14c834944d6ea5bfc3fe353553f1c4c563cdd290415a59e235b8a0a25823b467

Analysis

max time kernel
119s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 08:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f655668c02c2bd2212ac10dfc99c1e0.exe
Size

1.8MB
MD5

5f655668c02c2bd2212ac10dfc99c1e0
SHA1

f7a56718026c1c907b1615eace3d123a635a336d
SHA256

14c834944d6ea5bfc3fe353553f1c4c563cdd290415a59e235b8a0a25823b467
SHA512

e1db61b17559781ade52afd1a49f4543dd4ae2b0ff42425a6974545657645f99992bc657e0626a0faef75498598d477b58c342c637002cfae916231b364a046c
SSDEEP

24576:ARPUjqHQzJXyRp8YKmvwasel3Rp4RSBQ/iNgC5waeh/olAWg5uL+HHse:ARPiccByz8ZWj1Hcaa/olA0L+HHse

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2448	update.exe
2724	Robolet_YouXia.exe

Loads dropped DLL 6 IoCs

pid	Process
2504	5f655668c02c2bd2212ac10dfc99c1e0.exe
2504	5f655668c02c2bd2212ac10dfc99c1e0.exe
2504	5f655668c02c2bd2212ac10dfc99c1e0.exe
2448	update.exe
2448	update.exe
2448	update.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2448	update.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 2448	2504	5f655668c02c2bd2212ac10dfc99c1e0.exe	23
PID 2504 wrote to memory of 2448	2504	5f655668c02c2bd2212ac10dfc99c1e0.exe	23
PID 2504 wrote to memory of 2448	2504	5f655668c02c2bd2212ac10dfc99c1e0.exe	23
PID 2504 wrote to memory of 2448	2504	5f655668c02c2bd2212ac10dfc99c1e0.exe	23
PID 2504 wrote to memory of 2448	2504	5f655668c02c2bd2212ac10dfc99c1e0.exe	23
PID 2504 wrote to memory of 2448	2504	5f655668c02c2bd2212ac10dfc99c1e0.exe	23
PID 2504 wrote to memory of 2448	2504	5f655668c02c2bd2212ac10dfc99c1e0.exe	23
PID 2504 wrote to memory of 2724	2504	5f655668c02c2bd2212ac10dfc99c1e0.exe	22
PID 2504 wrote to memory of 2724	2504	5f655668c02c2bd2212ac10dfc99c1e0.exe	22
PID 2504 wrote to memory of 2724	2504	5f655668c02c2bd2212ac10dfc99c1e0.exe	22
PID 2504 wrote to memory of 2724	2504	5f655668c02c2bd2212ac10dfc99c1e0.exe	22

C:\Users\Admin\AppData\Local\Temp\5f655668c02c2bd2212ac10dfc99c1e0.exe
"C:\Users\Admin\AppData\Local\Temp\5f655668c02c2bd2212ac10dfc99c1e0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Users\Admin\AppData\Local\Temp\Robolet_YouXia.exe
  "C:\Users\Admin\AppData\Local\Temp\Robolet_YouXia.exe"
  2⤵
  - Executes dropped EXE
  PID:2724
- C:\Users\Admin\AppData\Local\Temp\update.exe
  "C:\Users\Admin\AppData\Local\Temp\update.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Robolet_YouXia.exe

Filesize
803KB

MD5
b91ed6d5b4a7c754538e1ade55a74a9a

SHA1
8de59e7bf6eafcbe4eaa7aa472715c0956ae5016

SHA256
ff7fcf4f578a0f59063cfb6d2f3390e4ab0db4086cc72a3bbf8f42c9cf931545

SHA512
59306715c52af0c34131fa9f1a5ff1b01d20d800cece49f9972ec4a533bc02810fba40c27802b31e28fd46d7ce5275d4f6bafcddd3aa9b08b9ecbb05e52c10cd

Download Submit
\Users\Admin\AppData\Local\Temp\Robolet_YouXia.exe

Filesize
436KB

MD5
efd1058a4d35e35028d7d92626f59ed2

SHA1
6c09b2a6bf6b66ca2566a0aa71cc526a00ebd275

SHA256
69a318a8d89205545a28752a026c9053d494e022d1860c28b41b2b21c268b078

SHA512
a6d6c7478cc9a42d652c7a2a484ccccc57a6143d285415621af1358b7ea0f1f7e45439b5bfdc01fecd6a3eb5a56a601bd57091eb3f7a58f05dd916ce79620726

Download Submit
\Users\Admin\AppData\Local\Temp\Robolet_YouXia.exe

Filesize
471KB

MD5
0511038a79cf9ea718c0c4a2da8b2d1d

SHA1
39338ec6012c2ebb085ebf0764ef69f7dc633cea

SHA256
2344d72712323f9bf9c2dc918a02831f29642cb492d1a49008dc72fb401e2da5

SHA512
83eb50f589f19f47e887baecaaaf3bc6bff64a1e82390e7e58a2af4a32e024b5283b361607f7e388a33e785c6b0c752dc9c5cc999e3a58dc38155aa30bb148cf

Download Submit
\Users\Admin\AppData\Local\Temp\update.exe

Filesize
32KB

MD5
07bb3c62d66b69fea71e2c86d7ed283e

SHA1
a6007843e4c42f890c9d6059d5ddff9f128571fc

SHA256
f96a4fc4150d2e33a93fcd0525eb54ade80fe0f827fd28a6c76fa5676effddaa

SHA512
cfdfacf6b4f2bbd1c18959484c5c515514a73ffe432de6bf83eb48389a21195db0e8f5f0cbf80731810a6ec3a3a63535af924f355aa6837a286007a02915af6b

Download Submit
memory/2504-16-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2724-18-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2724-24-0x0000000000400000-0x00000000005A1000-memory.dmp

Filesize
1.6MB

Download