e77400ec0dc1935c9c71a4c40ee228ed0ce90a66e4c57a07eb7028da19377194

Analysis

max time kernel
131s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
14-02-2024 11:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9b99252dbebac2fe3e26bf459e34bf79.exe
Size

1.1MB
MD5

9b99252dbebac2fe3e26bf459e34bf79
SHA1

225b22fab848494721f147c63bdb332f0a1090d4
SHA256

e77400ec0dc1935c9c71a4c40ee228ed0ce90a66e4c57a07eb7028da19377194
SHA512

dbafae020ac7544998e5c6ccc0197abc1677fc6adc0fb04f40ddbafab872b9532dbb990e730a10ac84c2dac4022dba85d4d539df224dcf5e63e1ab1af599c223
SSDEEP

24576:x9JQmXPHNDwova20ob9kik1gyNKOf5TOXRnGHnqo:Cm/tDwova20mFxsKONe0X

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\Beep.sys	9b99252dbebac2fe3e26bf459e34bf79.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Beep.sys	9b99252dbebac2fe3e26bf459e34bf79.exe

Deletes itself 1 IoCs

pid	Process
2692	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2684	Server_Setup.exe
2800	3.exe

Loads dropped DLL 4 IoCs

pid	Process
2180	9b99252dbebac2fe3e26bf459e34bf79.exe
2684	Server_Setup.exe
2684	Server_Setup.exe
2684	Server_Setup.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\3.exe	Server_Setup.exe
File opened for modification	C:\Windows\3.exe	Server_Setup.exe
File created	C:\Windows\uninstal.bat	Server_Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2180	9b99252dbebac2fe3e26bf459e34bf79.exe
2180	9b99252dbebac2fe3e26bf459e34bf79.exe
2180	9b99252dbebac2fe3e26bf459e34bf79.exe
2180	9b99252dbebac2fe3e26bf459e34bf79.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
464	Process not Found
464	Process not Found

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2180	9b99252dbebac2fe3e26bf459e34bf79.exe
Token: SeDebugPrivilege	2180	9b99252dbebac2fe3e26bf459e34bf79.exe
Token: SeDebugPrivilege	2180	9b99252dbebac2fe3e26bf459e34bf79.exe
Token: SeDebugPrivilege	2180	9b99252dbebac2fe3e26bf459e34bf79.exe
Token: SeDebugPrivilege	2684	Server_Setup.exe
Token: SeDebugPrivilege	2800	3.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2800	3.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 2684	2180	9b99252dbebac2fe3e26bf459e34bf79.exe	28
PID 2180 wrote to memory of 2684	2180	9b99252dbebac2fe3e26bf459e34bf79.exe	28
PID 2180 wrote to memory of 2684	2180	9b99252dbebac2fe3e26bf459e34bf79.exe	28
PID 2180 wrote to memory of 2684	2180	9b99252dbebac2fe3e26bf459e34bf79.exe	28
PID 2180 wrote to memory of 2684	2180	9b99252dbebac2fe3e26bf459e34bf79.exe	28
PID 2180 wrote to memory of 2684	2180	9b99252dbebac2fe3e26bf459e34bf79.exe	28
PID 2180 wrote to memory of 2684	2180	9b99252dbebac2fe3e26bf459e34bf79.exe	28
PID 2180 wrote to memory of 2692	2180	9b99252dbebac2fe3e26bf459e34bf79.exe	30
PID 2180 wrote to memory of 2692	2180	9b99252dbebac2fe3e26bf459e34bf79.exe	30
PID 2180 wrote to memory of 2692	2180	9b99252dbebac2fe3e26bf459e34bf79.exe	30
PID 2180 wrote to memory of 2692	2180	9b99252dbebac2fe3e26bf459e34bf79.exe	30
PID 2800 wrote to memory of 604	2800	3.exe	32
PID 2800 wrote to memory of 604	2800	3.exe	32
PID 2800 wrote to memory of 604	2800	3.exe	32
PID 2800 wrote to memory of 604	2800	3.exe	32
PID 2684 wrote to memory of 3036	2684	Server_Setup.exe	33
PID 2684 wrote to memory of 3036	2684	Server_Setup.exe	33
PID 2684 wrote to memory of 3036	2684	Server_Setup.exe	33
PID 2684 wrote to memory of 3036	2684	Server_Setup.exe	33
PID 2684 wrote to memory of 3036	2684	Server_Setup.exe	33
PID 2684 wrote to memory of 3036	2684	Server_Setup.exe	33
PID 2684 wrote to memory of 3036	2684	Server_Setup.exe	33

C:\Users\Admin\AppData\Local\Temp\9b99252dbebac2fe3e26bf459e34bf79.exe
"C:\Users\Admin\AppData\Local\Temp\9b99252dbebac2fe3e26bf459e34bf79.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Users\Admin\AppData\Local\Temp\Server_Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Server_Setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\uninstal.bat
    3⤵
    PID:3036
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\~DeL!.bAt
  2⤵
  - Deletes itself
  PID:2692

C:\Windows\3.exe
C:\Windows\3.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2800
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~DeL!.bAt

Filesize
190B

MD5
d5634c7b5b13f1f02d9c6c573e054c5f

SHA1
8fa9e2944a96da60c679f7b4ce6217a0b16494db

SHA256
64e4b983b3811ff1dc13e21b72ab68f48208adb9e9eb1dd14c4bdacd804735b2

SHA512
9cf5513e8fd29db41fa2ebbfc1efa36bdbb9e044987a43c940b87484d37f6117c214c0541597b72bd069ee10801bfe4e1d0a725ebb5dbd93098a964472da3f06

Download Submit
C:\Windows\uninstal.bat

Filesize
150B

MD5
62910137f26a7556f8455428a5552794

SHA1
ccc0eff43a5d1a26a6bf96f592782b1089249cf6

SHA256
f419ad8b229fc195a23cb31b21c444030053738baa5e1de8cc158746a318cedd

SHA512
a8a1a4b661caf26d13469ddd0fa54b275d668caa7846f53b4af4f6b3a1558c0689c9f8280fc1fa843671cb7638ce0bcc78cfe97035d1522781b805aa2bfcf912

Download Submit
\Users\Admin\AppData\Local\Temp\Server_Setup.exe

Filesize
743KB

MD5
b0d17bbe3fb95cd8633048e79900915e

SHA1
74cb5b4b73ae17ebb2417f8475a99e2b9724d219

SHA256
2901e9c50d188bb84b48dedcd2ee85b62d0606b50cd8812343892c9386d245b7

SHA512
0b548c3043381192bdf6a3a37a83ec24cf6ad0429a35eebc8e270e8d47330b466628334f9ec5290d07228613b2ee487c4c643d98422346a4ff11787aea06eeb7

Download Submit
memory/2180-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2180-1-0x0000000000360000-0x00000000003B4000-memory.dmp

Filesize
336KB

Download
memory/2180-2-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2180-24-0x0000000001D20000-0x0000000001D21000-memory.dmp

Filesize
4KB

Download
memory/2180-26-0x0000000001D80000-0x0000000001D81000-memory.dmp

Filesize
4KB

Download
memory/2180-25-0x0000000001D90000-0x0000000001D91000-memory.dmp

Filesize
4KB

Download
memory/2180-23-0x0000000001D30000-0x0000000001D31000-memory.dmp

Filesize
4KB

Download
memory/2180-22-0x0000000001D50000-0x0000000001D51000-memory.dmp

Filesize
4KB

Download
memory/2180-21-0x0000000001D70000-0x0000000001D71000-memory.dmp

Filesize
4KB

Download
memory/2180-20-0x0000000000470000-0x0000000000471000-memory.dmp

Filesize
4KB

Download
memory/2180-19-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/2180-18-0x00000000004B0000-0x00000000004B1000-memory.dmp

Filesize
4KB

Download
memory/2180-17-0x00000000004C0000-0x00000000004C1000-memory.dmp

Filesize
4KB

Download
memory/2180-16-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2180-15-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2180-14-0x00000000004D0000-0x00000000004D1000-memory.dmp

Filesize
4KB

Download
memory/2180-13-0x0000000000480000-0x0000000000481000-memory.dmp

Filesize
4KB

Download
memory/2180-12-0x00000000004A0000-0x00000000004A1000-memory.dmp

Filesize
4KB

Download
memory/2180-11-0x0000000003180000-0x0000000003182000-memory.dmp

Filesize
8KB

Download
memory/2180-10-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2180-9-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/2180-8-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2180-7-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2180-6-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2180-27-0x00000000031D0000-0x00000000032D0000-memory.dmp

Filesize
1024KB

Download
memory/2180-5-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2180-4-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/2180-3-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2180-29-0x00000000031D0000-0x00000000032D0000-memory.dmp

Filesize
1024KB

Download
memory/2180-30-0x00000000031D0000-0x00000000032D0000-memory.dmp

Filesize
1024KB

Download
memory/2180-32-0x00000000031D0000-0x00000000032D0000-memory.dmp

Filesize
1024KB

Download
memory/2180-31-0x00000000031D0000-0x00000000032D0000-memory.dmp

Filesize
1024KB

Download
memory/2180-33-0x00000000031D0000-0x00000000032D0000-memory.dmp

Filesize
1024KB

Download
memory/2180-34-0x00000000031D0000-0x00000000032D0000-memory.dmp

Filesize
1024KB

Download
memory/2180-36-0x00000000031D0000-0x00000000032D0000-memory.dmp

Filesize
1024KB

Download
memory/2180-35-0x00000000031D0000-0x00000000032D0000-memory.dmp

Filesize
1024KB

Download
memory/2180-37-0x00000000031D0000-0x00000000032D0000-memory.dmp

Filesize
1024KB

Download
memory/2180-38-0x00000000031D0000-0x00000000032D0000-memory.dmp

Filesize
1024KB

Download
memory/2180-39-0x00000000031D0000-0x00000000032D0000-memory.dmp

Filesize
1024KB

Download
memory/2180-40-0x00000000031D0000-0x00000000032D0000-memory.dmp

Filesize
1024KB

Download
memory/2180-41-0x00000000031D0000-0x00000000032D0000-memory.dmp

Filesize
1024KB

Download
memory/2180-42-0x00000000031D0000-0x00000000032D0000-memory.dmp

Filesize
1024KB

Download
memory/2180-43-0x00000000031D0000-0x00000000032D0000-memory.dmp

Filesize
1024KB

Download
memory/2180-45-0x00000000031D0000-0x00000000032D0000-memory.dmp

Filesize
1024KB

Download
memory/2180-48-0x00000000031D0000-0x00000000032D0000-memory.dmp

Filesize
1024KB

Download
memory/2180-49-0x00000000031D0000-0x00000000032D0000-memory.dmp

Filesize
1024KB

Download
memory/2180-50-0x00000000031D0000-0x00000000032D0000-memory.dmp

Filesize
1024KB

Download
memory/2180-51-0x00000000031D0000-0x00000000032D0000-memory.dmp

Filesize
1024KB

Download
memory/2180-52-0x00000000031D0000-0x00000000032D0000-memory.dmp

Filesize
1024KB

Download
memory/2180-53-0x00000000031D0000-0x00000000032D0000-memory.dmp

Filesize
1024KB

Download
memory/2180-54-0x00000000031D0000-0x00000000032D0000-memory.dmp

Filesize
1024KB

Download
memory/2180-55-0x00000000031D0000-0x00000000032D0000-memory.dmp

Filesize
1024KB

Download
memory/2180-56-0x00000000031D0000-0x00000000032D0000-memory.dmp

Filesize
1024KB

Download
memory/2180-57-0x00000000031D0000-0x00000000032D0000-memory.dmp

Filesize
1024KB

Download
memory/2180-59-0x00000000031D0000-0x00000000032D0000-memory.dmp

Filesize
1024KB

Download
memory/2180-58-0x00000000031D0000-0x00000000032D0000-memory.dmp

Filesize
1024KB

Download
memory/2180-60-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2180-65-0x00000000031A0000-0x00000000031A1000-memory.dmp

Filesize
4KB

Download
memory/2180-64-0x00000000031B0000-0x00000000031B1000-memory.dmp

Filesize
4KB

Download
memory/2180-63-0x00000000031C0000-0x00000000031C1000-memory.dmp

Filesize
4KB

Download
memory/2180-62-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2180-61-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2180-79-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2180-80-0x0000000000360000-0x00000000003B4000-memory.dmp

Filesize
336KB

Download
memory/2684-98-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2800-89-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download