHA1
06fa2e51cdd0b9bcd6cde87295bf8c70e4aeb57d

SHA256
fc3cb826d6ae416b12ba16a50624baf81f4a37d45d4c5bfc8928071b30fde5b3

SHA512
02586f618d9605ffcba9a83e8d4a62e53f8ff65c66d0e020844869932e259c66ca696766f0adafffa297e36648bcdb98287f9f172db72881a1f57ac801eb26aa

Download Submit
C:\Windows\AE 0124 BE.exe

Filesize
27KB

MD5
9b3d2c8d2abc2c6b902a01e145fafd3e

SHA1
9ed020af161b83f5a52d55abca2466119fb8116c

SHA256
f47ac97da89dae1208254a6f181471955c481d2114ed8e629e292f3c2b16fffe

SHA512
a4ff5ad8862d71210e166303f1bbf5dc6bf7115a446c249eb6c49d57a170734d5cb5354b7d3a17be079fecb33be220f4a94054b512c5d36eba90e06caf68eba4

Download Submit
C:\Windows\Msvbvm60.dll

Filesize
60KB

MD5
f2242d86fc9c652ac449741af95b3810

SHA1
5b055acfb1ba4cde4702d53f1aed7748f863e41b

SHA256
1717e44a7f37847c77f0ea999da229946f0d9ca30b82d196ceba43b0bb1d19d7

SHA512
7ee3856a5227180938272d66ff03280360bbca443e2373172a20a8e3aaa7065a4a2ad707f20007ee23ff4ace838b53f17e07ef940c57fdb698c66cf04d043edc

Download Submit
C:\Windows\Msvbvm60.dll

Filesize
60KB

MD5
c7a617db98a1801bebb568958418b3fd

SHA1
dbd7e6c6ce4abba4ec16cfa296e3c3da6404a731

SHA256
63b934a4d1b8cf6cb026c0b54d2e874c0b14153af14d635a3c5d77f024a57830

SHA512
8e36cb078996584589bbfee8d6bf1d014f7f003be52a9de9822a8229bf60017cfc6b2e78e34b7e2c47bb46ae00f551a308ee4af89283637d5835295a50f571dc

Download Submit
C:\Windows\SysWOW64\drivers\MSVBVM60.DLL

Filesize
32KB

MD5
c5c8bf5d826fc4b9aed93b47488535d7

SHA1
b7a0c9698b0194ee12d07b2a8690ee8220e4eebf

SHA256
e939187c46b8b056ab56dcb1fac32ebec4aba56c495a936cc10ea97bb5b5404c

SHA512
186a7f1022b2672612285e6427a98f7573703e41d3b04fc24f5af5b6383e629e986b72e6bf6a621fee305a2e918753a74d3e2bb1ffb58410e0af0aab2a7c79a1

Download Submit
C:\Windows\SysWOW64\drivers\winlogon.exe

Filesize
40KB

MD5
b4eb44cef0dac9767ea5077c089e331c

SHA1
6de110c656f61278df3657d897e1187d014aa2c3

SHA256
6ce7d15fbc50c4add0582ca47b5ce8ffe53ad5ea347c345ad7e3f9d668b342fa

SHA512
f21c4733a7a8e67abf95a573660c5822b3a5382db692162bde399fef3438ff685a8e9d9fdd009fd0a5d6cc007f7e4dd0a024a2d1e78b9de5800df8caa27219b3

Download Submit
C:\Windows\SysWOW64\drivers\winlogon.exe

Filesize
24KB

MD5
8ee41fc4734f081893966659505ddbe8

SHA1
fd94be01d6ef438869b5d3fbac4b651306ec1336

SHA256
1ad722b94a1f8123457383db0633a18620ec1b6a53e764906f11ebba9d186e90

SHA512
9dfba51b335f41f33f1456cb763f1941568b1a6affdc68964d31ccfceca694a1333a6d53322b87c9a344225c952206eaa79d32823602565f256c4777a90fb36c

Download Submit
C:\Windows\SysWOW64\drivers\winlogon.exe

Filesize
36KB

MD5
3b5b79c898f4d3a1ff0079d7c877454e

SHA1
bccf723d9d777f683fdc901c879d8cec9d19d503

SHA256
76c736e5fff8f627c5b11b3f41514148486303ac71c1688273218e09cdb2d1a3

SHA512
20ce14874221c7d05e86fb548676bd56b8e86d951397304bc33a7cd1315fce357bc5484c174b35a4d3ebf6d766dea7596b7a305a9643ce31d7923872e3e03b7d

Download Submit
\??\c:\B1uv3nth3x1.diz

Filesize
25B

MD5
589b6886a49054d03b739309a1de9fcc

SHA1
0ec1dff7a03f13dea28eea5e754d5b0e5e1dc308

SHA256
564815feb9c5bdadb145cd0d16738c4e5fbc6a46cf65c62ac6a985c43d1939e8

SHA512
4b6f567398863aba39eec00e9f071364b79d5c29867b93fb968725e10e33a9bfff60f8ab6acceae44e715a35ec7139d12da06c33fa074b6be02ff5357c53c0eb

Download Submit
\Windows\SysWOW64\drivers\Msvbvm60.dll

Filesize
6KB

MD5
d66c24d38a0b145de98c7505d5888fc4

SHA1
e0fbb7edf8419168741d788a7a0c8d844f713984

SHA256
17bca5085c944672a8019e51e95847d84c85531f56b29ff0c68f23ee8384d63c

SHA512
821dc79c82f60cf8117995e31ec31aef4a8320aab2f759aa5d2530e72d2434fdeae9a39027b8765e4a4cbb6ab98e7c97303a795d9eb82a4287937bc4a7805f68

Download Submit
\Windows\SysWOW64\drivers\Msvbvm60.dll

Filesize
45KB

MD5
25a2e1a9c9bff65aba3f62e486f45ecb

SHA1
5bcb4b0c55fa1bbaec07f3e058770b56993266f4

SHA256
12fd497c116a6aa95017f90b67d469373f580ae2268c8aa38b932c3282cd5897

SHA512
02db772e7ca5c774c0bcfc4f7465e93719a121949eb9891fe3786c80e8f9ccbc5ee3891a147e20e1173932343446f081fe13dd36fdfb44e663a81e6511ba43c7

Download Submit
\Windows\SysWOW64\drivers\winlogon.exe

Filesize
7KB

MD5
5a0821aeb1a0b3d81f1ae019bce387bc

SHA1
292f1542c63858fcd6248dc24bdb88f074cde4f0

SHA256
58b55f8c092e839e55f737c141fa070b0229899c709df7f77066c66b2b4c526f

SHA512
c3b24f334bfb6d53859ccd2341ff74be3fece06a53907c349aa4ef072d9bd295620abccfabed920bc339e9c4731821c2521363609b2c49b5bf50232e31838ce2

Download Submit
\Windows\SysWOW64\drivers\winlogon.exe

Filesize
24KB

MD5
9274f7baaebcde90ab64cbe4a1ceef0f

SHA1
19c63691a74d94c2c70d669181d1b654b8b6429b

SHA256
965554690d2b40d373ee7ebfb56b679dae57e54acab55fd428999bf0d7a8efe6

SHA512
a7d29160f6bd14f0ef01a3009dbc810fc88df65ed01eb5b0ffc6ed91f96e3b5f9bb5411f5672ad9ce478e4f4f0e45d679e801c32982b7886593e4e0d37dad864

Download Submit
\Windows\SysWOW64\drivers\winlogon.exe

Filesize
17KB

MD5
ede7db45a57af12b10e83c215c1f1f1a

SHA1
4b757393e5e737b6fe612d043b11ea55726edf4e

SHA256
92887a2f31ea24a33ad912a74071086f384f49237b273e7bf143eaa59858ced1

SHA512
3cf91f4f0bfc00aabda80d167baf9d4a330d35bc77458c450bfee1bece2e862ad21f67d0e72fc6a15b02097bc7b7c13d41aba3d97ac666ca11cda55c74b4b660

Download Submit
memory/1708-12-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1708-6-0x00000000001B0000-0x00000000001B2000-memory.dmp

Filesize
8KB

Download
memory/1708-341-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2764-48-0x00000000039E0000-0x0000000003C20000-memory.dmp

Filesize
2.2MB

Download
memory/2800-49-0x0000000003F80000-0x00000000041C0000-memory.dmp

Filesize
2.2MB

Download
memory/3068-5-0x0000000002570000-0x0000000002572000-memory.dmp

Filesize
8KB

Download
memory/3068-13-0x0000000003F50000-0x0000000004A0A000-memory.dmp

Filesize
10.7MB

Download