3c85a2c9a83d359e6a3000d7982e5ec1e48b44a374a112307d2ecfc91f04d0e4

Analysis

max time kernel
121s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30-12-2023 03:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d6babdc42d3e27d6217f91c38850c5b.exe
Size

553KB
MD5

0d6babdc42d3e27d6217f91c38850c5b
SHA1

a20d9a4dbb1063933a1d90e690a0c197689d60d8
SHA256

3c85a2c9a83d359e6a3000d7982e5ec1e48b44a374a112307d2ecfc91f04d0e4
SHA512

0d5f714698bda599bb0a2bdd105c5e4053675235546ca7050803c7e12fc6be15429ec5f4c58761ba1c816a70b336a20f8514330b8f12d6118a14803caf6f3eb7
SSDEEP

12288:gC8LZQFsWRK5l4NAK3pgopObii41xsxlj62:wnWRK5l4NX3pD6iiSQj/

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2812	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2856	RemoteAbc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2856 set thread context of 2716	2856	RemoteAbc.exe	31

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\RemoteAbc.exe	0d6babdc42d3e27d6217f91c38850c5b.exe
File created	C:\Windows\RemoteAbc.exe	0d6babdc42d3e27d6217f91c38850c5b.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 2812	1992	0d6babdc42d3e27d6217f91c38850c5b.exe	29
PID 1992 wrote to memory of 2812	1992	0d6babdc42d3e27d6217f91c38850c5b.exe	29
PID 1992 wrote to memory of 2812	1992	0d6babdc42d3e27d6217f91c38850c5b.exe	29
PID 1992 wrote to memory of 2812	1992	0d6babdc42d3e27d6217f91c38850c5b.exe	29
PID 2856 wrote to memory of 2716	2856	RemoteAbc.exe	31
PID 2856 wrote to memory of 2716	2856	RemoteAbc.exe	31
PID 2856 wrote to memory of 2716	2856	RemoteAbc.exe	31
PID 2856 wrote to memory of 2716	2856	RemoteAbc.exe	31
PID 2856 wrote to memory of 2716	2856	RemoteAbc.exe	31
PID 2856 wrote to memory of 2716	2856	RemoteAbc.exe	31

C:\Users\Admin\AppData\Local\Temp\0d6babdc42d3e27d6217f91c38850c5b.exe
"C:\Users\Admin\AppData\Local\Temp\0d6babdc42d3e27d6217f91c38850c5b.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\4274.bat
  2⤵
  - Deletes itself
  PID:2812

C:\Windows\RemoteAbc.exe
C:\Windows\RemoteAbc.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\system32\svchost.exe" 852
  2⤵
  PID:2716

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4274.bat

Filesize
198B

MD5
f9dff48a9b36ed3b8c12d3c71af3f603

SHA1
455d1d9a6b629621d584e7bc5334a536a1e7f2d5

SHA256
5c3de06c51ed0bd00bade20684db990a21e27ba52e062d11c40a12f9b628587a

SHA512
d04447754d0ca31da9afabd451c5c7f4ed1cbb0c8061ee88624a0e606e0e508e38ca0cf6d4f8fde65b1ff479633f8f11b17881c7793126bed83f4e340b8e7166

Download Submit
C:\Windows\RemoteAbc.exe

Filesize
553KB

MD5
0d6babdc42d3e27d6217f91c38850c5b

SHA1
a20d9a4dbb1063933a1d90e690a0c197689d60d8

SHA256
3c85a2c9a83d359e6a3000d7982e5ec1e48b44a374a112307d2ecfc91f04d0e4

SHA512
0d5f714698bda599bb0a2bdd105c5e4053675235546ca7050803c7e12fc6be15429ec5f4c58761ba1c816a70b336a20f8514330b8f12d6118a14803caf6f3eb7

Download Submit
memory/1992-0-0x0000000000400000-0x0000000000492200-memory.dmp

Filesize
584KB

Download
memory/1992-1-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1992-16-0x0000000000400000-0x0000000000492200-memory.dmp

Filesize
584KB

Download
memory/2716-18-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2716-20-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/2716-22-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/2856-6-0x0000000000400000-0x0000000000492200-memory.dmp

Filesize
584KB

Download
memory/2856-7-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2856-24-0x0000000000400000-0x0000000000492200-memory.dmp

Filesize
584KB

Download