Overview

overview

7

Static

static

3

084e8ab275...b3.exe

windows7-x64

7

084e8ab275...b3.exe

windows10-2004-x64

5

Analysis

  • max time kernel
    118s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    30-12-2023 00:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    084e8ab27551ad960621911c161997b3.exe

  • Size

    50KB

  • MD5

    084e8ab27551ad960621911c161997b3

  • SHA1

    c16f00cd9deb909030ffd55157020b232b57c5fe

  • SHA256

    af5eea14ad04a02d4734fb1ca43601a93eb3cc1f472cf743f185033bf55a0eaa

  • SHA512

    608c2ff0e230b26f368e8bd1426241dda5560aa4e35e1e62f11dcff3dcd29155d81966a97d9e8be4951fdc5322d998299ffa5ba71542e280c2e2e16eabca1536

  • SSDEEP

    1536:rVIAfXxrfGzH+5tAnpTSLqTqaKroS4XQW:265OScn5jQROQW

Score
7/10
evasionpersistencetrojan

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops file in System32 directory 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\084e8ab27551ad960621911c161997b3.exe
    "C:\Users\Admin\AppData\Local\Temp\084e8ab27551ad960621911c161997b3.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:2080
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\fzxgpmmp.bat" "
      2⤵
      • Deletes itself
      PID:2884
    • C:\Windows\SysWOW64\spooIsv.exe
      C:\Windows\system32\spooIsv.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:1820
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Windows\SysWOW64\hmvbe.bat" "
        3⤵
          PID:2776
        • C:\Windows\SysWOW64\Isass.exe
          C:\Windows\system32\Isass.exe
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • Suspicious use of WriteProcessMemory
          PID:2608
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\Windows\SysWOW64\xptq.bat" "
            4⤵
              PID:3016
            • C:\Windows\SysWOW64\iexplore.exe
              C:\Windows\system32\iexplore.exe
              4⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Checks whether UAC is enabled
              • Drops file in System32 directory
              • Suspicious use of WriteProcessMemory
              PID:2364
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c ""C:\Windows\SysWOW64\snozowv.bat" "
                5⤵
                  PID:2784
                • C:\Windows\SysWOW64\algs.exe
                  C:\Windows\system32\algs.exe
                  5⤵
                  • Executes dropped EXE
                  • Adds Run key to start application
                  • Drops file in System32 directory
                  PID:2880

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\fzxgpmmp.bat
          Filesize

          202B

          MD5

          bc9472019a7f49551fbe0da96633d93f

          SHA1

          c8b8b980680ae1695374aaaa2367214a9a927bc8

          SHA256

          ef49f08bc3bdd96b5c307445bae447d0f19607b64ee5817fce1f99b18ffd90fc

          SHA512

          becc229920ee0d9111ecb4b72f6b2af255057c8210222dfadc11d72e84e8751dfa06aa7eb190097b86e7b48acbf0d888456cbf75b9ba00cee126331bfd38b887

          Download Submit

        • C:\Windows\SysWOW64\hmvbe.bat
          Filesize

          124B

          MD5

          2441cb1a60ddab5a190500cd4e566a60

          SHA1

          5cbb50f49a59e52b75d4a30c39dd6214b864b0e6

          SHA256

          7a0eed097d5e9061bbcea24c05d663746af6ad2c7f17f42768e6085a8b8a4dde

          SHA512

          2458194261999c62ef7c03a56cfc840a8ac47893f4285da7ab4cd7904c71b320593416a6c08990f3cdb0a74e521be4f4825c126a42e4bb4e0a5c9c78befc4875

          Download Submit

        • C:\Windows\SysWOW64\snozowv.bat
          Filesize

          129B

          MD5

          b53ab126def681231500079515d81e26

          SHA1

          ddb8a566df5cdf3525b056b2da31796856dcc5fb

          SHA256

          3709dd2e7bfe949bf3b9b2770c9b0ad0d0dd8d3effd232dc5b154637a2d5b75c

          SHA512

          ec731be3a3f92a610b27b09eb692d4d7a113e441c324dfcd6dc375a0f542253c6ce74a91be4be345c5a29a60086add0d4581b504cd14e99163f80af38b057d28

          Download Submit

        • C:\Windows\SysWOW64\xptq.bat
          Filesize

          117B

          MD5

          f1b4f94107cf526daeb3aac174e9f0d6

          SHA1

          47410518bfb4ad746d1f627228242f89748c5f44

          SHA256

          c6f49695ad22490e52799f79d6d96c58ea542e6887badbe6e4c3b179ec2fc2ac

          SHA512

          b59fa5301d527500d28319a373a1bc0aa9436a2f67c295702ccbe7d171004d104b4c810c7ee12da6f4c22e2c0e0328df57a6db936ddcf4814a67cae51791d40b

          Download Submit

        • \Windows\SysWOW64\spooIsv.exe
          Filesize

          50KB

          MD5

          084e8ab27551ad960621911c161997b3

          SHA1

          c16f00cd9deb909030ffd55157020b232b57c5fe

          SHA256

          af5eea14ad04a02d4734fb1ca43601a93eb3cc1f472cf743f185033bf55a0eaa

          SHA512

          608c2ff0e230b26f368e8bd1426241dda5560aa4e35e1e62f11dcff3dcd29155d81966a97d9e8be4951fdc5322d998299ffa5ba71542e280c2e2e16eabca1536

          Download Submit

        • memory/1820-90-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB

          Download

        • memory/2080-19-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB

          Download

        • memory/2080-0-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB

          Download

        • memory/2364-86-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB

          Download

        • memory/2364-87-0x0000000002A90000-0x0000000002ACE000-memory.dmp

          Filesize

          248KB

          Download

        • memory/2608-63-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB

          Download

        • memory/2608-42-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB

          Download

        • memory/2880-91-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB

          Download