41d216228b6d2f522f8355dfa132101164ab393b0d41628d71586a6c57f68d5d

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12/01/2024, 15:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

56e2c85e0700b63768abf2dfd2eb962e.exe
Size

484KB
MD5

56e2c85e0700b63768abf2dfd2eb962e
SHA1

6c3e0adee724759feddbd728b0113615eeb447a9
SHA256

41d216228b6d2f522f8355dfa132101164ab393b0d41628d71586a6c57f68d5d
SHA512

49e0cdf904ba7f90509ae4868382a5c4d8be0adbad7c37434aee09484830fd5b7a8dd43bcd49fb3e6eb85b5c9687422e74655ac51b2643c401b196967475f7ff
SSDEEP

6144:jTrMEr9QOjGgBb0obRncxoPjX+vuFYe7I5AkLVdVVljA+M9XJ:jfM09xjlyKRncxwOkYyXEZDA

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2280	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2620	oxhebs.exe

Loads dropped DLL 3 IoCs

pid	Process
2280	cmd.exe
2280	cmd.exe
2620	oxhebs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
2740	taskkill.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3020	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2620	oxhebs.exe
2620	oxhebs.exe
2620	oxhebs.exe
2620	oxhebs.exe
2620	oxhebs.exe
2620	oxhebs.exe
2620	oxhebs.exe
2620	oxhebs.exe
2620	oxhebs.exe
2620	oxhebs.exe
2620	oxhebs.exe
2620	oxhebs.exe
2620	oxhebs.exe
2620	oxhebs.exe
2620	oxhebs.exe
2620	oxhebs.exe
2620	oxhebs.exe
2620	oxhebs.exe
2620	oxhebs.exe
2620	oxhebs.exe
2620	oxhebs.exe
2620	oxhebs.exe
2620	oxhebs.exe
2620	oxhebs.exe
2620	oxhebs.exe
2620	oxhebs.exe
2620	oxhebs.exe
2620	oxhebs.exe
2620	oxhebs.exe
2620	oxhebs.exe
2620	oxhebs.exe
2620	oxhebs.exe
2620	oxhebs.exe
2620	oxhebs.exe
2620	oxhebs.exe
2620	oxhebs.exe
2620	oxhebs.exe
2620	oxhebs.exe
2620	oxhebs.exe
2620	oxhebs.exe
2620	oxhebs.exe
2620	oxhebs.exe
2620	oxhebs.exe
2620	oxhebs.exe
2620	oxhebs.exe
2620	oxhebs.exe
2620	oxhebs.exe
2620	oxhebs.exe
2620	oxhebs.exe
2620	oxhebs.exe
2620	oxhebs.exe
2620	oxhebs.exe
2620	oxhebs.exe
2620	oxhebs.exe
2620	oxhebs.exe
2620	oxhebs.exe
2620	oxhebs.exe
2620	oxhebs.exe
2620	oxhebs.exe
2620	oxhebs.exe
2620	oxhebs.exe
2620	oxhebs.exe
2620	oxhebs.exe
2620	oxhebs.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2740	taskkill.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2620	oxhebs.exe
2620	oxhebs.exe
2620	oxhebs.exe
2620	oxhebs.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2620	oxhebs.exe
2620	oxhebs.exe
2620	oxhebs.exe
2620	oxhebs.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1552 wrote to memory of 2280	1552	56e2c85e0700b63768abf2dfd2eb962e.exe	28
PID 1552 wrote to memory of 2280	1552	56e2c85e0700b63768abf2dfd2eb962e.exe	28
PID 1552 wrote to memory of 2280	1552	56e2c85e0700b63768abf2dfd2eb962e.exe	28
PID 1552 wrote to memory of 2280	1552	56e2c85e0700b63768abf2dfd2eb962e.exe	28
PID 2280 wrote to memory of 2740	2280	cmd.exe	30
PID 2280 wrote to memory of 2740	2280	cmd.exe	30
PID 2280 wrote to memory of 2740	2280	cmd.exe	30
PID 2280 wrote to memory of 2740	2280	cmd.exe	30
PID 2280 wrote to memory of 3020	2280	cmd.exe	32
PID 2280 wrote to memory of 3020	2280	cmd.exe	32
PID 2280 wrote to memory of 3020	2280	cmd.exe	32
PID 2280 wrote to memory of 3020	2280	cmd.exe	32
PID 2280 wrote to memory of 2620	2280	cmd.exe	33
PID 2280 wrote to memory of 2620	2280	cmd.exe	33
PID 2280 wrote to memory of 2620	2280	cmd.exe	33
PID 2280 wrote to memory of 2620	2280	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\56e2c85e0700b63768abf2dfd2eb962e.exe
"C:\Users\Admin\AppData\Local\Temp\56e2c85e0700b63768abf2dfd2eb962e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1552
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /pid 1552 & ping -n 3 127.1 & del /f /q "C:\Users\Admin\AppData\Local\Temp\56e2c85e0700b63768abf2dfd2eb962e.exe" & start C:\Users\Admin\AppData\Local\oxhebs.exe -f
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2280
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /pid 1552
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2740
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 3 127.1
    3⤵
    - Runs ping.exe
    PID:3020
- - C:\Users\Admin\AppData\Local\oxhebs.exe
    C:\Users\Admin\AppData\Local\oxhebs.exe -f
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\oxhebs.exe

Filesize
484KB

MD5
56e2c85e0700b63768abf2dfd2eb962e

SHA1
6c3e0adee724759feddbd728b0113615eeb447a9

SHA256
41d216228b6d2f522f8355dfa132101164ab393b0d41628d71586a6c57f68d5d

SHA512
49e0cdf904ba7f90509ae4868382a5c4d8be0adbad7c37434aee09484830fd5b7a8dd43bcd49fb3e6eb85b5c9687422e74655ac51b2643c401b196967475f7ff

Download Submit
memory/1552-0-0x00000000002A0000-0x00000000002A6000-memory.dmp

Filesize
24KB

Download
memory/1552-1-0x0000000001000000-0x00000000010A6000-memory.dmp

Filesize
664KB

Download
memory/1552-2-0x00000000002B0000-0x00000000002B2000-memory.dmp

Filesize
8KB

Download
memory/1552-4-0x0000000001000000-0x00000000010A6000-memory.dmp

Filesize
664KB

Download
memory/2620-10-0x0000000000230000-0x0000000000232000-memory.dmp

Filesize
8KB

Download
memory/2620-9-0x0000000001000000-0x00000000010A6000-memory.dmp

Filesize
664KB

Download
memory/2620-12-0x0000000001000000-0x00000000010A6000-memory.dmp

Filesize
664KB

Download
memory/2620-13-0x0000000001000000-0x00000000010A6000-memory.dmp

Filesize
664KB

Download
memory/2620-14-0x0000000001000000-0x00000000010A6000-memory.dmp

Filesize
664KB

Download
memory/2620-15-0x0000000001000000-0x00000000010A6000-memory.dmp

Filesize
664KB

Download
memory/2620-16-0x0000000001000000-0x00000000010A6000-memory.dmp

Filesize
664KB

Download
memory/2620-17-0x0000000001000000-0x00000000010A6000-memory.dmp

Filesize
664KB

Download
memory/2620-18-0x0000000001000000-0x00000000010A6000-memory.dmp

Filesize
664KB

Download
memory/2620-19-0x0000000001000000-0x00000000010A6000-memory.dmp

Filesize
664KB

Download