84d5a89098e572c70875eb34b8b1e1afec6d62a9479087a324aa9935d67792d1

Analysis

max time kernel
121s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 04:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0dd7be06304eeef29f283a6831f266eb.exe
Size

521KB
MD5

0dd7be06304eeef29f283a6831f266eb
SHA1

63d30c952f5d67fa471755b1730ecd65f85f752e
SHA256

84d5a89098e572c70875eb34b8b1e1afec6d62a9479087a324aa9935d67792d1
SHA512

3c046d38473d6e8d7ee5434a5b11c4cbca5764de004574fb4737c5a4a51e48ac5e02065ecb8b734fbdf3679d7af0952ecad7324dea909f251e0c3cdc4cfafcb0
SSDEEP

12288:b79WjXvHsLll59YOBrzkr51us7TPyF9j8bx7B:b79nB9vR+r7jiFU7B

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2816	InstallIme.exe

Loads dropped DLL 6 IoCs

pid	Process
2756	cmd.exe
2816	InstallIme.exe
2816	InstallIme.exe
2816	InstallIme.exe
2816	InstallIme.exe
2816	InstallIme.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Winabc.cwd	0dd7be06304eeef29f283a6831f266eb.exe
File created	C:\Windows\SysWOW64\Winabc.ovl	0dd7be06304eeef29f283a6831f266eb.exe
File created	C:\Windows\SysWOW64\Winabc.cwd	0dd7be06304eeef29f283a6831f266eb.exe
File created	C:\Windows\SysWOW64\winabc.ime	0dd7be06304eeef29f283a6831f266eb.exe
File opened for modification	C:\Windows\SysWOW64\winabc.ime	0dd7be06304eeef29f283a6831f266eb.exe
File opened for modification	C:\Windows\SysWOW64\Winabc.ovl	0dd7be06304eeef29f283a6831f266eb.exe
File created	C:\Windows\SysWOW64\InstallIme.exe	0dd7be06304eeef29f283a6831f266eb.exe
File opened for modification	C:\Windows\SysWOW64\InstallIme.exe	0dd7be06304eeef29f283a6831f266eb.exe
File created	C:\Windows\SysWOW64\abc.bat	0dd7be06304eeef29f283a6831f266eb.exe
File opened for modification	C:\Windows\SysWOW64\abc.bat	0dd7be06304eeef29f283a6831f266eb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1340 wrote to memory of 2756	1340	0dd7be06304eeef29f283a6831f266eb.exe	28
PID 1340 wrote to memory of 2756	1340	0dd7be06304eeef29f283a6831f266eb.exe	28
PID 1340 wrote to memory of 2756	1340	0dd7be06304eeef29f283a6831f266eb.exe	28
PID 1340 wrote to memory of 2756	1340	0dd7be06304eeef29f283a6831f266eb.exe	28
PID 2756 wrote to memory of 2816	2756	cmd.exe	30
PID 2756 wrote to memory of 2816	2756	cmd.exe	30
PID 2756 wrote to memory of 2816	2756	cmd.exe	30
PID 2756 wrote to memory of 2816	2756	cmd.exe	30
PID 2756 wrote to memory of 2816	2756	cmd.exe	30
PID 2756 wrote to memory of 2816	2756	cmd.exe	30
PID 2756 wrote to memory of 2816	2756	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\0dd7be06304eeef29f283a6831f266eb.exe
"C:\Users\Admin\AppData\Local\Temp\0dd7be06304eeef29f283a6831f266eb.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1340
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Windows\System32\abc.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Windows\SysWOW64\InstallIme.exe
    InstallIme.exe WinABC.ime ╓╟─▄ABC
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\InstallIme.exe

Filesize
13KB

MD5
dbc380afd5b811dd18159109ff8011a0

SHA1
5659063c172c1ac024533bbc395d757343c7a9e8

SHA256
0382ce9fd4f9ef7c7f7070f2ffb1c2f004611f6d4af23e3cdfef2fd2d2b47c2b

SHA512
103c369295fb0fda548041ed4028447f65f266d671b94ec888abe610a6e9b15f713f85fb90240156abe7bb0309d578d0db23df38ae28f5a17275e0ea6f5be6ce

Download Submit
C:\Windows\SysWOW64\WinABC.ime

Filesize
161KB

MD5
f0536dc3882a9692de51f996a799b986

SHA1
d504e2e96083bb2b4d38b9da56a093b60f2607ef

SHA256
1f33f3dc7b19f2e316738f7be5547ad087b79b4615ebafa66b8cdd88894fdfda

SHA512
67a8ee246983d3ad42e1f58d7f8d16781cc902dad242913b922fd2b63cdee2d228c68e7245370e56f756173d056dfe6266d0462262e3ee2095f65e7769255f20

Download Submit
C:\Windows\SysWOW64\abc.bat

Filesize
33B

MD5
b76965645c5148231a785f48a5077c9b

SHA1
03363d157657324aed0a873b1ae76960af648c00

SHA256
20c15159c70c3807597ac0f9f08937f0402f51eda155f90db462af9e7b40f9d2

SHA512
2ec05d1efc0c582a14657bafe1bc04474831beebfbafba39eecc58a409fccf13835662778abd55a513dcd5b18022ea8bc4d5d8fd24982d060242d7a8f80450d5

Download Submit
memory/2816-24-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download