cc01b1e9f6bd47963c3fca0edb9e9d401563565acf8b8f69ab4b89f0b04db746

Analysis

max time kernel
2s
max time network
154s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01/01/2024, 09:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06843b08048a39e13172f76532a09b8a.exe
Size

83KB
MD5

06843b08048a39e13172f76532a09b8a
SHA1

881fcca09dcf4f95d62431cc64dc7418a7138f21
SHA256

cc01b1e9f6bd47963c3fca0edb9e9d401563565acf8b8f69ab4b89f0b04db746
SHA512

50e9dca0f09dc0440dedb534c12bcff252646a9e4c64088f798903d53abb4d5bb61c8e4f36cddbc105a165f7467f2c96d90efcfe847c43e95983da60082dcc67
SSDEEP

1536:ylAVv5BecCnHOZyYAhTMVg4I5NAhxZWgCGAeWJE/f/t6IHxRkWJi0erjsv4xeVA+:RB6OIYAhYS44NF0hLtFHxRkWJQrIQxeJ

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2260	xwusuhzh.exe

Loads dropped DLL 2 IoCs

pid	Process
2112	06843b08048a39e13172f76532a09b8a.exe
2112	06843b08048a39e13172f76532a09b8a.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2112-0-0x0000000000400000-0x0000000000622000-memory.dmp	upx
behavioral1/memory/2112-9-0x0000000003670000-0x0000000003892000-memory.dmp	upx
behavioral1/memory/2260-28-0x0000000000400000-0x0000000000622000-memory.dmp	upx
behavioral1/memory/2260-896-0x0000000000400000-0x0000000000622000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\xwusuhzh.exe	06843b08048a39e13172f76532a09b8a.exe
File opened for modification	C:\Windows\SysWOW64\xwusuhzh.exe	06843b08048a39e13172f76532a09b8a.exe
File opened for modification	C:\Windows\SysWOW64\hljwugsf.bin	06843b08048a39e13172f76532a09b8a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2112	06843b08048a39e13172f76532a09b8a.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 2260	2112	06843b08048a39e13172f76532a09b8a.exe	25
PID 2112 wrote to memory of 2260	2112	06843b08048a39e13172f76532a09b8a.exe	25
PID 2112 wrote to memory of 2260	2112	06843b08048a39e13172f76532a09b8a.exe	25
PID 2112 wrote to memory of 2260	2112	06843b08048a39e13172f76532a09b8a.exe	25
PID 2112 wrote to memory of 2836	2112	06843b08048a39e13172f76532a09b8a.exe	23
PID 2112 wrote to memory of 2836	2112	06843b08048a39e13172f76532a09b8a.exe	23
PID 2112 wrote to memory of 2836	2112	06843b08048a39e13172f76532a09b8a.exe	23
PID 2112 wrote to memory of 2836	2112	06843b08048a39e13172f76532a09b8a.exe	23

C:\Users\Admin\AppData\Local\Temp\06843b08048a39e13172f76532a09b8a.exe
"C:\Users\Admin\AppData\Local\Temp\06843b08048a39e13172f76532a09b8a.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://mycashloads.com/newuser.php?saff=
  2⤵
  PID:2836
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2836 CREDAT:275457 /prefetch:2
    3⤵
    PID:2976
- C:\Windows\SysWOW64\xwusuhzh.exe
  "C:\Windows\system32\xwusuhzh.exe" start
  2⤵
  - Executes dropped EXE
  PID:2260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b65dcc82185d70fc0adddf459d0017c1

SHA1
a5d32da764da2d21abbb1b2a48fa405fa8891379

SHA256
40b0d98b5d98b971993f2e5db7210f22dc82abb6f92f4eac5899ac8fcc9511b0

SHA512
1159339c9087138ff010330eae6b3e2d8ae57c4baba3a8c8a0b787cf9a8a5790ab4db191e9310ba7d3d73f967cb1356f3cbe06e91335e22ec133904ba56f7881

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
de25cbc053110fd46b80a5823f91b908

SHA1
66774fe40d79330fa21dca1101b24920e5f79eee

SHA256
4a16d17aacc51c8832e8f8b05bb8f05fc451a5371b1d3c8a2f4227fc43fa9983

SHA512
7868a948f41f90bc46ac9b1580aef5438b41c0e46df8836c4299ca57d68a3679ceb2c01b42820c80bf3298036273cee876ebb95ca2b40d76a640879349b78edb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fa8a51b30ac939873ff48801e088da07

SHA1
9bc61cdb9cf455409f01506113df802c5eee4e79

SHA256
f30ae5c71cc026634884335cf9490b8a3ca7203742df9dd7f732fa9fb7e4800c

SHA512
fd3bf920db064b5f026adb2f318adb229c3f6fed4c271acd259afddbf5940823012e749227a1e59f2012e5e9e04a31f7d77fb6f6faadcc8d3341f703386747a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7915d9ed94ba39b4effa75321dfa6a3e

SHA1
6d262e5187a359e05da1d545a7ce6a647d9bc3f9

SHA256
7deb9e28936da0ca28b1c82b2a9f912ec886a821a94ad2d6b64b83df8210492b

SHA512
593663c1e85497d569eafe73c5020ab1b9d4e8bdd80f600f096ed348834dfeadd33912dfef929d17b911c22f95ff3fbdd331356b3ea339830b46f8c771930a99

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
75987db47c91c414b70f0616467270ce

SHA1
d1859f2127a5a4dd6d96febffff8a86812f61769

SHA256
70724be9870b2f0725761c201f97d1ab765d52cbf0aeb4519668d2fdd180fb37

SHA512
c2af58419a52995d81be25ec36e90bb8341a610ad0a430658f182971351298e96f0f53508fa0191c85449a90034e153eeb24e6594af1d1e91bcf4b2edefa12ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
60cc6168c0b310e8ffe42bf7352c0b32

SHA1
a0e0b2824b20201f68f2421540d5c793a9741a5c

SHA256
7bbf57aebc7045e275fbd5351d4c995f2f7703fa7fda3d6ef46a4854ee3a6bb4

SHA512
658eb926ac4c986c84a4ee6479630d7f665aa4221847d48ba5f6bdbc7d710ed07b65ffbd4924a7ded001b1e563ba7512e8fbcf57d13677361c8785b81be7313b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8d739674333ac345a5266a93fd5f5533

SHA1
392a9c056e6d1be55a068807793eb4fdde60bdcc

SHA256
f35165bdb144c489e537a0550ae2abf97986a89d5175abb035541c510c71cb68

SHA512
cafef273563df0f2d8b67bb1f7842a5b760b6d36e58dcc129b45d7a7218763fb21120799ad961fd448d3c79300c32b32a8458558c4d805bd174a455e39e03e0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCC16.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD7A0.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
memory/2112-0-0x0000000000400000-0x0000000000622000-memory.dmp

Filesize
2.1MB

Download
memory/2112-7-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/2112-9-0x0000000003670000-0x0000000003892000-memory.dmp

Filesize
2.1MB

Download
memory/2112-16-0x0000000003670000-0x0000000003892000-memory.dmp

Filesize
2.1MB

Download
memory/2112-21-0x0000000000400000-0x0000000000622000-memory.dmp

Filesize
2.1MB

Download
memory/2112-23-0x0000000002860000-0x000000000286D000-memory.dmp

Filesize
52KB

Download
memory/2260-28-0x0000000000400000-0x0000000000622000-memory.dmp

Filesize
2.1MB

Download
memory/2260-461-0x0000000000400000-0x0000000000622000-memory.dmp

Filesize
2.1MB

Download
memory/2260-460-0x0000000000400000-0x0000000000622000-memory.dmp

Filesize
2.1MB

Download
memory/2260-459-0x0000000000400000-0x0000000000622000-memory.dmp

Filesize
2.1MB

Download
memory/2260-396-0x0000000000400000-0x0000000000622000-memory.dmp

Filesize
2.1MB

Download
memory/2260-29-0x0000000000400000-0x0000000000622000-memory.dmp

Filesize
2.1MB

Download
memory/2260-20-0x0000000000400000-0x0000000000622000-memory.dmp

Filesize
2.1MB

Download
memory/2260-786-0x0000000000400000-0x0000000000622000-memory.dmp

Filesize
2.1MB

Download
memory/2260-895-0x0000000000400000-0x0000000000622000-memory.dmp

Filesize
2.1MB

Download
memory/2260-896-0x0000000000400000-0x0000000000622000-memory.dmp

Filesize
2.1MB

Download
memory/2260-897-0x0000000000400000-0x0000000000622000-memory.dmp

Filesize
2.1MB

Download
memory/2260-898-0x0000000000400000-0x0000000000622000-memory.dmp

Filesize
2.1MB

Download
memory/2260-899-0x0000000000400000-0x0000000000622000-memory.dmp

Filesize
2.1MB

Download
memory/2260-900-0x0000000000400000-0x0000000000622000-memory.dmp

Filesize
2.1MB

Download
memory/2260-901-0x0000000000400000-0x0000000000622000-memory.dmp

Filesize
2.1MB

Download