b32e99e981523dc367b400352de5a13930171675d3d5f8e83a6d7ab3e2689144

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04-02-2024 06:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e6613a2564e99d98781a795f4cc57ce.exe
Size

16KB
MD5

8e6613a2564e99d98781a795f4cc57ce
SHA1

2e29210e55235f5a9a5b8c0120b9682c08318465
SHA256

b32e99e981523dc367b400352de5a13930171675d3d5f8e83a6d7ab3e2689144
SHA512

89db3fccc2bb4c5fda977068b7d74cf7f8561c741bec87ded905888c7d4e664896346b7fcabea59e869dbefd5bafc239b85294b800fcc9b2bf241b931af2458a
SSDEEP

384:cfWuKW6z/JB2vDlmZ6mZl34LXL96/6/ZJxtF3M9FFUl8NIK:LjJB2pfV6/6hJxtef7

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2716	ODBCJET.exe
2740	ODBCJET.exe

Loads dropped DLL 4 IoCs

pid	Process
2844	8e6613a2564e99d98781a795f4cc57ce.exe
2844	8e6613a2564e99d98781a795f4cc57ce.exe
2716	ODBCJET.exe
2716	ODBCJET.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ODBCJET.exe	8e6613a2564e99d98781a795f4cc57ce.exe
File opened for modification	C:\Windows\SysWOW64\ODBCJET.exe	8e6613a2564e99d98781a795f4cc57ce.exe
File created	C:\Windows\SysWOW64\ODBCJET.exe	ODBCJET.exe
File created	C:\Windows\SysWOW64\Del.bat	ODBCJET.exe
File created	C:\Windows\SysWOW64\Del.bat	8e6613a2564e99d98781a795f4cc57ce.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2844	8e6613a2564e99d98781a795f4cc57ce.exe
2716	ODBCJET.exe
2740	ODBCJET.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 2716	2844	8e6613a2564e99d98781a795f4cc57ce.exe	33
PID 2844 wrote to memory of 2716	2844	8e6613a2564e99d98781a795f4cc57ce.exe	33
PID 2844 wrote to memory of 2716	2844	8e6613a2564e99d98781a795f4cc57ce.exe	33
PID 2844 wrote to memory of 2716	2844	8e6613a2564e99d98781a795f4cc57ce.exe	33
PID 2716 wrote to memory of 2740	2716	ODBCJET.exe	32
PID 2716 wrote to memory of 2740	2716	ODBCJET.exe	32
PID 2716 wrote to memory of 2740	2716	ODBCJET.exe	32
PID 2716 wrote to memory of 2740	2716	ODBCJET.exe	32
PID 2716 wrote to memory of 2620	2716	ODBCJET.exe	31
PID 2716 wrote to memory of 2620	2716	ODBCJET.exe	31
PID 2716 wrote to memory of 2620	2716	ODBCJET.exe	31
PID 2716 wrote to memory of 2620	2716	ODBCJET.exe	31
PID 2844 wrote to memory of 2608	2844	8e6613a2564e99d98781a795f4cc57ce.exe	29
PID 2844 wrote to memory of 2608	2844	8e6613a2564e99d98781a795f4cc57ce.exe	29
PID 2844 wrote to memory of 2608	2844	8e6613a2564e99d98781a795f4cc57ce.exe	29
PID 2844 wrote to memory of 2608	2844	8e6613a2564e99d98781a795f4cc57ce.exe	29

C:\Users\Admin\AppData\Local\Temp\8e6613a2564e99d98781a795f4cc57ce.exe
"C:\Users\Admin\AppData\Local\Temp\8e6613a2564e99d98781a795f4cc57ce.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\Del.bat
  2⤵
  PID:2608
- C:\Windows\SysWOW64\ODBCJET.exe
  C:\Windows\system32\ODBCJET.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2716

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\system32\Del.bat
1⤵
PID:2620

C:\Windows\SysWOW64\ODBCJET.exe
C:\Windows\system32\ODBCJET.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2740

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Del.bat

Filesize
88B

MD5
35096dad5f1b48782d35698a1d042533

SHA1
7de420563facc9a68325ce5ef049f6d018751ad0

SHA256
dd339d5316a73d8a89487209e673f03ac5475bd149e6b13dc7f73c743bd3338e

SHA512
e156e6384bc7f5e3bedeae8fee177e0b31e921c78d47271519875565c053ff0aeced47b84965bdfe5e30ea1adb2c7920e4a0acf6de5fb966cc064d27e993244b

Download Submit
\Windows\SysWOW64\ODBCJET.exe

Filesize
16KB

MD5
8e6613a2564e99d98781a795f4cc57ce

SHA1
2e29210e55235f5a9a5b8c0120b9682c08318465

SHA256
b32e99e981523dc367b400352de5a13930171675d3d5f8e83a6d7ab3e2689144

SHA512
89db3fccc2bb4c5fda977068b7d74cf7f8561c741bec87ded905888c7d4e664896346b7fcabea59e869dbefd5bafc239b85294b800fcc9b2bf241b931af2458a

Download Submit
memory/2716-25-0x0000000000250000-0x0000000000268000-memory.dmp

Filesize
96KB

Download
memory/2716-24-0x0000000000250000-0x0000000000268000-memory.dmp

Filesize
96KB

Download
memory/2716-37-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2716-23-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2716-21-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2716-20-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2740-34-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2844-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2844-1-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2844-38-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download