3e638ccd4baa2b5144ee457b4ee240f91263a9b1395c72e0ad7942b24427fb7c

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
30-12-2023 02:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0af4604df0fd7e19331f98dce24ea765.exe
Size

53KB
MD5

0af4604df0fd7e19331f98dce24ea765
SHA1

88412c41902bc96cb02b15e44b576ec7f9b93076
SHA256

3e638ccd4baa2b5144ee457b4ee240f91263a9b1395c72e0ad7942b24427fb7c
SHA512

aac00b0f643614ddb3ac687b8110a4f958050d274059cadf6742e30dc49129223cb4451033394b45a7e90c2adf194ee427cfb64f5a66539db7868f695918485b
SSDEEP

768:rLp/8oqCLjLlsloNw8LI6T82taM+qdrE/rB6q7h2DJhA:rLp/8lCLjRvLI6T80aMzlOd6Kct

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2544	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2348	exp1orer.exe

Loads dropped DLL 2 IoCs

pid	Process
2240	0af4604df0fd7e19331f98dce24ea765.exe
2240	0af4604df0fd7e19331f98dce24ea765.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\exp1orer.exe	0af4604df0fd7e19331f98dce24ea765.exe
File created	C:\Windows\SysWOW64\a.bat	exp1orer.exe
File created	C:\Windows\SysWOW64\exp1orer.exe	0af4604df0fd7e19331f98dce24ea765.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2240	0af4604df0fd7e19331f98dce24ea765.exe
2348	exp1orer.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2348	2240	0af4604df0fd7e19331f98dce24ea765.exe	18
PID 2240 wrote to memory of 2348	2240	0af4604df0fd7e19331f98dce24ea765.exe	18
PID 2240 wrote to memory of 2348	2240	0af4604df0fd7e19331f98dce24ea765.exe	18
PID 2240 wrote to memory of 2348	2240	0af4604df0fd7e19331f98dce24ea765.exe	18
PID 2348 wrote to memory of 3068	2348	exp1orer.exe	17
PID 2348 wrote to memory of 3068	2348	exp1orer.exe	17
PID 2348 wrote to memory of 3068	2348	exp1orer.exe	17
PID 2348 wrote to memory of 3068	2348	exp1orer.exe	17
PID 2240 wrote to memory of 2544	2240	0af4604df0fd7e19331f98dce24ea765.exe	15
PID 2240 wrote to memory of 2544	2240	0af4604df0fd7e19331f98dce24ea765.exe	15
PID 2240 wrote to memory of 2544	2240	0af4604df0fd7e19331f98dce24ea765.exe	15
PID 2240 wrote to memory of 2544	2240	0af4604df0fd7e19331f98dce24ea765.exe	15

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\a.bat
1⤵
- Deletes itself
PID:2544

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\SysWOW64\a.bat
1⤵
PID:3068

C:\Windows\SysWOW64\exp1orer.exe
C:\Windows\system32\exp1orer.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2348

C:\Users\Admin\AppData\Local\Temp\0af4604df0fd7e19331f98dce24ea765.exe
"C:\Users\Admin\AppData\Local\Temp\0af4604df0fd7e19331f98dce24ea765.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2240

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a.bat

Filesize
86B

MD5
0b16a4576ac2df857d8a4b57e5200a30

SHA1
3b7d2585074ecb41e5c07c3386c611a1790769ae

SHA256
5488c52bcb0c82055c490c14e78678b6cb0ac8724ecbeee4963b93ded2624b49

SHA512
792e9274f544a90a41f8da13704f545c38ae1a167fa8fe45a9631c4e4b12667e2a26e6f80749369ce2f6363614ede4835b2eccf2b8edd37ae3462e41ea0aeaaa

Download Submit
C:\Windows\SysWOW64\a.bat

Filesize
62B

MD5
6f177d6a0d888cb6f60a71b5cfa533fe

SHA1
502f897cae17f3b3aeb78679f5a234f248fa9785

SHA256
24d99a605b71fcc7e04806ac919390beffb00b28d78d15acf25081eaef6ca9c5

SHA512
3a2f9aee2e8da5b18b34c232c6988d81444632374ccb161c5c81b6817e3be48ec799c26c3c9237655dc692a7ab369d0d99c249495bb4331a23caf2446681da7b

Download Submit
C:\Windows\SysWOW64\exp1orer.exe

Filesize
53KB

MD5
0af4604df0fd7e19331f98dce24ea765

SHA1
88412c41902bc96cb02b15e44b576ec7f9b93076

SHA256
3e638ccd4baa2b5144ee457b4ee240f91263a9b1395c72e0ad7942b24427fb7c

SHA512
aac00b0f643614ddb3ac687b8110a4f958050d274059cadf6742e30dc49129223cb4451033394b45a7e90c2adf194ee427cfb64f5a66539db7868f695918485b

Download Submit
C:\Windows\SysWOW64\exp1orer.exe

Filesize
34KB

MD5
652ebc7838cf8108aa9451af8b66b174

SHA1
32dade4c0e3abac8ba44333e4159cb95e0c26428

SHA256
919438a4ddc93c9a512d3093e50abd9a385f43a32e05cfe75c937a0858494ed6

SHA512
ac109ecf8d924d6aadcd8d73ba2faf9976dc999cd90cf338fdf7cb7216e6e0f785f68d5ad6957bf6c2e032a14de6a26cfe9195ce14039f6485cfb517073a4f75

Download Submit
memory/2240-0-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2240-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2240-6-0x0000000000230000-0x000000000023E000-memory.dmp

Filesize
56KB

Download
memory/2348-29-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download