77f169cee182b027c2c6d94523033f6035b15ba557e2904a641fe1290143b8be

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 02:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b10c93a5ac7fd2e1f74fbd857010153.exe
Size

19KB
MD5

0b10c93a5ac7fd2e1f74fbd857010153
SHA1

ef5054721856f40a9a5ccca137ff03d2a18512d3
SHA256

77f169cee182b027c2c6d94523033f6035b15ba557e2904a641fe1290143b8be
SHA512

e5147247dfa87ba49d0c65c157d60d778910bd04cd5c12511e4cc5db8771023a62d6724cbd6a52acafe4734eeff813e86e33f1984c6699601790345fa3d06264
SSDEEP

384:mTW/WRX7GOur0cwHwhF0JD2oOJfG/dl6NR6LDaJug4VaDP:ieg0F0JbHj6NRXJugywP

Score

8^/10

persistence

Malware Config

Signatures

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\6B0B7E94\ImagePath = "C:\\Windows\\system32\\6B0B7E94.EXE -p"	0b10c93a5ac7fd2e1f74fbd857010153.exe

Deletes itself 1 IoCs

pid	Process
2120	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2408	6B0B7E94.EXE

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\6B0B7E94.EXE	6B0B7E94.EXE
File created	C:\Windows\SysWOW64\6B0B7E94.DLL	6B0B7E94.EXE
File created	C:\Windows\SysWOW64\delme.bat	0b10c93a5ac7fd2e1f74fbd857010153.exe
File created	C:\Windows\SysWOW64\6B0B7E94.EXE	0b10c93a5ac7fd2e1f74fbd857010153.exe
File opened for modification	C:\Windows\SysWOW64\6B0B7E94.EXE	0b10c93a5ac7fd2e1f74fbd857010153.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
780	0b10c93a5ac7fd2e1f74fbd857010153.exe
2408	6B0B7E94.EXE
2408	6B0B7E94.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 780 wrote to memory of 2120	780	0b10c93a5ac7fd2e1f74fbd857010153.exe	18
PID 780 wrote to memory of 2120	780	0b10c93a5ac7fd2e1f74fbd857010153.exe	18
PID 780 wrote to memory of 2120	780	0b10c93a5ac7fd2e1f74fbd857010153.exe	18
PID 780 wrote to memory of 2120	780	0b10c93a5ac7fd2e1f74fbd857010153.exe	18

C:\Users\Admin\AppData\Local\Temp\0b10c93a5ac7fd2e1f74fbd857010153.exe
"C:\Users\Admin\AppData\Local\Temp\0b10c93a5ac7fd2e1f74fbd857010153.exe"
1⤵
- Sets service image path in registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:780
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\delme.bat
  2⤵
  - Deletes itself
  PID:2120

C:\Windows\SysWOW64\6B0B7E94.EXE
C:\Windows\SysWOW64\6B0B7E94.EXE -p
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/780-13-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/780-0-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2408-3-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2408-15-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download