47442c5eb7288045c7f563ae85be598ca5b23f28c3c5847e34427dcdf97702eb

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
11/01/2024, 17:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

541f15e3fba33c80185ea26d83a2965e.exe
Size

308KB
MD5

541f15e3fba33c80185ea26d83a2965e
SHA1

b7cbdb88a700ec602ce631d0ae7420b7d438e007
SHA256

47442c5eb7288045c7f563ae85be598ca5b23f28c3c5847e34427dcdf97702eb
SHA512

a242de3606bef0353d514ab536c69aee1430e72effefe371c20b77254415a6eb0151ce5261de4a7d0ec0e9c213404e1b6c6a78d184362bbe82a519d244f54450
SSDEEP

3072:sYMncAUg+goK24ecoNJKNNSf9cqNGqb4WG326a6FEBYR4udPfS:sYMnWg1yENNSl6qnGXtFE+R4cPa

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2024	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2204	yajbcb.exe

Loads dropped DLL 2 IoCs

pid	Process
2024	cmd.exe
2024	cmd.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2152	PING.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1716 wrote to memory of 2024	1716	541f15e3fba33c80185ea26d83a2965e.exe	17
PID 1716 wrote to memory of 2024	1716	541f15e3fba33c80185ea26d83a2965e.exe	17
PID 1716 wrote to memory of 2024	1716	541f15e3fba33c80185ea26d83a2965e.exe	17
PID 1716 wrote to memory of 2024	1716	541f15e3fba33c80185ea26d83a2965e.exe	17
PID 2024 wrote to memory of 2204	2024	cmd.exe	15
PID 2024 wrote to memory of 2204	2024	cmd.exe	15
PID 2024 wrote to memory of 2204	2024	cmd.exe	15
PID 2024 wrote to memory of 2204	2024	cmd.exe	15
PID 2024 wrote to memory of 2152	2024	cmd.exe	14
PID 2024 wrote to memory of 2152	2024	cmd.exe	14
PID 2024 wrote to memory of 2152	2024	cmd.exe	14
PID 2024 wrote to memory of 2152	2024	cmd.exe	14

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
1⤵
- Runs ping.exe
PID:2152

C:\Users\Admin\AppData\Local\Temp\yajbcb.exe
"C:\Users\Admin\AppData\Local\Temp\yajbcb.exe"
1⤵
- Executes dropped EXE
PID:2204

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\vzwgscg.bat
1⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2024

C:\Users\Admin\AppData\Local\Temp\541f15e3fba33c80185ea26d83a2965e.exe
"C:\Users\Admin\AppData\Local\Temp\541f15e3fba33c80185ea26d83a2965e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fhsefm.bat

Filesize
156B

MD5
621ff602ab5163621e45a64287489719

SHA1
5caab2d93875894daf407205d4b2aea09102357e

SHA256
c55f7da75f088d69a1f351619ba14e89b91b7548312fdaf640a2a23b39302435

SHA512
d3165f305f3fc18d448cb346ebf575de0e728cdc241b03b65240915082b82a6a6dac855e0201e4b691a40e742f536fc67ee8ab851b6aa36f487ce917b917aba9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vzwgscg.bat

Filesize
124B

MD5
5060e6ad8cb18c327fda825c5569b6de

SHA1
0779c0a69db39b3e80abe15b9cd2559fe60490fd

SHA256
983e32e3179df9cf513335a27be17012b9cadf008e7a51409b7261481671baa1

SHA512
6ef4459a000622657ed87fde1d67b204ea2e8b006918dad476c4ea43c77bfeaa3e21d07aa8fdad33c240ca5692d1d0d9d9a25b6ac0c6f40e983eeece6c229b60

Download Submit
C:\Users\Admin\AppData\Local\Temp\yajbcb.exe

Filesize
85KB

MD5
375e7baf44d46b048a61f6b9c36bac76

SHA1
941a7a28b605b288ae7a04290331c1add4506b68

SHA256
56c6aeb81b091b99598cc84ef399b710656313ec32b2c98fc2b652865d445539

SHA512
2526ede4cbe38218bd106f3d28aa4e5caa3198ec6a7d4e5a418ce05c174cec41c69259e0d5166299c1ce7684cb1276a5e8ba1a8253ba6aff024b1580ba660338

Download Submit
C:\Users\Admin\AppData\Local\Temp\yajbcb.exe

Filesize
115KB

MD5
77a93ff523c88c5a6ce15d16fa1a9d42

SHA1
0a61ba5d7d9ae91b6b7dcadda6c6b3cc62fb27ba

SHA256
ef391a329ad019e3d6930d974cc5bde06a42b38ee823b7d4077abe064e851f3f

SHA512
1b40d862c3a177ff952724c36177df1aeea1e3430869b5955734a83c795ee96cbe3a81c0a0c49f71bccf0cc1f2ba7bae0dbbfb6357f32fa6582c3c9976b49f2f

Download Submit
\Users\Admin\AppData\Local\Temp\yajbcb.exe

Filesize
165KB

MD5
14a7f6c37b8a7fb9ed71047cd9b67e86

SHA1
62c76a0b4e072550359786f0736efbfc4207b48a

SHA256
110ad3262fb0617ab3eb01d52f055b0ccd4903de63e382067bc86a7d54a03c5c

SHA512
532a097f0761744f50f15bcf7fc42c4fab3415499d3fbe0d52c9d222cdf2f6911ab7a99752b2ac9a2ebb913e30e47b04349b458241f2fe6f9a92425ba16f7ffc

Download Submit
\Users\Admin\AppData\Local\Temp\yajbcb.exe

Filesize
43KB

MD5
6bb7afefc536dbdc8b6649c6d552e650

SHA1
adabe96ef3479d7cb334e0b2beb39d8ff19a2ca4

SHA256
debc03f9937cbae1addcebb3f56d6f53a1c74f62425d2a409247b051f5d98311

SHA512
e3dd74202f317f5645d1ed3b1230208e6b334c72ae7e0c40b560b0c9899ebbab45fe8702de3d4b8215bdf5c3dd5fbb8b0301574fe235e8735257cdff9007489b

Download Submit