33dacf3f2f676d2c983c1599a2a98bf008afce4fa0903c7ab6850d60d3ea0a77

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04-01-2024 18:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41a90d367a0c733d4bb077533e2ec986.exe
Size

308KB
MD5

41a90d367a0c733d4bb077533e2ec986
SHA1

6094a4d670ede89f62661eac1c992baa34f908f5
SHA256

33dacf3f2f676d2c983c1599a2a98bf008afce4fa0903c7ab6850d60d3ea0a77
SHA512

79b118db7989ad96bb942c0e7d7b590f897623f2bf90a81762afeb5aeba594e276e8d24c9efdfdad46ac07460cf5e8a30ba23edd374347335a64d46e3a1c8ed1
SSDEEP

3072:hhsXctIZgoekv2xxlbD5F+yU8aB1Jzy7ZcPqJdPfg:hhsXOIUkvkf5u8aMAqTPY

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1760	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2532	vxiimh.exe

Loads dropped DLL 2 IoCs

pid	Process
1760	cmd.exe
1760	cmd.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2992	PING.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1352 wrote to memory of 1760	1352	41a90d367a0c733d4bb077533e2ec986.exe	28
PID 1352 wrote to memory of 1760	1352	41a90d367a0c733d4bb077533e2ec986.exe	28
PID 1352 wrote to memory of 1760	1352	41a90d367a0c733d4bb077533e2ec986.exe	28
PID 1352 wrote to memory of 1760	1352	41a90d367a0c733d4bb077533e2ec986.exe	28
PID 1760 wrote to memory of 2532	1760	cmd.exe	30
PID 1760 wrote to memory of 2532	1760	cmd.exe	30
PID 1760 wrote to memory of 2532	1760	cmd.exe	30
PID 1760 wrote to memory of 2532	1760	cmd.exe	30
PID 1760 wrote to memory of 2992	1760	cmd.exe	31
PID 1760 wrote to memory of 2992	1760	cmd.exe	31
PID 1760 wrote to memory of 2992	1760	cmd.exe	31
PID 1760 wrote to memory of 2992	1760	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\41a90d367a0c733d4bb077533e2ec986.exe
"C:\Users\Admin\AppData\Local\Temp\41a90d367a0c733d4bb077533e2ec986.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\jbuohil.bat
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1760
- - C:\Users\Admin\AppData\Local\Temp\vxiimh.exe
    "C:\Users\Admin\AppData\Local\Temp\vxiimh.exe"
    3⤵
    - Executes dropped EXE
    PID:2532
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\jbuohil.bat

Filesize
124B

MD5
e6b18dc845d9264e14d4b329cf473316

SHA1
61e2cb54ce70a5bb7b19ce61f6ab758569d8f23f

SHA256
e5dc687bc7ac51c9551ce96fc3ac90e6e5e6a6a67d557dd309fbc189e9988b4a

SHA512
bea37db53a2e84725edcba65bea80e92793397cf709e85a65361869ffa599765b69b026c75d4fe956c4580904b97d0d0f2804a3a87d443de407247b7c312c347

Download Submit
C:\Users\Admin\AppData\Local\Temp\lxpoje.bat

Filesize
156B

MD5
ddcf5e2fd6cdd5e72859e8c94962e0a3

SHA1
899336d7c4d65850a23ee04211ba4d55c9c58e89

SHA256
fa913f077db1d51eb40ea271418cca66db559ca7c7522f071f180d3f7f50be8b

SHA512
b21fa6400587177535f92c0bf0c6930bdb72bc8bb56dd167873abb18a58a081f738e9eeb067b666b7cbc76724d13163fbabb4c423c7ce5096d90587dde956d8d

Download Submit
\Users\Admin\AppData\Local\Temp\vxiimh.exe

Filesize
184KB

MD5
fd8756f3d98e6866266fc5897ab54c2a

SHA1
acd855de70c94c3552f96d769ab529de14837064

SHA256
6b959773178b3e4e5350f91fd671577cf639da42ea77f624403d928cd421324d

SHA512
2fe3f84328033cb080d2c960604dc83305c20c3aede5e11f6635f362c2c1b8c58c74629c8e2e64682f56a003495c68882b869498ce21ff019c5629c38661fd39

Download Submit