8aeff21be87edb12c6d81caf8b905f4bc3164984973e265baee52d513d780748

Analysis

max time kernel
151s
max time network
130s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01/01/2024, 02:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3bb64eba8440f3225d2cfd833402cb30.exe
Size

291KB
MD5

3bb64eba8440f3225d2cfd833402cb30
SHA1

72d1b353926807ce0eb0522c191dd7c60cc2bd81
SHA256

8aeff21be87edb12c6d81caf8b905f4bc3164984973e265baee52d513d780748
SHA512

4b69b7a36ed6a600245e25e53f8617fe7a38d3363b462dcf7a7c1b66d006a50bcf95df16b9502d135b7068979f7650b81e72f819a1d74f1376247d2761a0da3b
SSDEEP

6144:JGK94QZVcjSIXT6JRoar658ZI7arNhReT3MLV+TJQ:4K95Vcjbr5SlrNhReTy3

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2848	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
1916	3bb64eba8440f3225d2cfd833402cb30.exe
1916	3bb64eba8440f3225d2cfd833402cb30.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemHost = "C:\\Windows\\Temp\\svchost.exe"	3bb64eba8440f3225d2cfd833402cb30.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2848	svchost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 2848	1916	3bb64eba8440f3225d2cfd833402cb30.exe	19
PID 1916 wrote to memory of 2848	1916	3bb64eba8440f3225d2cfd833402cb30.exe	19
PID 1916 wrote to memory of 2848	1916	3bb64eba8440f3225d2cfd833402cb30.exe	19
PID 1916 wrote to memory of 2848	1916	3bb64eba8440f3225d2cfd833402cb30.exe	19

C:\Users\Admin\AppData\Local\Temp\3bb64eba8440f3225d2cfd833402cb30.exe
"C:\Users\Admin\AppData\Local\Temp\3bb64eba8440f3225d2cfd833402cb30.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Windows\Temp\svchost.exe
  C:\Windows\Temp\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\svchost.exe

Filesize
8KB

MD5
0205fb40d1c08ea902928d42aa9e30a4

SHA1
0343e8ddffa36b282be742b40a48a3e9828b781c

SHA256
3ba80640720801d8c1a9ee5d4c7e703cd7c7790e6441f3e0d8d4f762c8fe0140

SHA512
e93cc7eed11872ade1d003466c077b2f4a4d681d39b722728c786ab5c6ed414d459cf55e3f3a6f402451f231590398189113c11ed100b1d4ab15f15382351283

Download Submit
\Windows\Temp\svchost.exe

Filesize
21KB

MD5
b914a9c5cf5c97540d9b544ffcc9099a

SHA1
ce43789d5d793c74c287d18c5447685433adca0e

SHA256
93c1f915b24653b3d9b1c02eab83f2612d2e1ceb43a1a0e27738830727221175

SHA512
3b71aff5db3e114fca1a9c9ac3a54e9633b2521c7c9e0993bc9c8d913c9c8b87a7fd709d478769f751f538beda033d0df86427715872e16f8f5dd4edbf5b7d9d

Download Submit
\Windows\Temp\svchost.exe

Filesize
8KB

MD5
38c35ef7ae741448298e700943a141de

SHA1
7ea5020726a7a755f437481a7cb50524bb0eabd5

SHA256
4f37dc6293908df52fbfe296612b0c83995f9463538a5d0ad7c4ac0a9129b54a

SHA512
f365535bd1a5e20d418eb56051a5aea87eb5deaac34e56cb88032ab749cea96ed2acfff32840e08141538076315eef329fbec19950e6326a16c0aebbaa77cd18

Download Submit
memory/1916-9-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2848-15-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2848-17-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2848-12-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2848-13-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2848-14-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2848-10-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2848-16-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2848-11-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2848-18-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2848-19-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2848-20-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2848-21-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2848-22-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2848-23-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2848-24-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads