7c37bffc2c472899ba78dc4279c8824b21e0cdfde8bf52af39ca2cc084db539e

Analysis

max time kernel
122s
max time network
137s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 13:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19d4a83426aef700371f3a9f48dbc87c.exe
Size

268KB
MD5

19d4a83426aef700371f3a9f48dbc87c
SHA1

b7adfd23a802bdfc09df8856e2e6b41d857fc80c
SHA256

7c37bffc2c472899ba78dc4279c8824b21e0cdfde8bf52af39ca2cc084db539e
SHA512

cb1bfccc29191b62dd8c86ce69865c6246d0530f3220b799e966b309fee290cd084a27e2ca9d683aa04c703322d4b7144131de6395a242cc74eae0a0edac5103
SSDEEP

3072:TcaV8chwvZoE4aEmp+vRQzHcdu3orMjRX74QjqVmxtddPf1:TcaV8uwHBEeRHcQ3lL9ZxtvP9

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2456	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2392	qlhjus.exe

Loads dropped DLL 2 IoCs

pid	Process
2456	cmd.exe
2456	cmd.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2368	PING.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2572 wrote to memory of 2456	2572	19d4a83426aef700371f3a9f48dbc87c.exe	28
PID 2572 wrote to memory of 2456	2572	19d4a83426aef700371f3a9f48dbc87c.exe	28
PID 2572 wrote to memory of 2456	2572	19d4a83426aef700371f3a9f48dbc87c.exe	28
PID 2572 wrote to memory of 2456	2572	19d4a83426aef700371f3a9f48dbc87c.exe	28
PID 2456 wrote to memory of 2392	2456	cmd.exe	30
PID 2456 wrote to memory of 2392	2456	cmd.exe	30
PID 2456 wrote to memory of 2392	2456	cmd.exe	30
PID 2456 wrote to memory of 2392	2456	cmd.exe	30
PID 2456 wrote to memory of 2368	2456	cmd.exe	31
PID 2456 wrote to memory of 2368	2456	cmd.exe	31
PID 2456 wrote to memory of 2368	2456	cmd.exe	31
PID 2456 wrote to memory of 2368	2456	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\19d4a83426aef700371f3a9f48dbc87c.exe
"C:\Users\Admin\AppData\Local\Temp\19d4a83426aef700371f3a9f48dbc87c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2572
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\fskmvsz.bat
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2456
- - C:\Users\Admin\AppData\Local\Temp\qlhjus.exe
    "C:\Users\Admin\AppData\Local\Temp\qlhjus.exe"
    3⤵
    - Executes dropped EXE
    PID:2392
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fskmvsz.bat

Filesize
124B

MD5
2d95104eec7772e697e20121e56e5758

SHA1
7c9a36f85066daa2ba5a55adaf23981ce552b1db

SHA256
8fcd37afa8d018ba047fa93058d82b55da45ef84a8435fdcccae6770164de0a9

SHA512
c9f465ea44904c24868a7f3a03f736ef7e05da9b433b7b480ae175eff7f839478a97968ffda6b68c272f879e713de239deb7dc763cef467d1f2da157e509ab6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\jvsmji.bat

Filesize
156B

MD5
5d24f9309967531273bf355fa44ef885

SHA1
a9aa766b882f432f4894d7d75e37b78dce6d5a50

SHA256
ffb952a6298d2e5d245899b4ff5ac690abe26081fa474dfcc8517ccba8da5886

SHA512
c304aa2011b9708191f1b19fa6973da2577f0c496520b18ee4d493bd908bd431229f6af81bd4235b39adc2a1bebaec0cb82013c153655899204c04a5ad1248b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\qlhjus.exe

Filesize
176KB

MD5
9aea21056c427c15bc00f60810e662d1

SHA1
eac784309843d858c7f1f5c302735beb365ad30c

SHA256
10ee828322a00f44e6efbf8cc0ad1868f4eabf1b838dbb576c5a9357e8a24605

SHA512
04a1d1f4976ed87b5a71a81b83fd375e3592ce360300211d265fd55d022b29a7887fdc912017c863afbe5d159a2ae920c914a0630bc0fb0d53d3375f1f242983

Download Submit