Analysis
max time kernel: 144s
max time network: 123s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 03/02/2024, 18:11
Static task: static1
Behavioral task: behavioral1
  Sample: 8d01e623f6c8fe01f97b05317597bd1f.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 8d01e623f6c8fe01f97b05317597bd1f.exe
  Resource: win10v2004-20231222-en
General
Target: 8d01e623f6c8fe01f97b05317597bd1f.exe
Size: 5.2MB
MD5: 8d01e623f6c8fe01f97b05317597bd1f
SHA1: dcd1bc58c59b64852f115f350cbcf082f949733c
SHA256: 8419906cd2df2dc0406be115fa13d1815469dd8a55dfb8962c6d2924b74551dc
SHA512: fa3f5ddcbbb91d5391e8c16c2114235e5fd4fe8b8baf6f72e22e57dd1160da28cb0b340d87769deb9eabd6a2986569a77b23f278bc2850776f915aad7dc15cb2
SSDEEP: 49152:EQFRHrmQG+yrY+FrBQG+aBQG+9QG+yrnrmQG+yrkQG+ygBQG+aBQIrmQG+yrY+F9:EcKHzs24MzWHzsc
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  pid 2620, process xbhl.exe
- Loads dropped DLL (2 IoCs)
  pid 2132, process 8d01e623f6c8fe01f97b05317597bd1f.exe
  pid 2132, process 8d01e623f6c8fe01f97b05317597bd1f.exe
- Modifies Internet Explorer settings
  Key created: \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main, process xbhl.exe
- Suspicious use of FindShellTrayWindow (1 IoCs)
  pid 2620, process xbhl.exe
- Suspicious use of SendNotifyMessage (1 IoCs)
  pid 2620, process xbhl.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 2620, process xbhl.exe
  pid 2620, process xbhl.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 2132 wrote to memory of 2620; pid 2132, process 8d01e623f6c8fe01f97b05317597bd1f.exe, procid_target 28
  PID 2132 wrote to memory of 2620; pid 2132, process 8d01e623f6c8fe01f97b05317597bd1f.exe, procid_target 28
  PID 2132 wrote to memory of 2620; pid 2132, process 8d01e623f6c8fe01f97b05317597bd1f.exe, procid_target 28
  PID 2132 wrote to memory of 2620; pid 2132, process 8d01e623f6c8fe01f97b05317597bd1f.exe, procid_target 28
Processes
1. C:\Users\Admin\AppData\Local\Temp\8d01e623f6c8fe01f97b05317597bd1f.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\8d01e623f6c8fe01f97b05317597bd1f.exe"
   PID: 2132
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\xbhl.exe (child of PID 2132)
      Command line: C:\Users\Admin\AppData\Local\Temp\xbhl.exe -run C:\Users\Admin\AppData\Local\Temp\8d01e623f6c8fe01f97b05317597bd1f.exe
      PID: 2620
      - Executes dropped EXE
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 461KB
  MD5: b84c50f24e18ad2abcc9f5bc5bcba691
  SHA1: 577d351abea6c0d6ace764a989244f8a541f4e31
  SHA256: 7a698ca4daa76cb5ef86afcea318166a242d2890d787597ed25ab02928b83387
  SHA512: 3ed329eeac15258c6bc9deef1d6cc767767265f973061380e73ffc0c153d9da07362a057914e9ea6c82f6fb7a951a679021da7eb76423dfcf9ab1f668dfd4569
- Filesize: 155KB
  MD5: 4480a46b6e65dea177de428af0b9e0ba
  SHA1: c8e25009dd1497c257fff67eaa1bbd4f89aebc18
  SHA256: 8b2953486de1a520248523431cac72362f366ccf69d956af04e9872e8f67f999
  SHA512: 4bd47e0564ee9f5d9d806c1ecdc84290561c60926f301a43378681b18ec38fe88e3ae55c906ab1902c70ba9bb13c908dec8535b21f2ac2d269fb33c0382a0fe3
- Filesize: 107KB
  MD5: a41d17ad3702ecd5ed702ea44d689c6d
  SHA1: 8fad3cd4b4c03f474c23511b33729dda1db71b18
  SHA256: aaef9dd767c44dcf547bdfc2e4a08744eef62ec2e5d78ff697d40cc8f3c0f0c7
  SHA512: 9cf67c07c7aa675ecf6e8f7fcccfd931ecabb5a72bcae8eccf9a12601aeeb7e64e9d0657afb718c4935c2f1571adcbc005449f1247cdb74653d0afb04ab6a981
- Filesize: 443KB
  MD5: 65594dbcc354894714ba9fd66c1e8c26
  SHA1: b10627e54c553e40a1df8aaa2a383615ed2c692b
  SHA256: ff93987c5bf3376e4daea18acbd2882bebf99054c817c4ad90e15b8d6491cfff
  SHA512: bf4a37fbcd338a2ae7b5f3335339b44567bd234ae42f78e9ba7418766d0fa13613373c20bb0ad4b94fb07172e9fee9b59d4e1303c007075520c1091cf7128ca0
- Filesize: 477KB
  MD5: f1e8063c561bb1262776f5122460eebe
  SHA1: 2e42ea47d6165cc7ea47c0c7b38fc5c3fd92e53d
  SHA256: 20aa3efeb77c057fb8baad01a6f1dc92a6ebcd559515461c0b467f637228e70c
  SHA512: bed5656b347b3464c817fe807ca80c9138d961d82b879cc5cfdd11fa36a06c6c3d5f13df05d92408d304f9a706c44dc0923834900fec14e2e4f9c75ddd2b0dfd