03b8ed19dfd3bcae99c56d5a4a3b15ec3b0e0541efcd4184f4cb02aa4c20b6b2

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04/02/2024, 04:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e35cbae0efcf6bbac45be28753b8e5a.exe
Size

645KB
MD5

8e35cbae0efcf6bbac45be28753b8e5a
SHA1

e316c893e8af4f190a90c3550ea2d5e7ae0faec8
SHA256

03b8ed19dfd3bcae99c56d5a4a3b15ec3b0e0541efcd4184f4cb02aa4c20b6b2
SHA512

0cf4db24fbbe3a768cda0a8cfccfd8a79575b04aaf651d66b2ff3116d07ef241d4b784f8323f4ffbaeaeae4d258bf8e8029927713e0b2d4f0aaf328b9b2ff7b9
SSDEEP

12288:EHW1PsQqReJoze9kb7MIFXtyxH90cNnQdJD4Mp1xQWGIyZLbaiGUt:EHWuoJaeyb7xFXwxdVQd9DQWpyFae

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2796	winvnc.exe

Loads dropped DLL 2 IoCs

pid	Process
2732	cmd.exe
2732	cmd.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/1416-0-0x0000000000400000-0x0000000000485000-memory.dmp	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2796	winvnc.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
1416	8e35cbae0efcf6bbac45be28753b8e5a.exe
1416	8e35cbae0efcf6bbac45be28753b8e5a.exe
1416	8e35cbae0efcf6bbac45be28753b8e5a.exe
1416	8e35cbae0efcf6bbac45be28753b8e5a.exe
1416	8e35cbae0efcf6bbac45be28753b8e5a.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
1416	8e35cbae0efcf6bbac45be28753b8e5a.exe
1416	8e35cbae0efcf6bbac45be28753b8e5a.exe
1416	8e35cbae0efcf6bbac45be28753b8e5a.exe
1416	8e35cbae0efcf6bbac45be28753b8e5a.exe
1416	8e35cbae0efcf6bbac45be28753b8e5a.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1416 wrote to memory of 2732	1416	8e35cbae0efcf6bbac45be28753b8e5a.exe	28
PID 1416 wrote to memory of 2732	1416	8e35cbae0efcf6bbac45be28753b8e5a.exe	28
PID 1416 wrote to memory of 2732	1416	8e35cbae0efcf6bbac45be28753b8e5a.exe	28
PID 1416 wrote to memory of 2732	1416	8e35cbae0efcf6bbac45be28753b8e5a.exe	28
PID 2732 wrote to memory of 2796	2732	cmd.exe	30
PID 2732 wrote to memory of 2796	2732	cmd.exe	30
PID 2732 wrote to memory of 2796	2732	cmd.exe	30
PID 2732 wrote to memory of 2796	2732	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\8e35cbae0efcf6bbac45be28753b8e5a.exe
"C:\Users\Admin\AppData\Local\Temp\8e35cbae0efcf6bbac45be28753b8e5a.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1416
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\SC_VNC_Temp_Files\winvnc.cmd"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Users\Admin\AppData\Local\Temp\SC_VNC_Temp_Files\winvnc.exe
    winvnc.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SC_VNC_Temp_Files\helpdesk.txt

Filesize
1KB

MD5
2b2d0661fc228e576a0648fd843e6264

SHA1
ef66e0e11cfaf47c326d93f2bb566b774cbeb0c4

SHA256
efc0ac1e0bfdbf8dad25be260f5e06b2e9d029702ce26a5a67740aa433a3d20d

SHA512
ba2531187d70e9e8bbff5addea5e5636488b0d0e8f64e900f5b76dde87f5ce7c00aa2f683031ac3f01d09d0875164d3080abde64677032e3353b18c527ad85e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SC_VNC_Temp_Files\logo.bmp

Filesize
35KB

MD5
2a82bff32d5b58d6d8746aaefd4fd044

SHA1
bbdbffcf85204f0eaf5ca56cb7905227a63fb84f

SHA256
c34436c440082fac0adb4019f52faf277c4b2d28aadebdc208e56798e9132877

SHA512
0d03ec18ea30979c170b6b0d9c0de2e8e10e6c2ad260821f96444363197d031021a1be6a515e67d71cdc6850956da80232feb268ae597bebd26a5efa049c8c75

Download Submit
C:\Users\Admin\AppData\Local\Temp\SC_VNC_Temp_Files\winvnc.cmd

Filesize
2KB

MD5
c18af84528b187cfc0810123a9894400

SHA1
c6ab33a9f0154783fb606bb945498eb6a4fc9347

SHA256
845856f8fd2fca8676086b424f3fb681063470af0b5aae5a0fd6b2f60fdce5d9

SHA512
1981ef2a2b093980ba70c786f421c13db0f2d917f4889a6ef3b79bca53168ca0e3c3e516e6bbc5758f71a7c00f68464f39d302f8c544262272f401cf45787e2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SC_VNC_Temp_Files\winvnc.exe

Filesize
244KB

MD5
1cc077ecea12e9b484112d897da74a3b

SHA1
7fef071f41ddd1895b2723f9a526f53b6cd681c7

SHA256
db904b423b5b4b0a15a8c39851449a7f2a8271f318374ce2d6618cfab07b096f

SHA512
6cfc612f34170fc409969fff8f2ad3352b71c9d06c389276d0d7f01fcd3e4684c6016c7860fed6d020ad9713aaf86a9076719189047b8cf3e0d0d054718c23e4

Download Submit
memory/1416-0-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download