Overview

overview

7

Static

static

3

5b22ffad0a...6b.exe

windows7-x64

7

5b22ffad0a...6b.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    11s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/01/2024, 11:35

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    5b22ffad0a238d71952d60010852386b.exe

  • Size

    442KB

  • MD5

    5b22ffad0a238d71952d60010852386b

  • SHA1

    031e873003ac4380004269b6f22d2dfc1581bacd

  • SHA256

    a88b53bcd90870eccd0429e4232ce4b4eb11745117248397fa4d40a8d85d0e8e

  • SHA512

    d57b20b531e6a0a1a78f4571d129a126e949ad71c9f3385164f83436818d74cfa00cfb8c084407e3b616d9627d3e9767ddfbbe78358d7b75bb812f2e8e8de68d

  • SSDEEP

    12288:w61aABLUzgOw6UVnYtsAXejgrqHUvZmVxF2:LpVaUVnYtsAu8u1

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Drops file in Windows directory 14 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 1 IoCs
    evasion
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • Views/modifies file attributes 1 TTPs 11 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\5b22ffad0a238d71952d60010852386b.exe
    "C:\Users\Admin\AppData\Local\Temp\5b22ffad0a238d71952d60010852386b.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3572
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c c:\windows\ime\125.bat
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:1400
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /t /im ksafetray.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1776
      • \??\c:\windows\ime\rar.exe
        "c:\windows\ime\Rar.exe" e -y -ping c:\windows\ime\usbhard.rar c:\windows\ime\
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:4956
      • \??\c:\windows\ime\systen.exe
        c:\windows\ime\systen.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2760
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c c:\windows\ime\ok1.bat
          4⤵
            PID:2352
            • \??\c:\windows\web\lsoss.exe
              c:\windows\web\lsoss.exe
              5⤵
                PID:5044
          • C:\Windows\SysWOW64\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\windows\ime\00.vbs"
            3⤵
              PID:2204
            • C:\Windows\SysWOW64\attrib.exe
              attrib +H +R g:\setprter
              3⤵
              • Views/modifies file attributes
              PID:1820
            • C:\Windows\SysWOW64\attrib.exe
              attrib +H +R h:\setprter
              3⤵
              • Views/modifies file attributes
              PID:408
            • C:\Windows\SysWOW64\attrib.exe
              attrib -H -R h:\~1
              3⤵
              • Views/modifies file attributes
              PID:884
            • C:\Windows\SysWOW64\attrib.exe
              attrib -H -R g:\~1
              3⤵
              • Views/modifies file attributes
              PID:2232
            • C:\Windows\SysWOW64\attrib.exe
              attrib +H +R f:\setprter
              3⤵
              • Views/modifies file attributes
              PID:4680
            • C:\Windows\SysWOW64\attrib.exe
              attrib -H -R f:\~1
              3⤵
              • Views/modifies file attributes
              PID:2204
            • C:\Windows\SysWOW64\attrib.exe
              attrib +H +R e:\setprter
              3⤵
              • Views/modifies file attributes
              PID:2740
            • C:\Windows\SysWOW64\attrib.exe
              attrib -H -R e:\~1
              3⤵
              • Views/modifies file attributes
              PID:980
            • C:\Windows\SysWOW64\attrib.exe
              attrib +H +R d:\setprter
              3⤵
              • Views/modifies file attributes
              PID:4492
            • C:\Windows\SysWOW64\attrib.exe
              attrib -H -R d:\~1
              3⤵
              • Views/modifies file attributes
              PID:4516
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\11a.bat
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:4364
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1 -n 1
              3⤵
              • Runs ping.exe
              PID:4560
            • C:\Windows\SysWOW64\attrib.exe
              attrib -S -H c:\ma.exe
              3⤵
              • Views/modifies file attributes
              PID:3108
        • C:\windows\ime\rar.exe
          "C:\windows\ime\Rar.exe" e -y -ping C:\windows\ime\ok.rar c:\windows\web\
          1⤵
            PID:980
          • C:\Windows\system32\wbem\scrcons.exe
            C:\Windows\system32\wbem\scrcons.exe -Embedding
            1⤵
              PID:4488
              • C:\Windows\IME\systen.exe
                "C:\Windows\IME\systen.exe"
                2⤵
                  PID:2868
                • C:\Windows\IME\systen.exe
                  "C:\Windows\IME\systen.exe"
                  2⤵
                    PID:3184

                Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Users\Admin\AppData\Local\Temp\11a.bat
                        Filesize

                        226B

                        MD5

                        c5b668ed624cf3fcd5e6b033b1afe672

                        SHA1

                        836df8c8b2bc10a26ef0fa8c1720447be9600ab7

                        SHA256

                        c10007d28ae7e188900a52b4b30a1e3392440dce1a5264c442a53b4ba35b581f

                        SHA512

                        274d894a64fc1ed3d3c82dccb5418e6e83ec94ad43a4ebd7101cf1dedcbf92366ff2714ab5123a2f1623cea137268377f9e3268fb4e757dfa9de61802494c671

                        Download Submit

                      • C:\Windows\IME\00.vbs
                        Filesize

                        57KB

                        MD5

                        12149987af581b174ffd2a6cdfe3381b

                        SHA1

                        0c5c2cb3014b1c730bf9fcc2338abbb1c0528ed1

                        SHA256

                        11009a1bd14dda33b937aa4904d739025d2d98c5f05e1235d9f531d4f6812ce9

                        SHA512

                        d3ffe1675b4fda94400c44caf73ed443ea88fca8cd96fefd10a1cb6f8e79f3b3654789a36b860620b3b33863c3245e9f15bd43e82087f242b1f02f4a1dc5999e

                        Download Submit

                      • C:\Windows\IME\rar.exe
                        Filesize

                        310KB

                        MD5

                        0a5680183c0089a64621e211917664d8

                        SHA1

                        8525d73c99e28413e97a094c99950e1806786246

                        SHA256

                        c7d6bfe9d26d1ecdd9f2e7f3f892a4d32030949937f86938edcb1995655c2814

                        SHA512

                        b843b8994c764c3761bef8d34eefb312c9d9567b3f4aadc38008caf42d0cdb82c33276203e4210adcc1e8c567268ebdf01a0a1e839694811932889ac971bb051

                        Download Submit

                      • C:\Windows\IME\systen.exe
                        Filesize

                        104KB

                        MD5

                        4d60faf0ab503e00d0470d21a018109d

                        SHA1

                        d4e47f6a1b8e6c40cac91f683c0d1dfa0161c364

                        SHA256

                        ec61669f8c6e1cccf1a2ee6dfca852a73b05c7f1ca9dd974e2af1525dbfc0d55

                        SHA512

                        ebfcaa50899be339a4bef98e60274c4ce338c835028bdbaa08ab481dfe2798b13fe9691dc4ad35b2b90ca31feeca2919dc6b89db9ec27294d958b999af4d6e64

                        Download Submit

                      • C:\Windows\IME\systen.exe
                        Filesize

                        669KB

                        MD5

                        3e5c5570bdd844ac8737629281158480

                        SHA1

                        25915fa51c4d3f2826c024a53195bc188158aca0

                        SHA256

                        a272adfd6d8c3a19937cb79216decd88dc88aa80b2cd29cbf1fdc0b52104beaa

                        SHA512

                        3ea8478f4a2a38eecd35216245e1eaa1c0f1e0dffb479cd82d4adefaee672c48a14a85fcdf3e3ba57414f85828cf6cb25f2540c61b85d501c2aeceb62af0a572

                        Download Submit

                      • C:\Windows\IME\systen.exe
                        Filesize

                        610KB

                        MD5

                        7cc94161e6eff8ff71fc4632a7f29402

                        SHA1

                        154a27333872761f2da366dd1c19f71c515d1167

                        SHA256

                        e2a82289fc05abb5ed9adafe07e5ccdf246e87dd670765d358e87c98702d0dc6

                        SHA512

                        d002b54f6df78d519847914a3cd9872ec6f8ed02eb8df5b169d41d3cd8a8e7fe2453cc2edb505ded791573cbbe9f386513e2be19787b8b830d763c32ce66004f

                        Download Submit

                      • C:\Windows\Web\lsoss.exe
                        Filesize

                        263KB

                        MD5

                        1a7e3aaa48236b6f5f708cc2ec581205

                        SHA1

                        c691ac732c4d6eef86890db83a1c514a3c9c9183

                        SHA256

                        4a4145eab5f0b6665b2e42dab1b2b20779e9d8d9bac2774c11cff0c69adf13f3

                        SHA512

                        d8bc86254db09ed73c9621d5267f28bbbb454df25e50c9602870a4d984bc37f74fc4b17b1f26605f1a9cf88f8334700c6164c64635bd13ea9ad50726cb8e9aa7

                        Download Submit

                      • C:\windows\ime\00.vbs
                        Filesize

                        391KB

                        MD5

                        8057f88dd672fa05e5e5dbeacdcd0737

                        SHA1

                        8492baf32833d00fa6ea8a412d3999342300b8e1

                        SHA256

                        70eee972629390ee0466efdb166ccc26e6a8d3946ca2b619aefcd363b9a608cf

                        SHA512

                        dceee583e8ff8aaf847dcb32f707ed1f0ddeafd1a94d036c0af7990f994e72d0ae9ea1a62ca9eafbe86679c54d2f1bc6ce88d12a326f98452769eeaac9af88e7

                        Download Submit

                      • C:\windows\ime\md5.txt
                        Filesize

                        806B

                        MD5

                        b871fe74597f5cb4116bc4075633c8b1

                        SHA1

                        6517e5738579d67dcb09bc0e25fab0f6b723d7e4

                        SHA256

                        48ce1c40121e71173d2d5908d2c6d76e66704679a2106e0b1d5ca7b32ad00b0a

                        SHA512

                        6900c7858c4a559cce7bf39648e7a671d3b8a96d46fd0a295aac8fd70d353ed4bc5d5da47620a140bc2cfd2e21d15b977059ce9a9712fcaba17367eb4d39a3b2

                        Download Submit

                      • C:\windows\ime\ok.rar
                        Filesize

                        266KB

                        MD5

                        0e613f2d4f256de6a97d4fb2dfddd2a6

                        SHA1

                        46a040447ba9887a99cdafeb636bee9d89341b09

                        SHA256

                        7beb29fefc719dd8c93484a44e92c7e765383cf8df9df9c29ca6fa745d53e074

                        SHA512

                        0c7e88e2142ef936fea918fc485122330842a1c743632b96feecfc04a5918ba76d311575e5defe25ba63bb2047311b3f53035fd76497523ec4339d051c6b2050

                        Download Submit

                      • \??\c:\windows\ime\00.txt
                        Filesize

                        142KB

                        MD5

                        a2dd00710d7cd43c8c47b45f34e8b44f

                        SHA1

                        48606ae8607995e286340a14b131bf0c34fd214d

                        SHA256

                        7f305c00470fb2a7c5692e13597dd6a29a92aee2adb3d7234b8e0042ed8cedc1

                        SHA512

                        b05ff16b94d74d7051a68d035131e22812ce6ae0ddaefb9f3aae8eea13858c7f86e7c0204b4b2fc5639bd766af425ed84f051cea04ccf9f95ddb23b2adca35a5

                        Download Submit

                      • \??\c:\windows\ime\125.bat
                        Filesize

                        1KB

                        MD5

                        035e07735205d1aac8c9553c957c1feb

                        SHA1

                        e9dc50bc762882a63a1d3a20642b6f32113a5b96

                        SHA256

                        b4eec69f711d4b18ea51a888a5aeb6698842a727f0ed2e749e0740e57094bdb5

                        SHA512

                        cf3abfd74dd3347970b233e6f44e77585699dd50abf10cebd0e4e17ff9be2f22fad8a29dc367b363e8f0577fba400ce3d4e2195f3f0a1f4e5653ec21fed72024

                        Download Submit

                      • \??\c:\windows\ime\ok1.bat
                        Filesize

                        360B

                        MD5

                        f38e24920e7c9520b8f5e37a6509a5be

                        SHA1

                        fb5bc29edad40738582917711458e146e417e125

                        SHA256

                        ef8e7af75bb2f474d9a7df2ebec6bbe7d22ebd848f95cc1f26a23a0f20fa1cdd

                        SHA512

                        5f57dac2f0125ef2d7feb480b57a93440344199972cdcf154799837c004eaf7abcdacc35fa258fd1515499539e0a4c023dac4875eec6dc4d2b7cda26bc068800

                        Download Submit

                      • \??\c:\windows\ime\systen.exe
                        Filesize

                        269KB

                        MD5

                        10c19212478e4e7558b8581020a60631

                        SHA1

                        5864c402941f87c8666cacb73154d932ac654684

                        SHA256

                        1e34f27d5d063e5a83210fa75c826370cc71cfc66b3833737ec75901112ef2cf

                        SHA512

                        8118151eb31b37315f697e05e16f129b4a1e6af93868c2bbf55c415ebda61cdd1d7a7925656d2ae4145786562c80a2c7aedb9158816438e0cfe46ee26fd7dc7b

                        Download Submit

                      • \??\c:\windows\ime\systen.txt
                        Filesize

                        2.4MB

                        MD5

                        7dcac5ed19ded29e3800920881c4868a

                        SHA1

                        49778397e3c9186884b016f77af09aca1118f50d

                        SHA256

                        1bbf2bca25ebd0f0d0d65566d37312d8197332c6b0b74da1bb245c8da2c5d39a

                        SHA512

                        67b330125c22ca8f98da3111652e518aa9bc6fbc1c5b5491f670d6c758b0842d00f21c33085c2c2301e29a35ca1b425ff9e228689f05b28877958f6b52d841a0

                        Download Submit

                      • \??\c:\windows\ime\usbhard.rar
                        Filesize

                        5KB

                        MD5

                        394fae3c2a908e0a9d7a5b1ff1fea0d1

                        SHA1

                        b9f3332acfa58b401f35fc3aa4aaee23fcdb91ae

                        SHA256

                        c61298d4c55156a95e61522a3f0bd0f381eec23455c73005f1e0133d01fe1d72

                        SHA512

                        308fb917051e8792741852e0d74a955ea0b3b7e75219c0a43e17cfef7e57a2d48dc5cf4ea76f7de404f0f5d0ece4bd7df267762a215bcc594f8c80f733f105fa

                        Download Submit

                      • \??\c:\windows\web\lsoss.exe
                        Filesize

                        358KB

                        MD5

                        0c3e631a8bacf7dba786085a62fd332c

                        SHA1

                        5f0cae565140a570eb230a04f0a3112666c503f4

                        SHA256

                        7899f52d1a62cb2137bd95c6c828c371bcc21143b21c1edef02503203b723d0d

                        SHA512

                        ebadd38c5d3e187277d4faaf84bf94e9bc44fb788e05c964df9be0867703576c3936e1a6a93f8ac6432419ca497bf802548b64705271ede9bca4ae1a3322143f

                        Download Submit

                      • \??\c:\windows\web\lsoss.txt
                        Filesize

                        354KB

                        MD5

                        177468e1b59e2b56264047795cddd88c

                        SHA1

                        d070fd60f1ffcececc6c2b6d3321e77f7ec00b72

                        SHA256

                        b59b82cb4d39181d9beb116407222cb9688650f6ef25bcbcff4e9ff3d92af17b

                        SHA512

                        c754dcaa500ae858504c70274b3037af78358d5dcf1c724055217e35ef90ccaa66ae213fb7f2f5e47eee86ac318a4f32969e8ecc696ba13fd4fcf4e8891401a9

                        Download Submit

                      • memory/980-49-0x0000000000400000-0x0000000000460000-memory.dmp

                        Filesize

                        384KB

                        Download

                      • memory/3572-26-0x0000000000400000-0x00000000004A2000-memory.dmp

                        Filesize

                        648KB

                        Download

                      • memory/3572-0-0x0000000000400000-0x00000000004A2000-memory.dmp

                        Filesize

                        648KB

                        Download

                      • memory/3572-1-0x00000000001C0000-0x00000000001C3000-memory.dmp

                        Filesize

                        12KB

                        Download

                      • memory/4956-20-0x0000000000400000-0x0000000000460000-memory.dmp

                        Filesize

                        384KB

                        Download

                      • memory/5044-59-0x0000000002210000-0x0000000002211000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/5044-57-0x0000000000400000-0x00000000004B7000-memory.dmp

                        Filesize

                        732KB

                        Download

                      • memory/5044-58-0x0000000000620000-0x0000000000621000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/5044-60-0x0000000000400000-0x00000000004B7000-memory.dmp

                        Filesize

                        732KB

                        Download

                      • memory/5044-61-0x0000000000620000-0x0000000000621000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/5044-63-0x0000000002210000-0x0000000002211000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/5044-71-0x0000000000400000-0x00000000004B7000-memory.dmp

                        Filesize

                        732KB

                        Download

                      • memory/5044-72-0x0000000000400000-0x00000000004B7000-memory.dmp

                        Filesize

                        732KB

                        Download