Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 25-01-2024 17:33
Static task: static1
Behavioral task: behavioral1
  Sample: 751b0391c47ac27fd5880602095c2b75.exe
  Resource: win7-20231129-en
General
Target: 751b0391c47ac27fd5880602095c2b75.exe
Size: 392KB
MD5: 751b0391c47ac27fd5880602095c2b75
SHA1: 57bb747fc1bff49bb43598d4e9ef035589ff8a65
SHA256: 69e62c01d01514823c9f50a77e79b456241aed9f23596e48d78490d227fbb18b
SHA512: 7ac38504d483601ec7dc660559f23b75d127a82091eba15f50f4f62d715c8d327f5950c5cc99ba7cf31c1f60c2457ff8fa6fc3691dffb60abca7a355eb7ae607
SSDEEP: 3072:TjeF/OZ/HI8IhYt5BjAsoDYp9qducrNK+B968s655MjawzakfWeiKWVOzYZO:TjC/4/HI87/Xr6UKzB92hOvVUYZO
Malware Config
Signatures
- Deletes itself (1 IoC)
  Processes: cmd.exe (PID 2140)
- Executes dropped EXE (1 IoC)
  Processes: exoxrrnev.exe (PID 2980)
- Loads dropped DLL (3 IoCs)
  Processes: cmd.exe (PID 2140), cmd.exe (PID 2140), exoxrrnev.exe (PID 2980)
- Kills process with taskkill (1 IoC)
  Processes: taskkill.exe (PID 1916)
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: taskkill.exe (PID 1916), Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes: 751b0391c47ac27fd5880602095c2b75.exe, cmd.exe
  PID 780 wrote to memory of 2140 (pid 780, 751b0391c47ac27fd5880602095c2b75.exe, procid_target 18)
  PID 780 wrote to memory of 2140 (pid 780, 751b0391c47ac27fd5880602095c2b75.exe, procid_target 18)
  PID 780 wrote to memory of 2140 (pid 780, 751b0391c47ac27fd5880602095c2b75.exe, procid_target 18)
  PID 780 wrote to memory of 2140 (pid 780, 751b0391c47ac27fd5880602095c2b75.exe, procid_target 18)
  PID 2140 wrote to memory of 1916 (pid 2140, cmd.exe, procid_target 14)
  PID 2140 wrote to memory of 1916 (pid 2140, cmd.exe, procid_target 14)
  PID 2140 wrote to memory of 1916 (pid 2140, cmd.exe, procid_target 14)
  PID 2140 wrote to memory of 1916 (pid 2140, cmd.exe, procid_target 14)
  PID 2140 wrote to memory of 2596 (pid 2140, cmd.exe, procid_target 16)
  PID 2140 wrote to memory of 2596 (pid 2140, cmd.exe, procid_target 16)
  PID 2140 wrote to memory of 2596 (pid 2140, cmd.exe, procid_target 16)
  PID 2140 wrote to memory of 2596 (pid 2140, cmd.exe, procid_target 16)
  PID 2140 wrote to memory of 2980 (pid 2140, cmd.exe, procid_target 33)
  PID 2140 wrote to memory of 2980 (pid 2140, cmd.exe, procid_target 33)
  PID 2140 wrote to memory of 2980 (pid 2140, cmd.exe, procid_target 33)
  PID 2140 wrote to memory of 2980 (pid 2140, cmd.exe, procid_target 33)
Processes
- C:\Users\Admin\AppData\Local\Temp\751b0391c47ac27fd5880602095c2b75.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\751b0391c47ac27fd5880602095c2b75.exe"
  PID: 780
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c taskkill /f /pid 780 & ping -n 3 127.1 & del /f /q "C:\Users\Admin\AppData\Local\Temp\751b0391c47ac27fd5880602095c2b75.exe" & start C:\Users\Admin\AppData\Local\EXOXRR~1.EXE -f
    PID: 2140
    Signatures: Deletes itself; Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\exoxrrnev.exe
      Command line: C:\Users\Admin\AppData\Local\EXOXRR~1.EXE -f
      PID: 2980
      Signatures: Executes dropped EXE; Loads dropped DLL
- C:\Windows\SysWOW64\taskkill.exe
  Command line: taskkill /f /pid 780
  PID: 1916
  Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\PING.EXE
  Command line: ping -n 3 127.1
  PID: 2596
  Signatures: Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads