1ea24803aec7be812001df5509285b29f3c963e1604c55b2957443212937f847

Analysis

max time kernel
149s
max time network
147s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 00:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20f0c29b9cee60d6a40a0bfc2a942d11.exe
Size

414KB
MD5

20f0c29b9cee60d6a40a0bfc2a942d11
SHA1

682f1f99edb0e74b26f0f6fda255cce9e24c4211
SHA256

1ea24803aec7be812001df5509285b29f3c963e1604c55b2957443212937f847
SHA512

c7fe2e9323ce0160f691e1bb6ed74abf0f5355a241373ab48378f02b2a96afa7be08d840c8bec1e33195cef94f08c3b646abbd3b85fc2536bb2d71667452560b
SSDEEP

6144:r5CFwkrdy8ly0ZYv5b234BBWDoP1e6AqCJsaE+N8PVT5BcOsi:d+widyjEYv5b2IADoP15J4YBBr

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2452	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1976	ebsaum.exe

Loads dropped DLL 2 IoCs

pid	Process
2296	20f0c29b9cee60d6a40a0bfc2a942d11.exe
2296	20f0c29b9cee60d6a40a0bfc2a942d11.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\{40C758C8-CEFB-AD4E-7138-F2B16CEAD1AC} = "C:\\Users\\Admin\\AppData\\Roaming\\Seiqvu\\ebsaum.exe"	ebsaum.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2296 set thread context of 2452	2296	20f0c29b9cee60d6a40a0bfc2a942d11.exe	29

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
1976	ebsaum.exe
1976	ebsaum.exe
1976	ebsaum.exe
1976	ebsaum.exe
1976	ebsaum.exe
1976	ebsaum.exe
1976	ebsaum.exe
1976	ebsaum.exe
1976	ebsaum.exe
1976	ebsaum.exe
1976	ebsaum.exe
1976	ebsaum.exe
1976	ebsaum.exe
1976	ebsaum.exe
1976	ebsaum.exe
1976	ebsaum.exe
1976	ebsaum.exe
1976	ebsaum.exe
1976	ebsaum.exe
1976	ebsaum.exe
1976	ebsaum.exe
1976	ebsaum.exe
1976	ebsaum.exe
1976	ebsaum.exe
1976	ebsaum.exe
1976	ebsaum.exe
1976	ebsaum.exe
1976	ebsaum.exe
1976	ebsaum.exe
1976	ebsaum.exe
1976	ebsaum.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2296	20f0c29b9cee60d6a40a0bfc2a942d11.exe
1976	ebsaum.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 1976	2296	20f0c29b9cee60d6a40a0bfc2a942d11.exe	28
PID 2296 wrote to memory of 1976	2296	20f0c29b9cee60d6a40a0bfc2a942d11.exe	28
PID 2296 wrote to memory of 1976	2296	20f0c29b9cee60d6a40a0bfc2a942d11.exe	28
PID 2296 wrote to memory of 1976	2296	20f0c29b9cee60d6a40a0bfc2a942d11.exe	28
PID 1976 wrote to memory of 1076	1976	ebsaum.exe	11
PID 1976 wrote to memory of 1076	1976	ebsaum.exe	11
PID 1976 wrote to memory of 1076	1976	ebsaum.exe	11
PID 1976 wrote to memory of 1076	1976	ebsaum.exe	11
PID 1976 wrote to memory of 1076	1976	ebsaum.exe	11
PID 1976 wrote to memory of 1140	1976	ebsaum.exe	10
PID 1976 wrote to memory of 1140	1976	ebsaum.exe	10
PID 1976 wrote to memory of 1140	1976	ebsaum.exe	10
PID 1976 wrote to memory of 1140	1976	ebsaum.exe	10
PID 1976 wrote to memory of 1140	1976	ebsaum.exe	10
PID 1976 wrote to memory of 1196	1976	ebsaum.exe	8
PID 1976 wrote to memory of 1196	1976	ebsaum.exe	8
PID 1976 wrote to memory of 1196	1976	ebsaum.exe	8
PID 1976 wrote to memory of 1196	1976	ebsaum.exe	8
PID 1976 wrote to memory of 1196	1976	ebsaum.exe	8
PID 1976 wrote to memory of 1580	1976	ebsaum.exe	3
PID 1976 wrote to memory of 1580	1976	ebsaum.exe	3
PID 1976 wrote to memory of 1580	1976	ebsaum.exe	3
PID 1976 wrote to memory of 1580	1976	ebsaum.exe	3
PID 1976 wrote to memory of 1580	1976	ebsaum.exe	3
PID 1976 wrote to memory of 2296	1976	ebsaum.exe	16
PID 1976 wrote to memory of 2296	1976	ebsaum.exe	16
PID 1976 wrote to memory of 2296	1976	ebsaum.exe	16
PID 1976 wrote to memory of 2296	1976	ebsaum.exe	16
PID 1976 wrote to memory of 2296	1976	ebsaum.exe	16
PID 2296 wrote to memory of 2452	2296	20f0c29b9cee60d6a40a0bfc2a942d11.exe	29
PID 2296 wrote to memory of 2452	2296	20f0c29b9cee60d6a40a0bfc2a942d11.exe	29
PID 2296 wrote to memory of 2452	2296	20f0c29b9cee60d6a40a0bfc2a942d11.exe	29
PID 2296 wrote to memory of 2452	2296	20f0c29b9cee60d6a40a0bfc2a942d11.exe	29
PID 2296 wrote to memory of 2452	2296	20f0c29b9cee60d6a40a0bfc2a942d11.exe	29
PID 2296 wrote to memory of 2452	2296	20f0c29b9cee60d6a40a0bfc2a942d11.exe	29
PID 2296 wrote to memory of 2452	2296	20f0c29b9cee60d6a40a0bfc2a942d11.exe	29
PID 2296 wrote to memory of 2452	2296	20f0c29b9cee60d6a40a0bfc2a942d11.exe	29
PID 2296 wrote to memory of 2452	2296	20f0c29b9cee60d6a40a0bfc2a942d11.exe	29

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1580

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1196
- C:\Users\Admin\AppData\Local\Temp\20f0c29b9cee60d6a40a0bfc2a942d11.exe
  "C:\Users\Admin\AppData\Local\Temp\20f0c29b9cee60d6a40a0bfc2a942d11.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Users\Admin\AppData\Roaming\Seiqvu\ebsaum.exe
    "C:\Users\Admin\AppData\Roaming\Seiqvu\ebsaum.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:1976
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp75ded9be.bat"
    3⤵
    - Deletes itself
    PID:2452

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1140

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Seiqvu\ebsaum.exe

Filesize
414KB

MD5
6f100e414620823fabd32b2f6c12294d

SHA1
6088b10f2dcfc70c373740477dfc0feabb9da87e

SHA256
a1f864471a444c675845ff2ff43289fff31803534d98d585cd00a9e3d8fd16b9

SHA512
d4ac533ba2ac6dd4f4ef6c3863f1ab15ddd6e8f4ce5985823cfae789c76d64f83e7e360f1d61565151aeb4dfdbb11b0fbe91e7a81c6100425d3cdfe92bfca048

Download Submit
memory/1076-21-0x0000000001F20000-0x0000000001F6C000-memory.dmp

Filesize
304KB

Download
memory/1076-20-0x0000000001F20000-0x0000000001F6C000-memory.dmp

Filesize
304KB

Download
memory/1076-16-0x0000000001F20000-0x0000000001F6C000-memory.dmp

Filesize
304KB

Download
memory/1076-17-0x0000000001F20000-0x0000000001F6C000-memory.dmp

Filesize
304KB

Download
memory/1076-19-0x0000000001F20000-0x0000000001F6C000-memory.dmp

Filesize
304KB

Download
memory/1140-30-0x00000000001B0000-0x00000000001FC000-memory.dmp

Filesize
304KB

Download
memory/1140-28-0x00000000001B0000-0x00000000001FC000-memory.dmp

Filesize
304KB

Download
memory/1140-26-0x00000000001B0000-0x00000000001FC000-memory.dmp

Filesize
304KB

Download
memory/1140-24-0x00000000001B0000-0x00000000001FC000-memory.dmp

Filesize
304KB

Download
memory/1196-36-0x00000000024C0000-0x000000000250C000-memory.dmp

Filesize
304KB

Download
memory/1196-33-0x00000000024C0000-0x000000000250C000-memory.dmp

Filesize
304KB

Download
memory/1196-34-0x00000000024C0000-0x000000000250C000-memory.dmp

Filesize
304KB

Download
memory/1196-35-0x00000000024C0000-0x000000000250C000-memory.dmp

Filesize
304KB

Download
memory/1580-38-0x0000000001B90000-0x0000000001BDC000-memory.dmp

Filesize
304KB

Download
memory/1580-40-0x0000000001B90000-0x0000000001BDC000-memory.dmp

Filesize
304KB

Download
memory/1580-41-0x0000000001B90000-0x0000000001BDC000-memory.dmp

Filesize
304KB

Download
memory/1580-39-0x0000000001B90000-0x0000000001BDC000-memory.dmp

Filesize
304KB

Download
memory/1976-18-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1976-15-0x0000000000350000-0x000000000039C000-memory.dmp

Filesize
304KB

Download
memory/1976-227-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2296-148-0x0000000001E20000-0x0000000001E6C000-memory.dmp

Filesize
304KB

Download
memory/2296-43-0x0000000001E20000-0x0000000001E6C000-memory.dmp

Filesize
304KB

Download
memory/2296-72-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2296-70-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2296-68-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2296-66-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2296-64-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2296-62-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2296-60-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2296-58-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2296-52-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2296-50-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2296-48-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2296-47-0x0000000001E20000-0x0000000001E6C000-memory.dmp

Filesize
304KB

Download
memory/2296-46-0x0000000001E20000-0x0000000001E6C000-memory.dmp

Filesize
304KB

Download
memory/2296-45-0x0000000001E20000-0x0000000001E6C000-memory.dmp

Filesize
304KB

Download
memory/2296-44-0x0000000001E20000-0x0000000001E6C000-memory.dmp

Filesize
304KB

Download
memory/2296-74-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2296-76-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2296-146-0x0000000001BE0000-0x0000000001C2C000-memory.dmp

Filesize
304KB

Download
memory/2296-147-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2296-1-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2296-2-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2296-3-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2296-4-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2296-0-0x0000000001BE0000-0x0000000001C2C000-memory.dmp

Filesize
304KB

Download
memory/2296-78-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2296-80-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2296-134-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2296-55-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2296-56-0x00000000772A0000-0x00000000772A1000-memory.dmp

Filesize
4KB

Download
memory/2296-54-0x0000000001E20000-0x0000000001E6C000-memory.dmp

Filesize
304KB

Download
memory/2452-150-0x0000000000050000-0x000000000009C000-memory.dmp

Filesize
304KB

Download
memory/2452-206-0x00000000772A0000-0x00000000772A1000-memory.dmp

Filesize
4KB

Download
memory/2452-224-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2452-226-0x0000000000050000-0x000000000009C000-memory.dmp

Filesize
304KB

Download