fd69536c7dbb3e3b3d89a3092ad62484d2f8e1f5aa403354d336245419554449

Analysis

max time kernel
150s
max time network
148s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04/02/2024, 12:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_e8679276e4c35acbe643ede4637b1ae3.exe
Size

435KB
MD5

e8679276e4c35acbe643ede4637b1ae3
SHA1

97f6466864c55792ec47b8fa250f52d114ab01f0
SHA256

fd69536c7dbb3e3b3d89a3092ad62484d2f8e1f5aa403354d336245419554449
SHA512

134a28adead044b06f76aa7505a866585b2e8337a43f559e64897845aa86cb0c29e15a6bc9a74e05798cca080a51f8eb8776ed0dca23eaff2a8a58046972ea7f
SSDEEP

6144:fWZnu/j9gzr+NcgKMx6WPw2MUebn3RPcpX3vi3TIskwZX1QZpbbLn:Cuqzr2c/Mx6Mjcn39a3a0skYmR

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2504	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2928	edexqo.exe

Loads dropped DLL 2 IoCs

pid	Process
1948	VirusShare_e8679276e4c35acbe643ede4637b1ae3.exe
1948	VirusShare_e8679276e4c35acbe643ede4637b1ae3.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\{40C758C8-CEFB-AD4E-7138-F2B16CEAD1AC} = "C:\\Users\\Admin\\AppData\\Roaming\\Cyirsy\\edexqo.exe"	edexqo.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1948 set thread context of 2504	1948	VirusShare_e8679276e4c35acbe643ede4637b1ae3.exe	30

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2928	edexqo.exe
2928	edexqo.exe
2928	edexqo.exe
2928	edexqo.exe
2928	edexqo.exe
2928	edexqo.exe
2928	edexqo.exe
2928	edexqo.exe
2928	edexqo.exe
2928	edexqo.exe
2928	edexqo.exe
2928	edexqo.exe
2928	edexqo.exe
2928	edexqo.exe
2928	edexqo.exe
2928	edexqo.exe
2928	edexqo.exe
2928	edexqo.exe
2928	edexqo.exe
2928	edexqo.exe
2928	edexqo.exe
2928	edexqo.exe
2928	edexqo.exe
2928	edexqo.exe
2928	edexqo.exe
2928	edexqo.exe
2928	edexqo.exe
2928	edexqo.exe
2928	edexqo.exe
2928	edexqo.exe
2928	edexqo.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1948	VirusShare_e8679276e4c35acbe643ede4637b1ae3.exe
2928	edexqo.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 2928	1948	VirusShare_e8679276e4c35acbe643ede4637b1ae3.exe	28
PID 1948 wrote to memory of 2928	1948	VirusShare_e8679276e4c35acbe643ede4637b1ae3.exe	28
PID 1948 wrote to memory of 2928	1948	VirusShare_e8679276e4c35acbe643ede4637b1ae3.exe	28
PID 1948 wrote to memory of 2928	1948	VirusShare_e8679276e4c35acbe643ede4637b1ae3.exe	28
PID 2928 wrote to memory of 1112	2928	edexqo.exe	9
PID 2928 wrote to memory of 1112	2928	edexqo.exe	9
PID 2928 wrote to memory of 1112	2928	edexqo.exe	9
PID 2928 wrote to memory of 1112	2928	edexqo.exe	9
PID 2928 wrote to memory of 1112	2928	edexqo.exe	9
PID 2928 wrote to memory of 1172	2928	edexqo.exe	8
PID 2928 wrote to memory of 1172	2928	edexqo.exe	8
PID 2928 wrote to memory of 1172	2928	edexqo.exe	8
PID 2928 wrote to memory of 1172	2928	edexqo.exe	8
PID 2928 wrote to memory of 1172	2928	edexqo.exe	8
PID 2928 wrote to memory of 1212	2928	edexqo.exe	7
PID 2928 wrote to memory of 1212	2928	edexqo.exe	7
PID 2928 wrote to memory of 1212	2928	edexqo.exe	7
PID 2928 wrote to memory of 1212	2928	edexqo.exe	7
PID 2928 wrote to memory of 1212	2928	edexqo.exe	7
PID 2928 wrote to memory of 804	2928	edexqo.exe	5
PID 2928 wrote to memory of 804	2928	edexqo.exe	5
PID 2928 wrote to memory of 804	2928	edexqo.exe	5
PID 2928 wrote to memory of 804	2928	edexqo.exe	5
PID 2928 wrote to memory of 804	2928	edexqo.exe	5
PID 2928 wrote to memory of 1948	2928	edexqo.exe	12
PID 2928 wrote to memory of 1948	2928	edexqo.exe	12
PID 2928 wrote to memory of 1948	2928	edexqo.exe	12
PID 2928 wrote to memory of 1948	2928	edexqo.exe	12
PID 2928 wrote to memory of 1948	2928	edexqo.exe	12
PID 1948 wrote to memory of 2504	1948	VirusShare_e8679276e4c35acbe643ede4637b1ae3.exe	30
PID 1948 wrote to memory of 2504	1948	VirusShare_e8679276e4c35acbe643ede4637b1ae3.exe	30
PID 1948 wrote to memory of 2504	1948	VirusShare_e8679276e4c35acbe643ede4637b1ae3.exe	30
PID 1948 wrote to memory of 2504	1948	VirusShare_e8679276e4c35acbe643ede4637b1ae3.exe	30
PID 1948 wrote to memory of 2504	1948	VirusShare_e8679276e4c35acbe643ede4637b1ae3.exe	30
PID 1948 wrote to memory of 2504	1948	VirusShare_e8679276e4c35acbe643ede4637b1ae3.exe	30
PID 1948 wrote to memory of 2504	1948	VirusShare_e8679276e4c35acbe643ede4637b1ae3.exe	30
PID 1948 wrote to memory of 2504	1948	VirusShare_e8679276e4c35acbe643ede4637b1ae3.exe	30
PID 1948 wrote to memory of 2504	1948	VirusShare_e8679276e4c35acbe643ede4637b1ae3.exe	30

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:804

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212
- C:\Users\Admin\AppData\Local\Temp\VirusShare_e8679276e4c35acbe643ede4637b1ae3.exe
  "C:\Users\Admin\AppData\Local\Temp\VirusShare_e8679276e4c35acbe643ede4637b1ae3.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Users\Admin\AppData\Roaming\Cyirsy\edexqo.exe
    "C:\Users\Admin\AppData\Roaming\Cyirsy\edexqo.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:2928
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpc52c96c8.bat"
    3⤵
    - Deletes itself
    PID:2504

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1172

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpc52c96c8.bat

Filesize
265B

MD5
e26955ab24390819a0484888b0a20274

SHA1
d16811f3a06f22842256d759b4ab7353c5db1584

SHA256
b16e1c5abffd45ae0d57adb96e93167273a8a3bef99025cdc1a1ea05137156b0

SHA512
dc0e612e254fb36ee02f2075a7731aecfdd61b54b798df49fc8c4131340aa6257d5d057a8e513a0017cf1da9c953d41597aa0a1379465e0ba9abfcf5bb4cc90a

Download Submit
C:\Users\Admin\AppData\Roaming\Cyirsy\edexqo.exe

Filesize
61KB

MD5
a335791b0245785504bd13f41b6c5902

SHA1
f066497c89d9f4b04d033ceb7d68ae791718a175

SHA256
26223602d0c1d78dffa04f7382a4efdbc70c777460a175df21169be9fe611813

SHA512
829dff24bba00fe7e5d0c15c6f0f1d5fe4210bd09a74cf20794d2bf5b5273866b65f3f81ba1ac0abc3b3617c42055cb3bfd8ffbf10d85dcc92ae7437f08e465b

Download Submit
C:\Users\Admin\AppData\Roaming\Cyirsy\edexqo.exe

Filesize
111KB

MD5
3c41465a929d94f18bd087d5db2e4c73

SHA1
d60ed2377faf977aa824d58d1e70d3cca905598d

SHA256
6269caae5abec1613a6f72625d3d84c21fb4f3f539c7fce87e82e207a89f8fbe

SHA512
b55abdb1f7e4332af2ece4d0b5df3deb4f25ef2e6bf818aaafb4ba53f2e988f3e6c538e1ed1b9e7cae1b44948eb24c66c5d3242c460543fee13f91b7e093d8e9

Download Submit
C:\Users\Admin\AppData\Roaming\Cyirsy\edexqo.exe

Filesize
157KB

MD5
3a16bec2f6fb2ae2b4dd3373399217e3

SHA1
dfdecdf76442289be649c33f7c51a1657040327d

SHA256
3d419b1e8ee4d5b2813a025f2481aa824221fd8f05e8b65669ed278ecc1f375f

SHA512
fed1bc92180fcb08edb84ee6c501e2707a07e9cb665c0f12e5137a60515c3a617b6844d519d25ffd7f6b63f89080f7e48593d5a9db1b0a7fa25e49cd307f7739

Download Submit
\Users\Admin\AppData\Roaming\Cyirsy\edexqo.exe

Filesize
146KB

MD5
dce37e63ac3b423d3b1acfb10dacbbf5

SHA1
d8d3429c32dd5d1aea50477ed04386c0e1b20cc3

SHA256
5dba3b526db5f95471e38422b276d94cd50ee9dc5d1590dec098142b71bfe65c

SHA512
860309d4a1e58add6610aae53aa0aae1fbff8a6273a70436bbb73ddbb8a50508404449509c917c756330e335dfc578854c358c2296e837e4374cfca2cd5d7190

Download Submit
\Users\Admin\AppData\Roaming\Cyirsy\edexqo.exe

Filesize
101KB

MD5
8b0d25a8239cb59545575a6b7f798bc7

SHA1
cdd430a9d25a6e8f2e0f0d2650e653cbcd5cc79d

SHA256
e6ef176237796646f8a39b4b39ba85dd821f2fee10a759faff8ed44ff38dc3d0

SHA512
9504d96a16d793cfbe01ef9bcf313cb36fd216215904195257a6dd8466ff109558b2dc55fb401e8909fe265738ee55e3cb9e3553e92b36a13ca2a4630ee8c69a

Download Submit
memory/804-43-0x00000000004B0000-0x00000000004FC000-memory.dmp

Filesize
304KB

Download
memory/804-44-0x00000000004B0000-0x00000000004FC000-memory.dmp

Filesize
304KB

Download
memory/804-45-0x00000000004B0000-0x00000000004FC000-memory.dmp

Filesize
304KB

Download
memory/804-46-0x00000000004B0000-0x00000000004FC000-memory.dmp

Filesize
304KB

Download
memory/1112-25-0x0000000000210000-0x000000000025C000-memory.dmp

Filesize
304KB

Download
memory/1112-23-0x0000000000210000-0x000000000025C000-memory.dmp

Filesize
304KB

Download
memory/1112-21-0x0000000000210000-0x000000000025C000-memory.dmp

Filesize
304KB

Download
memory/1112-16-0x0000000000210000-0x000000000025C000-memory.dmp

Filesize
304KB

Download
memory/1112-19-0x0000000000210000-0x000000000025C000-memory.dmp

Filesize
304KB

Download
memory/1172-29-0x0000000002010000-0x000000000205C000-memory.dmp

Filesize
304KB

Download
memory/1172-31-0x0000000002010000-0x000000000205C000-memory.dmp

Filesize
304KB

Download
memory/1172-33-0x0000000002010000-0x000000000205C000-memory.dmp

Filesize
304KB

Download
memory/1172-35-0x0000000002010000-0x000000000205C000-memory.dmp

Filesize
304KB

Download
memory/1212-41-0x00000000025E0000-0x000000000262C000-memory.dmp

Filesize
304KB

Download
memory/1212-38-0x00000000025E0000-0x000000000262C000-memory.dmp

Filesize
304KB

Download
memory/1212-39-0x00000000025E0000-0x000000000262C000-memory.dmp

Filesize
304KB

Download
memory/1212-40-0x00000000025E0000-0x000000000262C000-memory.dmp

Filesize
304KB

Download
memory/1948-69-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/1948-1-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1948-154-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1948-67-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/1948-65-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/1948-63-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/1948-61-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/1948-59-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/1948-57-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/1948-56-0x0000000000450000-0x000000000049C000-memory.dmp

Filesize
304KB

Download
memory/1948-54-0x0000000000450000-0x000000000049C000-memory.dmp

Filesize
304KB

Download
memory/1948-52-0x0000000000450000-0x000000000049C000-memory.dmp

Filesize
304KB

Download
memory/1948-50-0x0000000000450000-0x000000000049C000-memory.dmp

Filesize
304KB

Download
memory/1948-48-0x0000000000450000-0x000000000049C000-memory.dmp

Filesize
304KB

Download
memory/1948-77-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/1948-71-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/1948-4-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1948-73-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/1948-75-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/1948-91-0x00000000778F0000-0x00000000778F1000-memory.dmp

Filesize
4KB

Download
memory/1948-0-0x0000000000360000-0x00000000003AC000-memory.dmp

Filesize
304KB

Download
memory/1948-142-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/1948-2-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1948-3-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2504-182-0x00000000000B0000-0x00000000000FC000-memory.dmp

Filesize
304KB

Download
memory/2504-231-0x00000000000B0000-0x00000000000FC000-memory.dmp

Filesize
304KB

Download
memory/2504-184-0x00000000778F0000-0x00000000778F1000-memory.dmp

Filesize
4KB

Download
memory/2928-18-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2928-15-0x0000000000280000-0x00000000002CC000-memory.dmp

Filesize
304KB

Download
memory/2928-232-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download