56b4f307126f78e16ac2ad2e4044de61cb207864bf194ba6702108cb65475369

Analysis

max time kernel
148s
max time network
155s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
08/01/2024, 20:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BayROB.exe
Size

503KB
MD5

8bc0446144142c51570da1920f2da8c1
SHA1

83c1b3ed58693f9ce5cbb710a709f23e65bff10a
SHA256

56b4f307126f78e16ac2ad2e4044de61cb207864bf194ba6702108cb65475369
SHA512

f7b747153611e183fafda84655fa4770dc6e86549484adabb88ff61b09dacc681e1696450134194323aee103e56a2931736a55f02db4afa51600df10722c9ade
SSDEEP

12288:TkREw6Rd3R2RtnRjjErWlQfNT3Dc8mLpp:Ikd3qnRXHlO53Dc8Q

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2400	rtg4ag5p8mbqoy5rffi.exe
2824	feyrckaqunib.exe
2680	zpneeqf.exe

Loads dropped DLL 6 IoCs

pid	Process
1964	BayROB.exe
1964	BayROB.exe
2400	rtg4ag5p8mbqoy5rffi.exe
2400	rtg4ag5p8mbqoy5rffi.exe
2824	feyrckaqunib.exe
2824	feyrckaqunib.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\dtwpxdpbhazfxll\mgdxjexf	zpneeqf.exe
File created	C:\Windows\dtwpxdpbhazfxll\mgdxjexf	BayROB.exe
File created	C:\Windows\dtwpxdpbhazfxll\mgdxjexf	rtg4ag5p8mbqoy5rffi.exe
File created	C:\Windows\dtwpxdpbhazfxll\mgdxjexf	feyrckaqunib.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2824	feyrckaqunib.exe
2680	zpneeqf.exe
2680	zpneeqf.exe
2680	zpneeqf.exe
2680	zpneeqf.exe
2680	zpneeqf.exe
2680	zpneeqf.exe
2680	zpneeqf.exe
2680	zpneeqf.exe
2680	zpneeqf.exe
2680	zpneeqf.exe
2680	zpneeqf.exe
2680	zpneeqf.exe
2680	zpneeqf.exe
2680	zpneeqf.exe
2680	zpneeqf.exe
2680	zpneeqf.exe
2680	zpneeqf.exe
2680	zpneeqf.exe
2680	zpneeqf.exe
2680	zpneeqf.exe
2680	zpneeqf.exe
2680	zpneeqf.exe
2680	zpneeqf.exe
2680	zpneeqf.exe
2680	zpneeqf.exe
2680	zpneeqf.exe
2680	zpneeqf.exe
2680	zpneeqf.exe
2680	zpneeqf.exe
2680	zpneeqf.exe
2680	zpneeqf.exe
2680	zpneeqf.exe
2680	zpneeqf.exe
2680	zpneeqf.exe
2680	zpneeqf.exe
2680	zpneeqf.exe
2680	zpneeqf.exe
2680	zpneeqf.exe
2680	zpneeqf.exe
2680	zpneeqf.exe
2680	zpneeqf.exe
2680	zpneeqf.exe
2680	zpneeqf.exe
2680	zpneeqf.exe
2680	zpneeqf.exe
2680	zpneeqf.exe
2680	zpneeqf.exe
2680	zpneeqf.exe
2680	zpneeqf.exe
2680	zpneeqf.exe
2680	zpneeqf.exe
2680	zpneeqf.exe
2680	zpneeqf.exe
2680	zpneeqf.exe
2680	zpneeqf.exe
2680	zpneeqf.exe
2680	zpneeqf.exe
2680	zpneeqf.exe
2680	zpneeqf.exe
2680	zpneeqf.exe
2680	zpneeqf.exe
2680	zpneeqf.exe
2680	zpneeqf.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 2400	1964	BayROB.exe	16
PID 1964 wrote to memory of 2400	1964	BayROB.exe	16
PID 1964 wrote to memory of 2400	1964	BayROB.exe	16
PID 1964 wrote to memory of 2400	1964	BayROB.exe	16
PID 2400 wrote to memory of 2824	2400	rtg4ag5p8mbqoy5rffi.exe	30
PID 2400 wrote to memory of 2824	2400	rtg4ag5p8mbqoy5rffi.exe	30
PID 2400 wrote to memory of 2824	2400	rtg4ag5p8mbqoy5rffi.exe	30
PID 2400 wrote to memory of 2824	2400	rtg4ag5p8mbqoy5rffi.exe	30
PID 2824 wrote to memory of 2680	2824	feyrckaqunib.exe	29
PID 2824 wrote to memory of 2680	2824	feyrckaqunib.exe	29
PID 2824 wrote to memory of 2680	2824	feyrckaqunib.exe	29
PID 2824 wrote to memory of 2680	2824	feyrckaqunib.exe	29

C:\Users\Admin\AppData\Local\Temp\BayROB.exe
"C:\Users\Admin\AppData\Local\Temp\BayROB.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1964
- C:\dtwpxdpbhazfxll\rtg4ag5p8mbqoy5rffi.exe
  "C:\dtwpxdpbhazfxll\rtg4ag5p8mbqoy5rffi.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\dtwpxdpbhazfxll\feyrckaqunib.exe
    "C:\dtwpxdpbhazfxll\feyrckaqunib.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2824

C:\dtwpxdpbhazfxll\zpneeqf.exe
brpxpubz2l6g "c:\dtwpxdpbhazfxll\feyrckaqunib.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2680

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\dtwpxdpbhazfxll\mgdxjexf

Filesize
11B

MD5
47a16e63ff033d80e2e74712e2fa15aa

SHA1
7c1c8bdb1ce9d56f2f8f65293dcdb5bc610e5c8b

SHA256
cb162ee43011685063f57ef2ed7b7fd997e45121413a569a724d4eb0d38d13bc

SHA512
296e6770418461e09c18bb11e3706268c5008d9efbbacdb7d8370c3853916efd55e1e8a1a3b70fefb244efcaab1e7368f8d3ee0292347b4e3ca9e02e5f7bc6a4

Download Submit
C:\dtwpxdpbhazfxll\rtg4ag5p8mbqoy5rffi.exe

Filesize
13KB

MD5
e3f63e5997ebd0a8184200f12cdebb68

SHA1
1409b2e5fe1c51af5b217676a6518c493fac4f14

SHA256
89ceface9508f188fabd8cb7fef944ee8add9c9d7ee7644168248b1d386f428e

SHA512
af9f13f75ad802b2b71aab76b576a80b7cafe81da6836f8f57e3983ad65180f3939dbe35d180ba5b18470891c944a3d3624552abc0e47fdb17f46f2b645015f5

Download Submit
C:\dtwpxdpbhazfxll\rtg4ag5p8mbqoy5rffi.exe

Filesize
10KB

MD5
8a2eec02c7f5290118ee07f722ad5630

SHA1
8fbc9cd0770343247d6d6f38a134ebe90f5ccfc6

SHA256
14526e5818676d0bd1186f50c050e0c8071930cad269ac7df5859477e0868c7f

SHA512
da245771fc06c989d6d5123760ff6f82830c15569d87dac9867351de813517f4301c99365cad4080624932b7788aaf39da18228f25bdc64005288af6e2e7fa21

Download Submit
\??\c:\dtwpxdpbhazfxll\rtg4ag5p8mbqoy5rffi.exe

Filesize
15KB

MD5
dea2b745e57ce7c086073cd974669639

SHA1
a6684e789eb92522f561772e54c90d53713308cc

SHA256
667223d06b200a345409bedd8a2c4590bf3550251f58da958198f0620d96cbd2

SHA512
fb6bfebcc2771c1b1ca9522d4e56dc5b2d5a6d47fd9bf49de7c8bf18fdbce9f81538d071e16075f32335160dccb310aeb955b42f1e1a941a0551a010a67aa80f

Download Submit
\dtwpxdpbhazfxll\rtg4ag5p8mbqoy5rffi.exe

Filesize
1KB

MD5
9275a85b00e743912be3aef3e6531651

SHA1
f21fad586dcaae35d8377537d536587affe4914d

SHA256
78d219f51c1d4db0a356aabcd0ceb7a195d923e7cc977b448fa5e13191e3dbe5

SHA512
c333076cf2c7e4ce066ae0b2dafdafaefd9efaca4054913c03d0911e0358f6dfd8f32214654bb03daefdfba4f4ac001eb27edb006ed3bdcc77b302d4167f26f9

Download Submit
\dtwpxdpbhazfxll\rtg4ag5p8mbqoy5rffi.exe

Filesize
17KB

MD5
71f02a8999c2332415b613d1ad13c845

SHA1
7979a5a3173ed0850c2b025d53b35fb59ffdc43a

SHA256
bf330cc453e67f1341748c5474b4e7bac0ec8c1e5f5317e83db23ea0ce0596ef

SHA512
40c1a92641f6ca8d6ed0967cf9e31ea08552dc72eb6e99ef42e50f4bf1e7ac25dbadc6b4e4e55fec9d78065967a990d5f8aa71712826fd6aac9d7311372d1930

Download Submit