7d465be893cbaab0885d80b1b2f1fd1d939b0d2c73efdb183328eb09bb27a995

Analysis

max time kernel
162s
max time network
140s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30-12-2023 04:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ef68d9225abd0e84ea349ea8a0e4761.exe
Size

9KB
MD5

0ef68d9225abd0e84ea349ea8a0e4761
SHA1

ebfe363e3bc720a968f9237e931d224492074daf
SHA256

7d465be893cbaab0885d80b1b2f1fd1d939b0d2c73efdb183328eb09bb27a995
SHA512

6bafc75753d23eaacfe199a304067d81cab61ae8ab180ac19447ed3648af13c922dd7a49ca516a9267087019f3c6c1a809d98502df2f6103947473a3e76ac760
SSDEEP

96:wY/lY40QSr+wiaswGhqbeHPNMwcvdOCZNJ/nBobCPRsc2OWeiYRmHVhzv0PZUySa:XYR+wywEqQMwR6JnRY6i5HnzmaTg

Score

8^/10

persistence upx

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Deletes itself 1 IoCs

pid	Process
2844	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2052	offeceok.exe

Loads dropped DLL 2 IoCs

pid	Process
2640	0ef68d9225abd0e84ea349ea8a0e4761.exe
2640	0ef68d9225abd0e84ea349ea8a0e4761.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2640-0-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/files/0x0008000000012284-3.dat	upx
behavioral1/memory/2640-4-0x00000000002C0000-0x00000000002CE000-memory.dmp	upx
behavioral1/memory/2052-11-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/2640-12-0x0000000000400000-0x000000000040E000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\offeceok.exe	0ef68d9225abd0e84ea349ea8a0e4761.exe
File opened for modification	C:\Windows\SysWOW64\offeceok.exe	0ef68d9225abd0e84ea349ea8a0e4761.exe
File created	C:\Windows\SysWOW64\offeceo.dll	0ef68d9225abd0e84ea349ea8a0e4761.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 2052	2640	0ef68d9225abd0e84ea349ea8a0e4761.exe	28
PID 2640 wrote to memory of 2052	2640	0ef68d9225abd0e84ea349ea8a0e4761.exe	28
PID 2640 wrote to memory of 2052	2640	0ef68d9225abd0e84ea349ea8a0e4761.exe	28
PID 2640 wrote to memory of 2052	2640	0ef68d9225abd0e84ea349ea8a0e4761.exe	28
PID 2640 wrote to memory of 2844	2640	0ef68d9225abd0e84ea349ea8a0e4761.exe	31
PID 2640 wrote to memory of 2844	2640	0ef68d9225abd0e84ea349ea8a0e4761.exe	31
PID 2640 wrote to memory of 2844	2640	0ef68d9225abd0e84ea349ea8a0e4761.exe	31
PID 2640 wrote to memory of 2844	2640	0ef68d9225abd0e84ea349ea8a0e4761.exe	31

C:\Users\Admin\AppData\Local\Temp\0ef68d9225abd0e84ea349ea8a0e4761.exe
"C:\Users\Admin\AppData\Local\Temp\0ef68d9225abd0e84ea349ea8a0e4761.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Windows\SysWOW64\offeceok.exe
  C:\Windows\system32\offeceok.exe ˜‰
  2⤵
  - Executes dropped EXE
  PID:2052
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\0ef68d9225abd0e84ea349ea8a0e4761.exe.bat
  2⤵
  - Deletes itself
  PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0ef68d9225abd0e84ea349ea8a0e4761.exe.bat

Filesize
182B

MD5
90b9d1b67f5f1bbbb1a267814c9d4e18

SHA1
441279061aa1f45b9890dc95844f9593e56f3b3b

SHA256
78e3f44e21885119f80887ff7ef2a65219520e91204985c5b7e29d8602aebaff

SHA512
3d39d7b29926f1c0e6e747bae567145fd1e4125e77352c2f2ee83156e5c8b29d0e6aabbe6723fdabd7a57a73851e7086356ed173e89b042ad354d02e986e75f8

Download Submit
\Windows\SysWOW64\offeceok.exe

Filesize
9KB

MD5
0ef68d9225abd0e84ea349ea8a0e4761

SHA1
ebfe363e3bc720a968f9237e931d224492074daf

SHA256
7d465be893cbaab0885d80b1b2f1fd1d939b0d2c73efdb183328eb09bb27a995

SHA512
6bafc75753d23eaacfe199a304067d81cab61ae8ab180ac19447ed3648af13c922dd7a49ca516a9267087019f3c6c1a809d98502df2f6103947473a3e76ac760

Download Submit
memory/2052-11-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2640-0-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2640-4-0x00000000002C0000-0x00000000002CE000-memory.dmp

Filesize
56KB

Download
memory/2640-12-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download