e0de2bf7ad756a7b789a65d240b5959010d1939c3bf539a9b44e80a6e94e3d06

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
09/01/2024, 04:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d48a33cf2f03f6cd60e1b12c030c988.exe
Size

239KB
MD5

4d48a33cf2f03f6cd60e1b12c030c988
SHA1

24234fc890d9445f0b09148d93f19a76780c539e
SHA256

e0de2bf7ad756a7b789a65d240b5959010d1939c3bf539a9b44e80a6e94e3d06
SHA512

231c1d9cf3852709696b754476ec74f69935c1f271c9435f5da086f1d807b07635f3c0291e27e45f164cb8a872a6ea204f6d2b5a658a98bd4ee2e828aad9693a
SSDEEP

6144:yxR68/5lVxIMAGLXnul89Mh5rp8x9u4mJgoUe3Ie43YP:ylBlHtAM+cM7q3uFIelP

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2672	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2440	RemoteAxbc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2440 set thread context of 2776	2440	RemoteAxbc.exe	31

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\RemoteAxbc.exe	4d48a33cf2f03f6cd60e1b12c030c988.exe
File opened for modification	C:\Windows\RemoteAxbc.exe	4d48a33cf2f03f6cd60e1b12c030c988.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 2776	2440	RemoteAxbc.exe	31
PID 2440 wrote to memory of 2776	2440	RemoteAxbc.exe	31
PID 2440 wrote to memory of 2776	2440	RemoteAxbc.exe	31
PID 2440 wrote to memory of 2776	2440	RemoteAxbc.exe	31
PID 2440 wrote to memory of 2776	2440	RemoteAxbc.exe	31
PID 2440 wrote to memory of 2776	2440	RemoteAxbc.exe	31
PID 1672 wrote to memory of 2672	1672	4d48a33cf2f03f6cd60e1b12c030c988.exe	30
PID 1672 wrote to memory of 2672	1672	4d48a33cf2f03f6cd60e1b12c030c988.exe	30
PID 1672 wrote to memory of 2672	1672	4d48a33cf2f03f6cd60e1b12c030c988.exe	30
PID 1672 wrote to memory of 2672	1672	4d48a33cf2f03f6cd60e1b12c030c988.exe	30

C:\Users\Admin\AppData\Local\Temp\4d48a33cf2f03f6cd60e1b12c030c988.exe
"C:\Users\Admin\AppData\Local\Temp\4d48a33cf2f03f6cd60e1b12c030c988.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\8290.bat
  2⤵
  - Deletes itself
  PID:2672

C:\Windows\RemoteAxbc.exe
C:\Windows\RemoteAxbc.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" 60928
  2⤵
  PID:2776

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8290.bat

Filesize
190B

MD5
d613741e654b65b68bfb183904124e8d

SHA1
9f08634d801ff3c09d6de97d343d8d1b8bb9d4b5

SHA256
50bb0a019cd11dabf855b86dd9ab6d497c9d96a02f7ee37e5316c017b3ace524

SHA512
5d615707106a148b9b62544038c80b58e3b8d5486e2756da7fc9307fa1b34d9bedf7aa25b34930ceb49109229b37bf17a404df5bc21d3506b24f56f6a8232518

Download Submit
C:\Windows\RemoteAxbc.exe

Filesize
99KB

MD5
244e5ef1f45baaeff49dbd94fd89693f

SHA1
b4351d59d067803d9f6caa576f5b06e65a8b6121

SHA256
ee0baaf35f1e8d315e850eace732ea247f17c08a6ae15f387a9991207c0ed6c8

SHA512
00bd18b800e6ff011ea5b9640157083795ba74d450386cd8d0c9cd12404300489615cc9dbe912e80c2447db78af44572e6d4c737ab863cae6dcc3921d0a1b9ce

Download Submit
C:\Windows\RemoteAxbc.exe

Filesize
52KB

MD5
1761c021384ac018549b262e9a2f2867

SHA1
2c360ebe2a695f6d0a6a8b7cd0b119637c44894c

SHA256
b6d2116cdc453d0cb120802a2750153522bca1c397317805348b2041bde1dccf

SHA512
298ac2be11ecf8253413efe5543f87ab918fd6a288478811b5b1810e7e2a5d0d70ad1540fc7ebaabe8a72e305ff6cb0adc15b8b305b454c0f50f06cbc9f91ec0

Download Submit
memory/1672-0-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/1672-1-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1672-2-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1672-17-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/2440-5-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/2440-7-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2440-6-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2440-19-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/2776-15-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download