c1fa99aa3a9ce6b5a5d5c7cc4865e59c8bfd384e340c0e59f256611b2ca830b3

Analysis

max time kernel
142s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26-12-2023 03:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5268f2df3b52b5e1e5120a489ab7bc2b.exe
Size

2.2MB
MD5

5268f2df3b52b5e1e5120a489ab7bc2b
SHA1

0ef65cecc9b30c07d162a1728d87341b9db18c20
SHA256

c1fa99aa3a9ce6b5a5d5c7cc4865e59c8bfd384e340c0e59f256611b2ca830b3
SHA512

1a00a0027cae406fde152be9905a3fdf9708e25c277be2d60b0b06550f55275488ed03ac8c081e667b85dfdc0f041e94dee012730291ecefdc7e2cc7f7bd9f90
SSDEEP

49152:UInR2I9LGMBJvUZPjkG5c7Ua9IeWooJIgylX3yQKiZ7eBy:mI9SMBJvUZPjkGqgaZUJBUHy+kBy

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 38 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\inetsrv\daemon\$dll\Root\cygGeoIP-1.dll	5268f2df3b52b5e1e5120a489ab7bc2b.exe
File opened for modification	C:\Windows\SysWOW64\inetsrv\daemon\$dll\install.bat	5268f2df3b52b5e1e5120a489ab7bc2b.exe
File opened for modification	C:\Windows\SysWOW64\inetsrv\daemon\$dll\service.bat	5268f2df3b52b5e1e5120a489ab7bc2b.exe
File created	C:\Windows\SysWOW64\inetsrv\daemon\$dll\Root\upload\working.txt	5268f2df3b52b5e1e5120a489ab7bc2b.exe
File opened for modification	C:\Windows\SysWOW64\inetsrv\daemon\$dll\winback.exe	5268f2df3b52b5e1e5120a489ab7bc2b.exe
File created	C:\Windows\SysWOW64\inetsrv\daemon\$dll\Root\csrss.exe	5268f2df3b52b5e1e5120a489ab7bc2b.exe
File opened for modification	C:\Windows\SysWOW64\inetsrv\daemon\$dll\Root\csrss.exe	5268f2df3b52b5e1e5120a489ab7bc2b.exe
File opened for modification	C:\Windows\SysWOW64\inetsrv\daemon\$dll\Root\cyggcrypt-11.dll	5268f2df3b52b5e1e5120a489ab7bc2b.exe
File created	C:\Windows\SysWOW64\inetsrv\daemon\$dll\Root\cyggpg-error-0.dll	5268f2df3b52b5e1e5120a489ab7bc2b.exe
File opened for modification	C:\Windows\SysWOW64\inetsrv\daemon\$dll\Root\cyggpg-error-0.dll	5268f2df3b52b5e1e5120a489ab7bc2b.exe
File opened for modification	C:\Windows\SysWOW64\inetsrv\daemon\$dll	5268f2df3b52b5e1e5120a489ab7bc2b.exe
File created	C:\Windows\SysWOW64\inetsrv\daemon\$dll\Root\cyggcc_s-1.dll	5268f2df3b52b5e1e5120a489ab7bc2b.exe
File created	C:\Windows\SysWOW64\inetsrv\daemon\$dll\Root\cygGeoIP-1.dll	5268f2df3b52b5e1e5120a489ab7bc2b.exe
File opened for modification	C:\Windows\SysWOW64\inetsrv\daemon\$dll\Root\upload	5268f2df3b52b5e1e5120a489ab7bc2b.exe
File created	C:\Windows\SysWOW64\inetsrv\daemon\$dll\winback.ini	5268f2df3b52b5e1e5120a489ab7bc2b.exe
File created	C:\Windows\SysWOW64\inetsrv\daemon\$dll\Root\cygcrypt-0.dll	5268f2df3b52b5e1e5120a489ab7bc2b.exe
File created	C:\Windows\SysWOW64\inetsrv\daemon\$dll\Root\cyggcrypt-11.dll	5268f2df3b52b5e1e5120a489ab7bc2b.exe
File created	C:\Windows\SysWOW64\inetsrv\daemon\$dll\Root\cygiconv-2.dll	5268f2df3b52b5e1e5120a489ab7bc2b.exe
File created	C:\Windows\SysWOW64\inetsrv\daemon\$dll\service.exe	5268f2df3b52b5e1e5120a489ab7bc2b.exe
File opened for modification	C:\Windows\SysWOW64\inetsrv\daemon\$dll\Root\upload\working.txt	5268f2df3b52b5e1e5120a489ab7bc2b.exe
File opened for modification	C:\Windows\SysWOW64\inetsrv\daemon\$dll\winback.ini	5268f2df3b52b5e1e5120a489ab7bc2b.exe
File opened for modification	C:\Windows\SysWOW64\inetsrv\daemon\$dll\lgd.dll	5268f2df3b52b5e1e5120a489ab7bc2b.exe
File opened for modification	C:\Windows\SysWOW64\inetsrv\daemon\$dll\Root\cyggcc_s-1.dll	5268f2df3b52b5e1e5120a489ab7bc2b.exe
File created	C:\Windows\SysWOW64\inetsrv\daemon\$dll\Root\cygintl-8.dll	5268f2df3b52b5e1e5120a489ab7bc2b.exe
File opened for modification	C:\Windows\SysWOW64\inetsrv\daemon\$dll\Root\cygintl-8.dll	5268f2df3b52b5e1e5120a489ab7bc2b.exe
File opened for modification	C:\Windows\SysWOW64\inetsrv\daemon\$dll\Root	5268f2df3b52b5e1e5120a489ab7bc2b.exe
File created	C:\Windows\SysWOW64\inetsrv\daemon\$dll\Root\Config.bat	5268f2df3b52b5e1e5120a489ab7bc2b.exe
File opened for modification	C:\Windows\SysWOW64\inetsrv\daemon\$dll\Root\Config.bat	5268f2df3b52b5e1e5120a489ab7bc2b.exe
File opened for modification	C:\Windows\SysWOW64\inetsrv\daemon\$dll\Root\cygcrypt-0.dll	5268f2df3b52b5e1e5120a489ab7bc2b.exe
File created	C:\Windows\SysWOW64\inetsrv\daemon\$dll\service.bat	5268f2df3b52b5e1e5120a489ab7bc2b.exe
File created	C:\Windows\SysWOW64\inetsrv\daemon\$dll\lgd.dll	5268f2df3b52b5e1e5120a489ab7bc2b.exe
File created	C:\Windows\SysWOW64\inetsrv\daemon\$dll\Root\cyggnutls-26.dll	5268f2df3b52b5e1e5120a489ab7bc2b.exe
File opened for modification	C:\Windows\SysWOW64\inetsrv\daemon\$dll\Root\cyggnutls-26.dll	5268f2df3b52b5e1e5120a489ab7bc2b.exe
File opened for modification	C:\Windows\SysWOW64\inetsrv\daemon	5268f2df3b52b5e1e5120a489ab7bc2b.exe
File created	C:\Windows\SysWOW64\inetsrv\daemon\$dll\__tmp_rar_sfx_access_check_259416511	5268f2df3b52b5e1e5120a489ab7bc2b.exe
File created	C:\Windows\SysWOW64\inetsrv\daemon\$dll\install.bat	5268f2df3b52b5e1e5120a489ab7bc2b.exe
File opened for modification	C:\Windows\SysWOW64\inetsrv\daemon\$dll\service.exe	5268f2df3b52b5e1e5120a489ab7bc2b.exe
File created	C:\Windows\SysWOW64\inetsrv\daemon\$dll\winback.exe	5268f2df3b52b5e1e5120a489ab7bc2b.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3064	5268f2df3b52b5e1e5120a489ab7bc2b.exe

C:\Users\Admin\AppData\Local\Temp\5268f2df3b52b5e1e5120a489ab7bc2b.exe
"C:\Users\Admin\AppData\Local\Temp\5268f2df3b52b5e1e5120a489ab7bc2b.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
PID:3064

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3064-34-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads