72c29d9c210edf63cf98a767dee021dc7f006ece99121bbd1962742e17aa892f

Analysis

max time kernel
125s
max time network
128s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
14/02/2024, 06:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9b0994eba2a00e1f2433fec1c31126d3.exe
Size

689KB
MD5

9b0994eba2a00e1f2433fec1c31126d3
SHA1

8a2c9e1fb49cb178a32f07bc2af86123ce521b6d
SHA256

72c29d9c210edf63cf98a767dee021dc7f006ece99121bbd1962742e17aa892f
SHA512

6bc8eefa3e19ef123a9c9a03f72fa8dd6fe8e44bbbe844ace619f0c00ad0d96366e03a2189b78e98ecb4f524582aba6179d8f931f83b32a9d469827143af0008
SSDEEP

6144:oJ82asJfnlAJwT71w+DtmVlTWw8oY4JHfTcE6sTNrCMHJeTBh+:oOWJ8wT7SoScCY4JHLcElTNm8eT

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2896	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
1712	9b0994eba2a00e1f2433fec1c31126d3.exe

Drops file in System32 directory 44 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\LEbnApl\MWfGLbQm.dll	svchost.exe
File created	C:\Windows\SysWOW64\YEEmSSL\BNbYtwSd.dll	svchost.exe
File created	C:\Windows\SysWOW64\uVSMHvE\KouKMP.dll	svchost.exe
File created	C:\Windows\SysWOW64\KThQdiI\bpYRvQQ.dll	svchost.exe
File created	C:\Windows\SysWOW64\wOuMhLm\EFBFuLIL.dll	svchost.exe
File created	C:\Windows\SysWOW64\yHJgdkb\JfJdsG.dll	svchost.exe
File created	C:\Windows\SysWOW64\cNeBTIx\YMtnTBi.dll	svchost.exe
File created	C:\Windows\SysWOW64\cNeBTIx\BMxHgBV.dll	svchost.exe
File created	C:\Windows\SysWOW64\IauLVOU\qbFhChkm.dll	svchost.exe
File created	C:\Windows\SysWOW64\AenWWEG\ILxGURHN.dll	svchost.exe
File created	C:\Windows\SysWOW64\VOtNeGu\NUFwie.dll	svchost.exe
File created	C:\Windows\SysWOW64\LEbnApl\FCVDJtG.dll	svchost.exe
File created	C:\Windows\SysWOW64\AenWWEG\sqrDIMKJ.dll	svchost.exe
File created	C:\Windows\SysWOW64\giDeHLuY\BtaqLXVh.dll	svchost.exe
File created	C:\Windows\SysWOW64\BNXcmpU\kiUlxXC.dll	svchost.exe
File created	C:\Windows\SysWOW64\KThQdiI\QPPaQHnh.dll	svchost.exe
File created	C:\Windows\SysWOW64\FdLjELs\QwRllvmT.dll	svchost.exe
File created	C:\Windows\SysWOW64\uVSMHvE\oaXCGx.dll	svchost.exe
File created	C:\Windows\SysWOW64\ROQJGso\TEXvTEUt.dll	svchost.exe
File created	C:\Windows\SysWOW64\SqNUHiN\dGRHfs.dll	svchost.exe
File created	C:\Windows\SysWOW64\jVJCGNO\GdQPWK.dll	svchost.exe
File created	C:\Windows\SysWOW64\rhLqIIy\QTSTdJGR.dll	svchost.exe
File created	C:\Windows\SysWOW64\FdLjELs\EJFGoTM.dll	svchost.exe
File created	C:\Windows\SysWOW64\hAGmLVh\UPtaejo.dll	svchost.exe
File created	C:\Windows\SysWOW64\cHCsBei\rRLPOu.dll	svchost.exe
File created	C:\Windows\SysWOW64\SqNUHiN\OIWyyKoy.dll	svchost.exe
File created	C:\Windows\SysWOW64\rSIKjYU\uXndfYW.dll	svchost.exe
File created	C:\Windows\SysWOW64\cHCsBei\tXXsqqRi.dll	svchost.exe
File created	C:\Windows\SysWOW64\ROQJGso\gLJAqr.dll	svchost.exe
File created	C:\Windows\SysWOW64\rSIKjYU\FWypdWTG.dll	svchost.exe
File created	C:\Windows\SysWOW64\BNXcmpU\Hlilrds.dll	svchost.exe
File created	C:\Windows\SysWOW64\EdtATKJ\NvsAOMaL.dll	svchost.exe
File created	C:\Windows\SysWOW64\phoFNgK\kXfbTih.dll	svchost.exe
File created	C:\Windows\SysWOW64\phoFNgK\HlwgUMj.dll	svchost.exe
File created	C:\Windows\SysWOW64\YEEmSSL\xxyfKb.dll	svchost.exe
File created	C:\Windows\SysWOW64\yHJgdkb\IHevKDnf.dll	svchost.exe
File created	C:\Windows\SysWOW64\hAGmLVh\ICnUiWGB.dll	svchost.exe
File created	C:\Windows\SysWOW64\rhLqIIy\sSgNdrH.dll	svchost.exe
File created	C:\Windows\SysWOW64\wOuMhLm\lNGQLUux.dll	svchost.exe
File created	C:\Windows\SysWOW64\VOtNeGu\DplaVj.dll	svchost.exe
File created	C:\Windows\SysWOW64\giDeHLuY\GdphyST.dll	svchost.exe
File created	C:\Windows\SysWOW64\IauLVOU\tltAMFH.dll	svchost.exe
File created	C:\Windows\SysWOW64\jVJCGNO\XGjrpI.dll	svchost.exe
File created	C:\Windows\SysWOW64\EdtATKJ\hhwbOCj.dll	svchost.exe

Drops file in Program Files directory 41 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\tnUcrCvA\XYldXkYl.dll	svchost.exe
File created	C:\Program Files (x86)\gQJKVvBM\nQlNxRW.dll	svchost.exe
File created	C:\Program Files (x86)\nHQCDva\RVbrgVB.dll	svchost.exe
File created	C:\Program Files (x86)\HNPSKtOI\PLNnpxPI.dll	svchost.exe
File created	C:\Program Files (x86)\REOpkaKh\gkyDPX.dll	svchost.exe
File created	C:\Program Files (x86)\LUpatsfU\bODCQJ.dll	svchost.exe
File created	C:\Program Files (x86)\vQAbSKE\RyOGHhEN.dll	svchost.exe
File created	C:\Program Files (x86)\LUpatsfU\qeUhUW.dll	svchost.exe
File created	C:\Program Files (x86)\DOeeKlUb\xWeaCqbk.dll	svchost.exe
File created	C:\Program Files (x86)\YUETUoaG\LkKXdqS.dll	svchost.exe
File created	C:\Program Files (x86)\HNPSKtOI\YEXJNG.dll	svchost.exe
File created	C:\Program Files (x86)\DTRQvfkM\GojxJY.dll	svchost.exe
File created	C:\Program Files (x86)\VfKgikVa\oXyRPle.dll	svchost.exe
File created	C:\Program Files (x86)\WSvjQdbg\aBLHWfx.dll	svchost.exe
File created	C:\Program Files (x86)\hhJLxuPF\lLthLr.dll	svchost.exe
File created	C:\Program Files (x86)\MEFshiQB\xkrWEVJd.dll	svchost.exe
File created	C:\Program Files (x86)\cSGmbEj\UQKRLJX.dll	svchost.exe
File created	C:\Program Files (x86)\REOpkaKh\yCmTpd.dll	svchost.exe
File created	C:\Program Files (x86)\VfKgikVa\YjXEYo.dll	svchost.exe
File created	C:\Program Files (x86)\YUETUoaG\LkSmxt.dll	svchost.exe
File created	C:\Program Files (x86)\DTRQvfkM\WirqcAYL.dll	svchost.exe
File created	C:\Program Files (x86)\kGNaWxRa\xlWWGLBl.dll	svchost.exe
File created	C:\Program Files (x86)\AVDWTXdp\hhaPtBF.dll	svchost.exe
File created	C:\Program Files (x86)\BXhAvAnl\KJVDUdw.dll	svchost.exe
File created	C:\Program Files (x86)\tnUcrCvA\oxMeSy.dll	svchost.exe
File created	C:\Program Files (x86)\EvWoOpsF\doVoObk.dll	svchost.exe
File created	C:\Program Files (x86)\EvWoOpsF\aPKJBKq.dll	svchost.exe
File created	C:\Program Files (x86)\keDEKFok\WtQvNK.dll	svchost.exe
File created	C:\Program Files (x86)\MEFshiQB\AaLBfg.dll	svchost.exe
File created	C:\Program Files (x86)\bsYvRULI\aUmgyH.dll	svchost.exe
File created	C:\Program Files (x86)\DOeeKlUb\BFvSyGRU.dll	svchost.exe
File created	C:\Program Files (x86)\keDEKFok\QnGTiB.dll	svchost.exe
File created	C:\Program Files (x86)\kGNaWxRa\dNTRnuO.dll	svchost.exe
File created	C:\Program Files (x86)\nHQCDva\hoWcRuy.dll	svchost.exe
File created	C:\Program Files (x86)\bsYvRULI\fIvdHUf.dll	svchost.exe
File created	C:\Program Files (x86)\vQAbSKE\CfBVJRr.dll	svchost.exe
File created	C:\Program Files (x86)\AVDWTXdp\MYiyVavn.dll	svchost.exe
File created	C:\Program Files (x86)\BXhAvAnl\VnkHeIj.dll	svchost.exe
File created	C:\Program Files (x86)\gQJKVvBM\RMOQiC.dll	svchost.exe
File created	C:\Program Files (x86)\WSvjQdbg\TDJJkWyt.dll	svchost.exe
File created	C:\Program Files (x86)\hhJLxuPF\sMYVRtXV.dll	svchost.exe

Drops file in Windows directory 32 IoCs

description	ioc	Process
File created	C:\Windows\aTEjTIYH\LqSmCYE.dll	svchost.exe
File created	C:\Windows\UNcsTqjv\OCXdXlM.dll	svchost.exe
File opened for modification	C:\Windows\PnnYspR\pGftYwlG.dll	svchost.exe
File created	C:\Windows\xyIwVfQo\sWpDSCPR.dll	svchost.exe
File created	C:\Windows\WeMtouYt\UHpwLOQ.dll	svchost.exe
File created	C:\Windows\aTEjTIYH\tNBljBn.dll	svchost.exe
File created	C:\Windows\NHFanmDd\wReHKSH.dll	svchost.exe
File created	C:\Windows\CqqJTRpq\BCxmoRwG.dll	svchost.exe
File created	C:\Windows\WeMtouYt\BqAiEOU.dll	svchost.exe
File created	C:\Windows\HXPNnmqN\IVKyxBAo.dll	svchost.exe
File created	C:\Windows\huhHlwdG\jakEqi.dll	svchost.exe
File created	C:\Windows\puPIPRR.dll	9b0994eba2a00e1f2433fec1c31126d3.exe
File created	C:\Windows\MDjqaTsI\GvqJbGm.dll	svchost.exe
File created	C:\Windows\RWhRjGtr\VCTfTN.dll	svchost.exe
File created	C:\Windows\RWhRjGtr\HEObRTh.dll	svchost.exe
File created	C:\Windows\wMOdtuaR\idUwNPYE.dll	svchost.exe
File created	C:\Windows\BPUMOeJE\FQsyAmtx.dll	svchost.exe
File created	C:\Windows\BPUMOeJE\Sliims.dll	svchost.exe
File created	C:\Windows\MDjqaTsI\opmXftu.dll	svchost.exe
File created	C:\Windows\iriEsfbe\cGTSbO.dll	svchost.exe
File created	C:\Windows\wMOdtuaR\yvOHwgIN.dll	svchost.exe
File created	C:\Windows\huhHlwdG\EIpMBjn.dll	svchost.exe
File created	C:\Windows\UNcsTqjv\bnPmaT.dll	svchost.exe
File created	C:\Windows\KEBMYIy.dll	svchost.exe
File created	C:\Windows\CqqJTRpq\xPqsPvyr.dll	svchost.exe
File created	C:\Windows\iriEsfbe\VRSxJHp.dll	svchost.exe
File created	C:\Windows\NHFanmDd\iBiMrOIp.dll	svchost.exe
File created	C:\Windows\tHTINUok\EEgIcT.dll	svchost.exe
File created	C:\Windows\HXPNnmqN\GFshNf.dll	svchost.exe
File created	C:\Windows\PnnYspR\pGftYwlG.dll	svchost.exe
File created	C:\Windows\xyIwVfQo\oStXPO.dll	svchost.exe
File created	C:\Windows\tHTINUok\unkUnUHW.dll	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2896	svchost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 2896	1712	9b0994eba2a00e1f2433fec1c31126d3.exe	28
PID 1712 wrote to memory of 2896	1712	9b0994eba2a00e1f2433fec1c31126d3.exe	28
PID 1712 wrote to memory of 2896	1712	9b0994eba2a00e1f2433fec1c31126d3.exe	28
PID 1712 wrote to memory of 2896	1712	9b0994eba2a00e1f2433fec1c31126d3.exe	28

C:\Users\Admin\AppData\Local\Temp\9b0994eba2a00e1f2433fec1c31126d3.exe
"C:\Users\Admin\AppData\Local\Temp\9b0994eba2a00e1f2433fec1c31126d3.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Users\Admin\AppData\Local\qJXfJY\svchost.exe
  "C:\Users\Admin\AppData\Local\qJXfJY\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\qJXfJY\svchost.exe

Filesize
696KB

MD5
b3b948c1b14775b4e182c11924c1a9ba

SHA1
4ea1bca40fa6afc8d6de751d72d5e7c1c81d145e

SHA256
f36254f1269ac1c1e228fe0df7039975924795523e15426b3a0a173b3ecf173b

SHA512
89eeddd81f9e3979b4d95981885d39c8329b7a616197709b694f198bac30097c284223c4a6aea9b85d12995a6cb2c4bfd0bc33466ae7ec75f7c61a8853d24753

Download Submit
memory/1712-0-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1712-7-0x00000000004A0000-0x0000000000500000-memory.dmp

Filesize
384KB

Download
memory/1712-10-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1712-14-0x00000000004A0000-0x0000000000500000-memory.dmp

Filesize
384KB

Download
memory/2896-15-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2896-520-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download