a9aeb3985f09af2b1cc3ffc253980e7f1132c9356848aff1e05d882437b7053e

Analysis

max time kernel
140s
max time network
144s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
14/02/2024, 13:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9bc2eb9678c25c1be1deaa09d03bf46e.exe
Size

396KB
MD5

9bc2eb9678c25c1be1deaa09d03bf46e
SHA1

7adcf4d4d2d3720e6fee995c1e616f8650c979fd
SHA256

a9aeb3985f09af2b1cc3ffc253980e7f1132c9356848aff1e05d882437b7053e
SHA512

829e69fe64e406a660798a70d0b86ef6266fb76800ee0dcdeb454148139a8523fcbbcf565aae86db0d6d9cbe2074c7354e18b6e7f99ce142f792ebb699af87fe
SSDEEP

6144:jYTYO8SJlhl0TloWctfxzqbDqVJdzBst4nrSdn5uDJR8c:mYO7PhslovfxzqI/NRb

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2496	botfile.exe
2788	tmp.exe
2648	service.exe

Loads dropped DLL 4 IoCs

pid	Process
1056	9bc2eb9678c25c1be1deaa09d03bf46e.exe
1056	9bc2eb9678c25c1be1deaa09d03bf46e.exe
2496	botfile.exe
2496	botfile.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Services = "service.exe"	tmp.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\botfile.exe	9bc2eb9678c25c1be1deaa09d03bf46e.exe
File opened for modification	C:\windows\SysWOW64\botfile.exe	botfile.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\service.exe	tmp.exe
File opened for modification	C:\Windows\service.exe	tmp.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1056	9bc2eb9678c25c1be1deaa09d03bf46e.exe
2496	botfile.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1056 wrote to memory of 2496	1056	9bc2eb9678c25c1be1deaa09d03bf46e.exe	28
PID 1056 wrote to memory of 2496	1056	9bc2eb9678c25c1be1deaa09d03bf46e.exe	28
PID 1056 wrote to memory of 2496	1056	9bc2eb9678c25c1be1deaa09d03bf46e.exe	28
PID 1056 wrote to memory of 2496	1056	9bc2eb9678c25c1be1deaa09d03bf46e.exe	28
PID 2496 wrote to memory of 2788	2496	botfile.exe	29
PID 2496 wrote to memory of 2788	2496	botfile.exe	29
PID 2496 wrote to memory of 2788	2496	botfile.exe	29
PID 2496 wrote to memory of 2788	2496	botfile.exe	29
PID 2788 wrote to memory of 2648	2788	tmp.exe	30
PID 2788 wrote to memory of 2648	2788	tmp.exe	30
PID 2788 wrote to memory of 2648	2788	tmp.exe	30
PID 2788 wrote to memory of 2648	2788	tmp.exe	30

C:\Users\Admin\AppData\Local\Temp\9bc2eb9678c25c1be1deaa09d03bf46e.exe
"C:\Users\Admin\AppData\Local\Temp\9bc2eb9678c25c1be1deaa09d03bf46e.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1056
- C:\windows\SysWOW64\botfile.exe
  C:\windows\system32\botfile.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2496
- - C:\Users\Admin\AppData\Local\Temp\tmp.exe
    C:\Users\Admin\AppData\Local\Temp\tmp.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - C:\Windows\service.exe
      "C:\Windows\service.exe"
      4⤵
      Executes dropped EXE
      PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\tmp.exe

Filesize
39KB

MD5
2e85d4fc8d052018ac34873807da1edb

SHA1
7a4fb57be2b7c3240bc1bff637c689f7dece6f4e

SHA256
36cc89ec60bd39796006cf5aaca38a8fcd7f7a2baea4babd48b7a37262ce7fca

SHA512
c646377375ed43ae174fa96c93a46144ed4292023d35657ced8dcc0400ec9132d0e05b0bceb99345268a0eb63c66a945cf80b5ea36b1d174547d7f5a798febf0

Download Submit
\Windows\SysWOW64\botfile.exe

Filesize
50KB

MD5
dae317d0aea2b47548d13cf42f5449c8

SHA1
7493131dcf8f72670f4f0e8eefe01c9a3f9b95b7

SHA256
d17a006ad258a5a61338c2e90edd0248533b3c3ae9f87f2444e6a23eba5dd850

SHA512
88dd15fedab92f0892119692b59fa86401d49eb34c7ba259fb04cd0164cf41c10959555768f9f51b42e072b23bef006e4c18c03958d47a053ec00971ea39ba49

Download Submit
memory/1056-4-0x0000000001E20000-0x0000000001E2C000-memory.dmp

Filesize
48KB

Download
memory/1056-25-0x0000000001E20000-0x0000000001E2C000-memory.dmp

Filesize
48KB

Download
memory/2496-11-0x0000000000400000-0x000000000040BCD5-memory.dmp

Filesize
47KB

Download
memory/2496-14-0x0000000000400000-0x000000000040BCD5-memory.dmp

Filesize
47KB

Download
memory/2496-24-0x0000000000400000-0x000000000040BCD5-memory.dmp

Filesize
47KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads