2ae504d0af0a704137b45ca565ea5f9f13f2c87e6a8b091ee9abe9b4b8f7e4e1

Analysis

max time kernel
123s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 03:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0cbce195d61fc18b120c7da3bd4ebc41.exe
Size

148KB
MD5

0cbce195d61fc18b120c7da3bd4ebc41
SHA1

00d7a0b3d38c70c1f14556c30be0e92f4447d9fb
SHA256

2ae504d0af0a704137b45ca565ea5f9f13f2c87e6a8b091ee9abe9b4b8f7e4e1
SHA512

b951f269db5729bf598c7bc492a061109cc1889d5fc97e10e41f2e57c5fe4de9c5e800acb20b3f2bc31f5376c7312e50246722c321ac0eca9d2b39b0661829b0
SSDEEP

3072:/mirz3R1ie2b5fDxFhMOy9craBcbkVmcuXfP8axtxAZShHCEWyHkg0xynsRkzJiR:bDahMOy9craB2ariH8axtxAZShHCEWyI

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1976	cmd.exe

Executes dropped EXE 5 IoCs

pid	Process
2700	firewall.exe
2728	csrs.exe
2536	firewall.exe
2544	winamp.exe
896	spooIsv.exe

Loads dropped DLL 10 IoCs

pid	Process
1252	0cbce195d61fc18b120c7da3bd4ebc41.exe
1252	0cbce195d61fc18b120c7da3bd4ebc41.exe
2700	firewall.exe
2700	firewall.exe
2728	csrs.exe
2728	csrs.exe
2536	firewall.exe
2536	firewall.exe
2544	winamp.exe
2544	winamp.exe

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\csrs.exe	firewall.exe
File created	C:\Windows\SysWOW64\firewall.exe	csrs.exe
File opened for modification	C:\Windows\SysWOW64\winamp.exe	firewall.exe
File opened for modification	C:\Windows\SysWOW64\firewall.exe	0cbce195d61fc18b120c7da3bd4ebc41.exe
File created	C:\Windows\SysWOW64\dcpfrnv.bat	firewall.exe
File created	C:\Windows\SysWOW64\spooIsv.exe	winamp.exe
File created	C:\Windows\SysWOW64\winamp.exe	firewall.exe
File created	C:\Windows\SysWOW64\wtpc.bat	winamp.exe
File opened for modification	C:\Windows\SysWOW64\csrs.exe	firewall.exe
File opened for modification	C:\Windows\SysWOW64\firewall.exe	csrs.exe
File created	C:\Windows\SysWOW64\stvv.bat	csrs.exe
File created	C:\Windows\SysWOW64\firewall.exe	0cbce195d61fc18b120c7da3bd4ebc41.exe
File created	C:\Windows\SysWOW64\fjuo.bat	firewall.exe
File opened for modification	C:\Windows\SysWOW64\spooIsv.exe	winamp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 1252 wrote to memory of 1976	1252	0cbce195d61fc18b120c7da3bd4ebc41.exe	28
PID 1252 wrote to memory of 1976	1252	0cbce195d61fc18b120c7da3bd4ebc41.exe	28
PID 1252 wrote to memory of 1976	1252	0cbce195d61fc18b120c7da3bd4ebc41.exe	28
PID 1252 wrote to memory of 1976	1252	0cbce195d61fc18b120c7da3bd4ebc41.exe	28
PID 1252 wrote to memory of 2700	1252	0cbce195d61fc18b120c7da3bd4ebc41.exe	30
PID 1252 wrote to memory of 2700	1252	0cbce195d61fc18b120c7da3bd4ebc41.exe	30
PID 1252 wrote to memory of 2700	1252	0cbce195d61fc18b120c7da3bd4ebc41.exe	30
PID 1252 wrote to memory of 2700	1252	0cbce195d61fc18b120c7da3bd4ebc41.exe	30
PID 2700 wrote to memory of 2956	2700	firewall.exe	32
PID 2700 wrote to memory of 2956	2700	firewall.exe	32
PID 2700 wrote to memory of 2956	2700	firewall.exe	32
PID 2700 wrote to memory of 2956	2700	firewall.exe	32
PID 2700 wrote to memory of 2728	2700	firewall.exe	33
PID 2700 wrote to memory of 2728	2700	firewall.exe	33
PID 2700 wrote to memory of 2728	2700	firewall.exe	33
PID 2700 wrote to memory of 2728	2700	firewall.exe	33
PID 2728 wrote to memory of 2532	2728	csrs.exe	35
PID 2728 wrote to memory of 2532	2728	csrs.exe	35
PID 2728 wrote to memory of 2532	2728	csrs.exe	35
PID 2728 wrote to memory of 2532	2728	csrs.exe	35
PID 2728 wrote to memory of 2536	2728	csrs.exe	36
PID 2728 wrote to memory of 2536	2728	csrs.exe	36
PID 2728 wrote to memory of 2536	2728	csrs.exe	36
PID 2728 wrote to memory of 2536	2728	csrs.exe	36
PID 2536 wrote to memory of 2432	2536	firewall.exe	39
PID 2536 wrote to memory of 2432	2536	firewall.exe	39
PID 2536 wrote to memory of 2432	2536	firewall.exe	39
PID 2536 wrote to memory of 2432	2536	firewall.exe	39
PID 2536 wrote to memory of 2544	2536	firewall.exe	38
PID 2536 wrote to memory of 2544	2536	firewall.exe	38
PID 2536 wrote to memory of 2544	2536	firewall.exe	38
PID 2536 wrote to memory of 2544	2536	firewall.exe	38
PID 2544 wrote to memory of 320	2544	winamp.exe	41
PID 2544 wrote to memory of 320	2544	winamp.exe	41
PID 2544 wrote to memory of 320	2544	winamp.exe	41
PID 2544 wrote to memory of 320	2544	winamp.exe	41
PID 2544 wrote to memory of 896	2544	winamp.exe	42
PID 2544 wrote to memory of 896	2544	winamp.exe	42
PID 2544 wrote to memory of 896	2544	winamp.exe	42
PID 2544 wrote to memory of 896	2544	winamp.exe	42

C:\Users\Admin\AppData\Local\Temp\0cbce195d61fc18b120c7da3bd4ebc41.exe
"C:\Users\Admin\AppData\Local\Temp\0cbce195d61fc18b120c7da3bd4ebc41.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1252
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\mdudxz.bat" "
  2⤵
  - Deletes itself
  PID:1976
- C:\Windows\SysWOW64\firewall.exe
  C:\Windows\system32\firewall.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\SysWOW64\dcpfrnv.bat" "
    3⤵
    PID:2956
- - C:\Windows\SysWOW64\csrs.exe
    C:\Windows\system32\csrs.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Windows\SysWOW64\stvv.bat" "
      4⤵
      PID:2532
  - - C:\Windows\SysWOW64\firewall.exe
      C:\Windows\system32\firewall.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2536
    - - C:\Windows\SysWOW64\winamp.exe
        
        C:\Windows\system32\winamp.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2544
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\SysWOW64\wtpc.bat" "
        6⤵
        
        PID:320
      - C:\Windows\SysWOW64\spooIsv.exe
        
        C:\Windows\system32\spooIsv.exe
        6⤵
        Executes dropped EXE
        
        PID:896
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\SysWOW64\fjuo.bat" "
        5⤵
        
        PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mdudxz.bat

Filesize
200B

MD5
d93134a7859763f0596e786835e289e3

SHA1
d3d04616e4ead7c189b6b58b753bd4d4dc534829

SHA256
7e11ca25c9bcd24befaaf4b5cf038d73214f8315a69ca89d20bf4d411db88fbb

SHA512
db21bd59c258f58ba0c9390d755113588c3a81ae2f6563d2343a2cac20ff92458fc7dec66846955f0401cf18db2f4ca561106a3337bb86737199f4b5c7ad0fa5

Download Submit
C:\Windows\SysWOW64\csrs.exe

Filesize
70KB

MD5
7f760a13108098e3e6e79480f8ce1ca8

SHA1
7600a020cd894f410a7073b26066b98e2ed2a8ad

SHA256
918b24201372d8ff530baf4c785dc03e7ce853603eda1df4699f3a25ddd45421

SHA512
60f63f0ac87abfa26fae30a2c545724aa8ddaa2d12f58792abae9cb555dfcc465dc9e1590ff3b3e5edeb5f8220f5c5439eadc3efbe75232e9850d0d59e08c747

Download Submit
C:\Windows\SysWOW64\dcpfrnv.bat

Filesize
129B

MD5
d5d02a5a6a8702b15a294f822b94c273

SHA1
486f1d7582bd7e34bd6a1644732de263fa5b9bce

SHA256
9de1a4517c24950a21e1143eff70fc518adf4fe0b521c3e670889f69993db40e

SHA512
9d974e53c018d799be4c2a25d7705d4ec976164b45be91366f2cc0d34c2d86eec4ccf69ed4aa9524fb2184721d86f75090b4ed683d67b215fe8cb6b92873ff0c

Download Submit
C:\Windows\SysWOW64\fjuo.bat

Filesize
126B

MD5
bfb6ba6116417d9096d512d3a7ae04cf

SHA1
753cf13db62aa6c9ac444fe89f1421c0888cc074

SHA256
db16af92f889e1a2b97d983001f587542c6ca7eba886491530a1b7dfd56f129f

SHA512
3ca922516866be475e7a1bd0a1f5966f0d689afa99c4df7e17fef5f1131644c977d9ce3e0ad74b1048c6ffccb4690866db30818901d0d82490deb6f9966d9313

Download Submit
C:\Windows\SysWOW64\spooIsv.exe

Filesize
34KB

MD5
288a2d3c16ce9c9c1ad905d3b2b1b844

SHA1
d3792d9f56148a6ffbee02ffeda89e3a5468baad

SHA256
2bd0d681bcf8e1d66ffd7bfba7bcd92fbd58a09ec29a7662c3585012567dcadb

SHA512
e9a5f63e41b68948eb553777b426096b5b3add4cd82cdcd601f9f41be60631620f7fa1ff428c51e19cc97b336b162433c89b0394ede81d48e051f31650207553

Download Submit
C:\Windows\SysWOW64\stvv.bat

Filesize
114B

MD5
43b6476be021362efd5e81b2cd5b9b45

SHA1
3eec3e01bccbc31b6d2d3668abba387c07dc8e2b

SHA256
05645737ab8b14dfcd680ac1b8f3f77015aed804c38a066b6c1821d936e8668a

SHA512
442d17b33cb5cebb9911ead276c6e67a680cb7d45eb72605126c1e79c7fe93e6fbed1dcf6c4e158d73d8ceeffd23a7dfce0fd975218c4da6e636cb8f14323074

Download Submit
C:\Windows\SysWOW64\wtpc.bat

Filesize
120B

MD5
09bf5184062d3620911d240f49346298

SHA1
b1901adbe6fef12c7bc4031d4f3c52856510af57

SHA256
1b6c3fe5088ef4e8c18927df9c94dab175197b4081ba4eb79b663bb5db1fff17

SHA512
ea275a73473a1b4286cd4ece2abe77bff963495c819f5cc740556f90b75240466e6e3feb30cfd592113de1e8adfdd42db0fdf5beb3833006eed1a655cb86b1cf

Download Submit
\Windows\SysWOW64\csrs.exe

Filesize
142KB

MD5
c0827db5a3eedd6d66142444d9ff28f4

SHA1
216e898f704ed4378cf4dac2eff85959992aa6cc

SHA256
e77ed258ce039333f5eb375210ddd8786355408458651d786744689decaf02fd

SHA512
7b0af6d0e7d674378a9f164df90b383768a227f641061ae221cef601144a96e5fc77c0d491794492a9f33304c841bfa688c56b448498141419c7011e1bd1dab7

Download Submit
\Windows\SysWOW64\csrs.exe

Filesize
99KB

MD5
b626ff086fb2f7a5b2bb07a98505bd72

SHA1
b3e987e1493231515062e5d1cb97197a65af431b

SHA256
12e415dcca2e180f362e574dc8cad19c876c80c2858d00ad9002058312e7ced8

SHA512
888699f09bb945019a5533a0c52109a4fc198d320b2e3d9fbbe1daaee6077bcbc238f29d2f9ba3dc21a5ec761bca0a59371940988cade487090d32765867f9b9

Download Submit
\Windows\SysWOW64\firewall.exe

Filesize
148KB

MD5
0cbce195d61fc18b120c7da3bd4ebc41

SHA1
00d7a0b3d38c70c1f14556c30be0e92f4447d9fb

SHA256
2ae504d0af0a704137b45ca565ea5f9f13f2c87e6a8b091ee9abe9b4b8f7e4e1

SHA512
b951f269db5729bf598c7bc492a061109cc1889d5fc97e10e41f2e57c5fe4de9c5e800acb20b3f2bc31f5376c7312e50246722c321ac0eca9d2b39b0661829b0

Download Submit
\Windows\SysWOW64\spooIsv.exe

Filesize
21KB

MD5
13ae7b408a50822a9bae0cf6bd682848

SHA1
6e6e1a1b2ada54bf117313f7c00b22df99616836

SHA256
39bac069b36808bd53830297aa3783352379b95e2cf93d453d242dbb5316497e

SHA512
aef27d7b81ea9e2c36fae466b390fc172ada956ded8f130108dae847a7c666fc3119580ea4ea9114d762ac9e6c2c7235feab1b49b7db98d8791282935a1854d2

Download Submit
\Windows\SysWOW64\spooIsv.exe

Filesize
67KB

MD5
71454a367a5cb51c2ee0cf86ce58580f

SHA1
dbacb92ac1b2a7c19697963194daa64a451ab370

SHA256
0f640b5b72a98ee21c7407e13352a6bb2a4ba073bf29eaabeb62d5c777b5b744

SHA512
ee91da3b25caa86ed9b888dea8f1a72d6d9cd6b1d1def81282530989287d775064407c65d1068b37a3e10e18d94b4848f699dc0035d14f9040b48f8d5e1302b1

Download Submit
memory/896-116-0x0000000000400000-0x000000000093BD8C-memory.dmp

Filesize
5.2MB

Download
memory/1252-0-0x0000000000400000-0x000000000093BD8C-memory.dmp

Filesize
5.2MB

Download
memory/1252-115-0x0000000002CC0000-0x00000000031FC000-memory.dmp

Filesize
5.2MB

Download
memory/1252-21-0x0000000002CC0000-0x00000000031FC000-memory.dmp

Filesize
5.2MB

Download
memory/1252-19-0x0000000000400000-0x000000000093BD8C-memory.dmp

Filesize
5.2MB

Download
memory/2536-86-0x0000000002B80000-0x00000000030BC000-memory.dmp

Filesize
5.2MB

Download
memory/2536-92-0x0000000000400000-0x000000000093BD8C-memory.dmp

Filesize
5.2MB

Download
memory/2536-69-0x0000000000400000-0x000000000093BD8C-memory.dmp

Filesize
5.2MB

Download
memory/2544-93-0x0000000000400000-0x000000000093BD8C-memory.dmp

Filesize
5.2MB

Download
memory/2544-119-0x0000000000400000-0x000000000093BD8C-memory.dmp

Filesize
5.2MB

Download
memory/2700-23-0x0000000000400000-0x000000000093BD8C-memory.dmp

Filesize
5.2MB

Download
memory/2700-44-0x0000000000400000-0x000000000093BD8C-memory.dmp

Filesize
5.2MB

Download
memory/2700-46-0x0000000002BC0000-0x00000000030FC000-memory.dmp

Filesize
5.2MB

Download
memory/2700-117-0x0000000002BC0000-0x00000000030FC000-memory.dmp

Filesize
5.2MB

Download
memory/2728-47-0x0000000000400000-0x000000000093BD8C-memory.dmp

Filesize
5.2MB

Download
memory/2728-118-0x0000000000400000-0x000000000093BD8C-memory.dmp

Filesize
5.2MB

Download