df3b33e6cec4fa8a86bfd8bbab94743322f84a24bd1b0e626c352cb97bc717d2

Analysis

max time kernel
140s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
13/01/2024, 10:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

58b8bb8708a1f5ae86f2f4b95a4b0b5d.exe
Size

2.7MB
MD5

58b8bb8708a1f5ae86f2f4b95a4b0b5d
SHA1

cbefe83b9e62e9efda12989c4e3796d8bcdcf5c5
SHA256

df3b33e6cec4fa8a86bfd8bbab94743322f84a24bd1b0e626c352cb97bc717d2
SHA512

4728c16e09cb8f03aa76e8a0489d29b299eb9430240cd43671d40ba5e8e7e185a08593c7de9988648370582a5af52d9b24b8337aa0213e7a8fb7f8e60b846003
SSDEEP

49152:0rxJB9slWY5T97x4rvXtO+jw4ztk9/FdLQz+V759YTZgl0wVHVN8A:0VOlWY9Sjd1ztgFd0SV759YFg6A

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2864	svchost.exe
3000	58b8bb8708a1f5ae86f2f4b95a4b0b5d.exe
3068	svchost.exe

Loads dropped DLL 5 IoCs

pid	Process
2864	svchost.exe
2864	svchost.exe
3000	58b8bb8708a1f5ae86f2f4b95a4b0b5d.exe
3000	58b8bb8708a1f5ae86f2f4b95a4b0b5d.exe
3000	58b8bb8708a1f5ae86f2f4b95a4b0b5d.exe

Drops file in Program Files directory 39 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	svchost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\svchost.exe	58b8bb8708a1f5ae86f2f4b95a4b0b5d.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 2864	2652	58b8bb8708a1f5ae86f2f4b95a4b0b5d.exe	18
PID 2652 wrote to memory of 2864	2652	58b8bb8708a1f5ae86f2f4b95a4b0b5d.exe	18
PID 2652 wrote to memory of 2864	2652	58b8bb8708a1f5ae86f2f4b95a4b0b5d.exe	18
PID 2652 wrote to memory of 2864	2652	58b8bb8708a1f5ae86f2f4b95a4b0b5d.exe	18
PID 2864 wrote to memory of 3000	2864	svchost.exe	17
PID 2864 wrote to memory of 3000	2864	svchost.exe	17
PID 2864 wrote to memory of 3000	2864	svchost.exe	17
PID 2864 wrote to memory of 3000	2864	svchost.exe	17
PID 2864 wrote to memory of 3000	2864	svchost.exe	17
PID 2864 wrote to memory of 3000	2864	svchost.exe	17
PID 2864 wrote to memory of 3000	2864	svchost.exe	17

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3068

C:\Users\Admin\AppData\Local\Temp\58b8bb8708a1f5ae86f2f4b95a4b0b5d.exe
"C:\Users\Admin\AppData\Local\Temp\58b8bb8708a1f5ae86f2f4b95a4b0b5d.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3000

C:\Windows\svchost.exe
"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\58b8bb8708a1f5ae86f2f4b95a4b0b5d.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2864

C:\Users\Admin\AppData\Local\Temp\58b8bb8708a1f5ae86f2f4b95a4b0b5d.exe
"C:\Users\Admin\AppData\Local\Temp\58b8bb8708a1f5ae86f2f4b95a4b0b5d.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2652

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\58b8bb8708a1f5ae86f2f4b95a4b0b5d.exe

Filesize
894KB

MD5
bc8ee2734f3ab08b112533b21ed81da3

SHA1
5c5200bc49ec02622e5e065bdf55c6d9fefd076a

SHA256
3b87b254048b9300cb251bd5bd056b045bec74722a313a4362265e4ad1b8ef48

SHA512
7dc35cd60d5fc6f06a1099227c6a93f0c318782222971097b2ca68d174180d5f6f6e7c01b649c21b565310bbe745c2ce2aef3b4519a60288cdc502da5297d9d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\58b8bb8708a1f5ae86f2f4b95a4b0b5d.exe

Filesize
382KB

MD5
9f8aa645596f231cfde343374d35de7c

SHA1
d056f747a6906ac6c3931f63462b5a0b3d4984a9

SHA256
bdc0f10ed056a3a9e30032ff2ff2ef9e413e9cda6f48e3600d6812045a048770

SHA512
ae658c33a0f553363ef1d4f5995b3c5d569aa189dd1fc6dcf4dcf0b81252391ab8e8cb6f43e5dad8f4d6cd5983b93748c8c4e729ebce7533a78967cb7f320531

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
345861f739ef259c33abc7ef49b81694

SHA1
3b6aff327d91e66a207c0557eac6ddefab104598

SHA256
fc3220611aded768e37b125c4e4d5a8ffdbf7dfa8d8c19c07c7791b486457948

SHA512
7b0aae948a594f29125a3e80f6c2b51421cda07f5ee4554538037f12b87d4b3937ee74fb400505efcd2a953c897a49d79d875148516dcef619c514251854dfad

Download Submit
\Users\Admin\AppData\Local\Temp\58b8bb8708a1f5ae86f2f4b95a4b0b5d.exe

Filesize
1.4MB

MD5
f9d457d55fcba05894a610bc40b671bf

SHA1
0f6f0cd90656cebcc95e64ce40b5d464437409f4

SHA256
dc94e0085bee2a35c8df061017fa6a1c79987766d8492a52cfdccf97a1f3101f

SHA512
2d3acf361689bbd37a0223d3518cb867819ebc67e2bea739c4d9c851e67a294f5abacfca5ac907e0482b7d57a6a055d48f5d9cedb84a7f545950fbbf1266fbbb

Download Submit
\Users\Admin\AppData\Local\Temp\58b8bb8708a1f5ae86f2f4b95a4b0b5d.exe

Filesize
1.4MB

MD5
08ad65ad37d0c5bdfdd2327cfe04c4e2

SHA1
88fb86c8051f89291ca2190b0e857a59f2779193

SHA256
6ea52a2cf95b589413fa4a8501e9320673ad64d0a6d38d67c07fc30b5ddbb8f9

SHA512
3d153a895fccf35386f84f00edac1043973d0bf9ef0f373076286470edda6db0aafb3c5fe983bc27308bb0333250e53a32fd72f2f57cc75fd618fce4525ecc0d

Download Submit
\Users\Admin\AppData\Local\Temp\58b8bb8708a1f5ae86f2f4b95a4b0b5d.exe

Filesize
92KB

MD5
dcc5b366f25d2b7befb860408090e232

SHA1
5e40cf7fe93df0c64ab3b94734e292de8fb4fae1

SHA256
fd7e748e1241f867e5915d45bcd10d67b267582dee0767bb58366dfa1fe85db2

SHA512
7376d645af38b5bf921fc63ef9652c26e4d62fae1a4de0b4516e64b35e8fb82e7468c26252d59e3e39caeac83dd929f6f5fcef87434d0ef370892289914b7b19

Download Submit
\Users\Admin\AppData\Local\Temp\58b8bb8708a1f5ae86f2f4b95a4b0b5d.exe

Filesize
381KB

MD5
172f0c3416e6bf04dffe11ccf60933a6

SHA1
8e353d437c64391dbce08000a12eed75f52dccf9

SHA256
1a2edef50048f5d9e9446c5c0e047097531d76ffa49618127486cae90b2bab0f

SHA512
df89cd074f0f4c99ed8209ca43020cfecf516b7a7a5cfd2e1430e03728c25a9cb04c714ab7afb72870a8cd0923f4e66f2afda8cd621accb5d91b4d8e2ad6256e

Download Submit
memory/2652-5-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2864-22-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3068-25-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3068-37-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3068-41-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download