39f7da6b0c66b25157be04a28f736b48705700298490ca3b97c110cbae05b792

Analysis

max time kernel
122s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24/01/2024, 10:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

71ef088251dd582e808c1796de6f80c4.exe
Size

284KB
MD5

71ef088251dd582e808c1796de6f80c4
SHA1

0fa72f43a47a6063afdbf28e9bf2d06fc9850255
SHA256

39f7da6b0c66b25157be04a28f736b48705700298490ca3b97c110cbae05b792
SHA512

e843e0457debc66461ab82c2d187c525e1b878a543e57c050067da215dd494e3f164d9ee9e805132540e977a8054f47dd1431bf6fde0193dbfd3aba301b380f1
SSDEEP

3072:NJcXctIZgoLGgIb45nFWnpwUz2xamrx5g6Gi3fwfc2TpTsuZfw:NJcXOIzIb40qUz2ImN3fwE+pwuZI

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2244	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2656	rksujz.exe

Loads dropped DLL 2 IoCs

pid	Process
2244	cmd.exe
2244	cmd.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2356	PING.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1796 wrote to memory of 2244	1796	71ef088251dd582e808c1796de6f80c4.exe	28
PID 1796 wrote to memory of 2244	1796	71ef088251dd582e808c1796de6f80c4.exe	28
PID 1796 wrote to memory of 2244	1796	71ef088251dd582e808c1796de6f80c4.exe	28
PID 1796 wrote to memory of 2244	1796	71ef088251dd582e808c1796de6f80c4.exe	28
PID 2244 wrote to memory of 2656	2244	cmd.exe	30
PID 2244 wrote to memory of 2656	2244	cmd.exe	30
PID 2244 wrote to memory of 2656	2244	cmd.exe	30
PID 2244 wrote to memory of 2656	2244	cmd.exe	30
PID 2244 wrote to memory of 2356	2244	cmd.exe	31
PID 2244 wrote to memory of 2356	2244	cmd.exe	31
PID 2244 wrote to memory of 2356	2244	cmd.exe	31
PID 2244 wrote to memory of 2356	2244	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\71ef088251dd582e808c1796de6f80c4.exe
"C:\Users\Admin\AppData\Local\Temp\71ef088251dd582e808c1796de6f80c4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1796
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\evlexgl.bat
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Users\Admin\AppData\Local\Temp\rksujz.exe
    "C:\Users\Admin\AppData\Local\Temp\rksujz.exe"
    3⤵
    - Executes dropped EXE
    PID:2656
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\evlexgl.bat

Filesize
124B

MD5
871aafbcebd98da6e298f1b102adfba2

SHA1
7dd5f56e669d86ab8be6dc0a0c1f531d40286a8f

SHA256
03dc7d3dc96876c5db98d5a4bcd19b5c5292102bc24991d538afc3875181e604

SHA512
346e4d93a776bf2c79ad97f44b09af1b8df5f65a0260d26391e8af5b048e73dab22a0dc6c15c568e9e7272d4cb6f3fc7e398690597116879c1550ef72e5e71d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ojflim.bat

Filesize
156B

MD5
03e3df0c7a9d64b5be75b0b6f3d356a8

SHA1
27c6cfbcc683f92c45f58dc7c58edaa45e5dde72

SHA256
af5780cda863d51006b377404cd83c611fbb39f2604fb24c442f60868f69c83e

SHA512
07954c295576bc2c535acffdab67e2938ac140bc456d4c99dda34f42a14e1f60d4ae059b942621e38d47b89a108f1adb1580c0ce4c3c955bb600ea44dbd7010f

Download Submit
\Users\Admin\AppData\Local\Temp\rksujz.exe

Filesize
184KB

MD5
aa253becf4bac6c111e59992c6bacc4f

SHA1
edce1f26cb0b99cc672b840782f1a5cd90c86c1f

SHA256
5e0325e922bb1b05f80c49065a74b501046609ec991a78fdba6009057cbd8cc8

SHA512
fa83a88628e63bc173a8e692306fdabdd9414bcacc412bd1b22125eeed8c88c4115846908878c196accec337c9a5c49df42778098b55ebebc58d27a6c2aa50d5

Download Submit