6dc67e911889b91fe2c5a58b719193b90b8f491997e1a89b58f06495d1908091

Analysis

max time kernel
9s
max time network
149s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 01:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

239918b0fbfe3c0533efeabe3ab38e80.exe
Size

110KB
MD5

239918b0fbfe3c0533efeabe3ab38e80
SHA1

2e4888fcc5e3f4d536e4408e4147c2b123b5c5f9
SHA256

6dc67e911889b91fe2c5a58b719193b90b8f491997e1a89b58f06495d1908091
SHA512

5fcafe79a57c0d6bce66bd95de8482749ae9ae198a2afc0302cb93e8a12dccc51f5fd468ae3adf3daec99c96782c110df3a82f2bb30dbe031c72c89632db68ad
SSDEEP

1536:33KwIU4VH7qfUKU5nY2RduEw5miXdOxBguYm4goGHxyBw8JG3d0o7cLy1eK/y+7H:ZIUKZE2buEwAOYxBGndGHxd/Hx1zaoB

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2740	svchosts.exe

Loads dropped DLL 5 IoCs

pid	Process
2288	239918b0fbfe3c0533efeabe3ab38e80.exe
2740	svchosts.exe
2740	svchosts.exe
2740	svchosts.exe
2740	svchosts.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\inf\sppdcrs080524.scr	239918b0fbfe3c0533efeabe3ab38e80.exe
File created	C:\Windows\SysWOW64\mdbbccasys32_080524.dll	239918b0fbfe3c0533efeabe3ab38e80.exe
File created	C:\Windows\SysWOW64\inf\scsys16_080524.dll	239918b0fbfe3c0533efeabe3ab38e80.exe
File created	C:\Windows\SysWOW64\lwfdfia16_080524.dll	239918b0fbfe3c0533efeabe3ab38e80.exe
File created	C:\Windows\SysWOW64\inf\svchosts.exe	239918b0fbfe3c0533efeabe3ab38e80.exe
File opened for modification	C:\Windows\SysWOW64\inf\svchosts.exe	239918b0fbfe3c0533efeabe3ab38e80.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\pwisys.ini	239918b0fbfe3c0533efeabe3ab38e80.exe
File created	C:\Windows\system\sgcxcxxaspf080524.exe	239918b0fbfe3c0533efeabe3ab38e80.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2288	239918b0fbfe3c0533efeabe3ab38e80.exe
2288	239918b0fbfe3c0533efeabe3ab38e80.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2288	239918b0fbfe3c0533efeabe3ab38e80.exe
Token: SeDebugPrivilege	2288	239918b0fbfe3c0533efeabe3ab38e80.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2288 wrote to memory of 2740	2288	239918b0fbfe3c0533efeabe3ab38e80.exe	28
PID 2288 wrote to memory of 2740	2288	239918b0fbfe3c0533efeabe3ab38e80.exe	28
PID 2288 wrote to memory of 2740	2288	239918b0fbfe3c0533efeabe3ab38e80.exe	28
PID 2288 wrote to memory of 2740	2288	239918b0fbfe3c0533efeabe3ab38e80.exe	28

C:\Users\Admin\AppData\Local\Temp\239918b0fbfe3c0533efeabe3ab38e80.exe
"C:\Users\Admin\AppData\Local\Temp\239918b0fbfe3c0533efeabe3ab38e80.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Windows\SysWOW64\inf\svchosts.exe
  "C:\Windows\system32\inf\svchosts.exe" C:\Windows\system32\lwfdfia16_080524.dll tanlt88
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2740
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "c:\mylstecj.bat"
    3⤵
    PID:2564
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "c:\mylstecj.bat"
    3⤵
    PID:744

C:\Windows\system\sgcxcxxaspf080524.exe
"C:\Windows\system\sgcxcxxaspf080524.exe" i
1⤵
PID:1600

C:\Windows\system\sgcxcxxaspf080524.exe
"C:\Windows\system\sgcxcxxaspf080524.exe" i
1⤵
PID:588
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:644
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:644 CREDAT:275457 /prefetch:2
    3⤵
    PID:1116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab4EED.tmp

Filesize
30KB

MD5
c200a0fea36f5479cdc079cceddccb73

SHA1
b83524b7710c6977cfceac7682dfe9587c74ccd8

SHA256
f0a86acef928c2273ec03806dab425f3ad0b6c9bd363c9318937e15da7191727

SHA512
a51b72d18d88b62b5dc5a6478bdd10ca77e90c5961c5f10d4f7a56aacdc895bb30fe0ee889a14cf00171c4a0556691c66115793301bd41de0e0e6fb95b8a9cb1

Download Submit
C:\Windows\SysWOW64\inf\svchosts.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
C:\Windows\pwisys.ini

Filesize
414B

MD5
fd083048a8cec89d237918e92f96784e

SHA1
104b23a9943cd2f74eabd5e8df0628d246c3857f

SHA256
1513fedb387080f469c025922c6b2b2e9c8a06069b56faa311e899d6ebb1b755

SHA512
ce6ebc8a60fee5562f2e8f82123af849520e082bdd788f0ea6d132dfa4d60ddde417dab60134ed9d5065936e6ef9cb25cf09e89901acb2cd16e9f4bdde03a12d

Download Submit
C:\Windows\pwisys.ini

Filesize
447B

MD5
675bd5b520aaa08937d253dc723aeb5b

SHA1
504c830583b1578a21d5e3c2d471a5153e31b5a7

SHA256
4f31953ecc05911304a0066704ac809af295be182ecba756581d57658d86e223

SHA512
04943b51f2172218b7516c186035fe5fd8cf56499f3840bad8fa94aabd8f542abd18cd811d0efbcd4692b5cde4871df1e4e97cb59443798db904a23f22d7c560

Download Submit
C:\Windows\pwisys.ini

Filesize
474B

MD5
302be3a990605e6d14c40c48aa3a1e61

SHA1
13a62d3e71c0924d6a744e29200e57f123b3d29e

SHA256
90f6239be767aacf277b595bbe0627854be7d8a3675310493f342870178f3576

SHA512
a48c9ab67e58123e308854a91f82c0cfeb7a958647caad9f4714bc29b589dbebb2021e423482910d2cafc4ce561648cbdf3b24011da536518735ec835adeeebb

Download Submit
C:\Windows\system\sgcxcxxaspf080524.exe

Filesize
7KB

MD5
1cbab10d3fdbeebf33edfac61d31f96f

SHA1
5c267e51820622ca1bf351d3b8a21880917f3c22

SHA256
19f38ae5b5dd270152e77ffe1eb2bb1670c14c0cd8d5fb2e25e8951091269c61

SHA512
e461de7d47cd1e69e3bbee218b1b8bbcf4941d4f797d05b34b9a3a135a8eee2f1b18e309369f85d2a515366e26a4a4479b1460e7b6c16c131a72be136eeede99

Download Submit
\??\c:\mylstecj.bat

Filesize
53B

MD5
eb2f5dc6301407527c05e3d4353b0f0c

SHA1
bc555d826341ab4b5b4704e3276e195325317b6d

SHA256
d5348c5dcb991966a942758a8234ab6445c4a687d347095b1382b4fa1f2f534c

SHA512
5c58e5f8c97394350d3da6607792707716cd2dc7196eabdd18a6172f572a0722a08d042ed2d1846dc212cdf085724ef4f28e7786c12e8c2347b1b30c0794624d

Download Submit
\Windows\SysWOW64\lwfdfia16_080524.dll

Filesize
30KB

MD5
513706bb78cc32b4b66f990f7f8bfb7c

SHA1
d4cd418910d6836fda76b98ae05a4a50cdc3486a

SHA256
d50abd3c754ecff4f6ead59a9ce8a9eeef4e98b74085c1d12d04dc5f46f13ff8

SHA512
a95c2a77d2feddef52393f07c092ee13c8938a67f52cafbd580a78fc403f6edcb79837022a583facace06f78d0d1c99634ae4da8f849bb9bd7d154fd0cce3205

Download Submit
\Windows\SysWOW64\lwfdfia16_080524.dll

Filesize
11KB

MD5
c982dad06a61d0ca82cc72f6a4286965

SHA1
2e285b6da81af87dd66136e452c4914219b5dd96

SHA256
d298153010e78862c5143bc7cfbc42f5e0651c522e511a5c15ef9d5d906a6f18

SHA512
2ba34bdb6de870208e5ccd9b50dc3d865cc4a8a4d6c9299e70ce911252b6882e4a0217ba4c22f77aa8f4356a79f404ae000406170823b273703b441801e06a76

Download Submit
\Windows\system\sgcxcxxaspf080524.exe

Filesize
5KB

MD5
958f77bbf145630e258cc6f2c8de2535

SHA1
4882aafa1c3b472c9c301ae80b3e064929faa5bc

SHA256
ea80791cd6cdd1b0cde3b2286cac26a190df1084bd7e8662dde25a850eae8676

SHA512
a024a5930ee27d8ae12b150421db95fc0aae53e7061c6bdce0142c40af891f005a72e19c9d2a553d858ec44aad2c2bf3f828d4241c51a318446d51e5575f6f95

Download Submit
memory/2740-70-0x00000000001A0000-0x00000000001AE000-memory.dmp

Filesize
56KB

Download
memory/2740-78-0x00000000001A0000-0x00000000001AE000-memory.dmp

Filesize
56KB

Download
memory/2740-95-0x00000000001A0000-0x00000000001AE000-memory.dmp

Filesize
56KB

Download
memory/2740-52-0x00000000001A0000-0x00000000001AE000-memory.dmp

Filesize
56KB

Download