eb02ce12bdceef190edb2215e9bb3e2204ec94b0e5f66b58b71b5de34e7ef3c2

Analysis

max time kernel
120s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29/12/2023, 20:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

03a9600041bd29e0a2748412d087c0a9.exe
Size

16KB
MD5

03a9600041bd29e0a2748412d087c0a9
SHA1

35330a96fc99c365b9c6d4c0027d7028792fa034
SHA256

eb02ce12bdceef190edb2215e9bb3e2204ec94b0e5f66b58b71b5de34e7ef3c2
SHA512

726ed45b669ffd9a4e9fdb4a47128bcd0323cab13e8e9fa3b63c8fb0b84a552cfa030ffe8c8dc1bee606e07eb979c670a9c7fbf676e1c73925e162dcd2275b4c
SSDEEP

384:z19lPb5fOI1gUFkgR2uRaja4af18SFlcbvwdYa5prC9:5X52Sgf1+18UljpprC9

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2080	rundll32.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\NfIpv6.ocx	03a9600041bd29e0a2748412d087c0a9.exe
File opened for modification	C:\Windows\SysWOW64\NfIpv6.ocx	03a9600041bd29e0a2748412d087c0a9.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\NfIpv6.ocx	03a9600041bd29e0a2748412d087c0a9.exe
File opened for modification	C:\Windows\NfIpv6.ocx	03a9600041bd29e0a2748412d087c0a9.exe
File created	C:\Windows\GoogeTmpCache.ini	03a9600041bd29e0a2748412d087c0a9.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1608	sc.exe

Runs net.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2164	03a9600041bd29e0a2748412d087c0a9.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2164	03a9600041bd29e0a2748412d087c0a9.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 1728	2164	03a9600041bd29e0a2748412d087c0a9.exe	28
PID 2164 wrote to memory of 1728	2164	03a9600041bd29e0a2748412d087c0a9.exe	28
PID 2164 wrote to memory of 1728	2164	03a9600041bd29e0a2748412d087c0a9.exe	28
PID 2164 wrote to memory of 1728	2164	03a9600041bd29e0a2748412d087c0a9.exe	28
PID 1728 wrote to memory of 2080	1728	cmd.exe	30
PID 1728 wrote to memory of 2080	1728	cmd.exe	30
PID 1728 wrote to memory of 2080	1728	cmd.exe	30
PID 1728 wrote to memory of 2080	1728	cmd.exe	30
PID 1728 wrote to memory of 2080	1728	cmd.exe	30
PID 1728 wrote to memory of 2080	1728	cmd.exe	30
PID 1728 wrote to memory of 2080	1728	cmd.exe	30
PID 2164 wrote to memory of 2204	2164	03a9600041bd29e0a2748412d087c0a9.exe	31
PID 2164 wrote to memory of 2204	2164	03a9600041bd29e0a2748412d087c0a9.exe	31
PID 2164 wrote to memory of 2204	2164	03a9600041bd29e0a2748412d087c0a9.exe	31
PID 2164 wrote to memory of 2204	2164	03a9600041bd29e0a2748412d087c0a9.exe	31
PID 2204 wrote to memory of 1608	2204	cmd.exe	33
PID 2204 wrote to memory of 1608	2204	cmd.exe	33
PID 2204 wrote to memory of 1608	2204	cmd.exe	33
PID 2204 wrote to memory of 1608	2204	cmd.exe	33
PID 2164 wrote to memory of 2744	2164	03a9600041bd29e0a2748412d087c0a9.exe	34
PID 2164 wrote to memory of 2744	2164	03a9600041bd29e0a2748412d087c0a9.exe	34
PID 2164 wrote to memory of 2744	2164	03a9600041bd29e0a2748412d087c0a9.exe	34
PID 2164 wrote to memory of 2744	2164	03a9600041bd29e0a2748412d087c0a9.exe	34
PID 2744 wrote to memory of 1748	2744	cmd.exe	36
PID 2744 wrote to memory of 1748	2744	cmd.exe	36
PID 2744 wrote to memory of 1748	2744	cmd.exe	36
PID 2744 wrote to memory of 1748	2744	cmd.exe	36
PID 1748 wrote to memory of 2668	1748	net.exe	37
PID 1748 wrote to memory of 2668	1748	net.exe	37
PID 1748 wrote to memory of 2668	1748	net.exe	37
PID 1748 wrote to memory of 2668	1748	net.exe	37

C:\Users\Admin\AppData\Local\Temp\03a9600041bd29e0a2748412d087c0a9.exe
"C:\Users\Admin\AppData\Local\Temp\03a9600041bd29e0a2748412d087c0a9.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /A /C rundll32 NfIpv6.ocx,RundllInstall IPRIP
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32 NfIpv6.ocx,RundllInstall IPRIP
    3⤵
    - Loads dropped DLL
    PID:2080
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /A /C sc start iprip 'cmd' 1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Windows\SysWOW64\sc.exe
    sc start iprip 'cmd' 1
    3⤵
    - Launches sc.exe
    PID:1608
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /A /C net start IPRIP
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Windows\SysWOW64\net.exe
    net start IPRIP
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1748
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start IPRIP
      4⤵
      PID:2668

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\NfIpv6.ocx

Filesize
9KB

MD5
0bf3958edf3aa13db311c476ae2b1771

SHA1
fdfd769d3e8edc25d9e3e844efb02ca58044b3af

SHA256
38cdd82fc0ee31367ca6209b580cbfb69c5d35329aac0880d9f7feb8da3c340e

SHA512
97d90bde097d81d9e2a1127a97870a46d01b25743c60c8980ec4dfc3e3490635575deb22cc73d659a3a5fc1b3b951165a8606d7f469ad7f0e5f0a60034afc36e

Download Submit