db77492fa4252b11118eb3cf1d38683bf36cba4d6775aa68f88455a875e97d8c

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
25-02-2024 05:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2fcaf8a8eb2c4eb8e105a1c96ef7396.exe
Size

466KB
MD5

a2fcaf8a8eb2c4eb8e105a1c96ef7396
SHA1

5b9c7b5d2fe92e32c25c670829652d9e9450a0a8
SHA256

db77492fa4252b11118eb3cf1d38683bf36cba4d6775aa68f88455a875e97d8c
SHA512

16210652f02666bafed97a22eb4f15f3db32f0d8c6ac9731137ebc1b6ddb4452dbc8cab129808074892cc0b374d00936b8dc080a8c713ee66187bb7705c503f8
SSDEEP

6144:4uaFmrZC9YOtyRkPyn9uA5TQfJAGUImt9SV72iEeTBR0:49WZC9txPyQAKUImTj5eTv

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2480	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
2908	a2fcaf8a8eb2c4eb8e105a1c96ef7396.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\oTfIdUL\jYOkLA.dll	svchost.exe
File created	C:\Windows\SysWOW64\GTBVKh\DIBwUsp.dll	svchost.exe
File created	C:\Windows\SysWOW64\wcthQT\JmMUfNp.dll	svchost.exe
File created	C:\Windows\SysWOW64\NoRSbAq\XitsVLL.dll	svchost.exe
File created	C:\Windows\SysWOW64\SfjGIIR\HgTDGYb.dll	svchost.exe
File created	C:\Windows\SysWOW64\xMKqYO\nuchLgYP.dll	svchost.exe
File created	C:\Windows\SysWOW64\bNVqHVOQ\icPedXcr.dll	svchost.exe
File created	C:\Windows\SysWOW64\BBHJvPeg\OUuJjN.dll	svchost.exe
File created	C:\Windows\SysWOW64\dUxwEM\iusAOFH.dll	svchost.exe
File created	C:\Windows\SysWOW64\uqjFeo\VFkWWMr.dll	svchost.exe
File created	C:\Windows\SysWOW64\pLBnFc\TKVNmwRm.dll	svchost.exe
File created	C:\Windows\SysWOW64\lcBTlq\UYGISUt.dll	svchost.exe
File created	C:\Windows\SysWOW64\GJsBRd\jhmTMk.dll	svchost.exe
File created	C:\Windows\SysWOW64\cRPvDGv\WulvFxM.dll	svchost.exe
File created	C:\Windows\SysWOW64\JggAsI\qpeCtg.dll	svchost.exe
File created	C:\Windows\SysWOW64\GWWOqQ\mHiQewBc.dll	svchost.exe
File created	C:\Windows\SysWOW64\JsOCTn\dNxIYY.dll	svchost.exe
File created	C:\Windows\SysWOW64\XCvmMa\EWXuQhsY.dll	svchost.exe
File created	C:\Windows\SysWOW64\qrPbqN\qwNwevJ.dll	svchost.exe
File created	C:\Windows\SysWOW64\dnEWMXl\toGAaB.dll	svchost.exe
File created	C:\Windows\SysWOW64\QRXHDmFB\BwNITNgU.dll	svchost.exe
File created	C:\Windows\SysWOW64\pDQfbEJK\JxoDVPeN.dll	svchost.exe
File created	C:\Windows\SysWOW64\AQqARs\cDrJlEpp.dll	svchost.exe
File created	C:\Windows\SysWOW64\sOFIUYD\YIEERDOO.dll	svchost.exe
File created	C:\Windows\SysWOW64\eHNPthTC\agYLMx.dll	svchost.exe
File created	C:\Windows\SysWOW64\aYJUkJ\HIeNmd.dll	svchost.exe
File created	C:\Windows\SysWOW64\OUPCsSHn\yMLWYq.dll	svchost.exe
File created	C:\Windows\SysWOW64\QnVfeLir\GcYTWO.dll	svchost.exe
File created	C:\Windows\SysWOW64\CXtUQvqB\JhhiXL.dll	svchost.exe
File created	C:\Windows\SysWOW64\tRJRtI\AhQeKCgK.dll	svchost.exe
File created	C:\Windows\SysWOW64\JnvhRBs\ROGCsRGT.dll	svchost.exe
File created	C:\Windows\SysWOW64\IHXVAwJ\qLwRJg.dll	svchost.exe
File created	C:\Windows\SysWOW64\EmWUKis\MVQDKVO.dll	svchost.exe
File created	C:\Windows\SysWOW64\vkwkMPWb\MLTvpkG.dll	svchost.exe
File created	C:\Windows\SysWOW64\teiskxOR\DxTPbuH.dll	svchost.exe
File created	C:\Windows\SysWOW64\qtCEMn\JJBGkK.dll	svchost.exe
File created	C:\Windows\SysWOW64\bEabaI\NaxgrnJY.dll	svchost.exe
File created	C:\Windows\SysWOW64\QPHWnVCl\IXAMaAF.dll	svchost.exe
File created	C:\Windows\SysWOW64\sNDYKO\eNAUSTY.dll	svchost.exe
File created	C:\Windows\SysWOW64\AUPMCFr\GFfxtkG.dll	svchost.exe
File created	C:\Windows\SysWOW64\MFmCSSlD\jeXduvWb.dll	svchost.exe
File created	C:\Windows\SysWOW64\LKIsqA\AjLJah.dll	svchost.exe
File created	C:\Windows\SysWOW64\wcnjkTY\vYMsRBA.dll	svchost.exe
File created	C:\Windows\SysWOW64\NnpEmhqv\WqgSVEe.dll	svchost.exe
File created	C:\Windows\SysWOW64\vkwkMPWb\qAQhwxhk.dll	svchost.exe
File created	C:\Windows\SysWOW64\uqkocG\oTINtOkF.dll	svchost.exe
File created	C:\Windows\SysWOW64\mwadXMJM\PvWYrbvA.dll	svchost.exe
File created	C:\Windows\SysWOW64\dSJUja\jFSeXWDp.dll	svchost.exe
File created	C:\Windows\SysWOW64\KYRESu\lVTWnsK.dll	svchost.exe
File created	C:\Windows\SysWOW64\JggAsI\MVOPsF.dll	svchost.exe
File created	C:\Windows\SysWOW64\IwmojbG\gXbvJn.dll	svchost.exe
File created	C:\Windows\SysWOW64\HlqVlrSr\SEyLNo.dll	svchost.exe
File created	C:\Windows\SysWOW64\eeYqRsAk\GskHaq.dll	svchost.exe
File created	C:\Windows\SysWOW64\xMKqYO\NHJSDcK.dll	svchost.exe
File created	C:\Windows\SysWOW64\stbaOi\kAuXEMAN.dll	svchost.exe
File created	C:\Windows\SysWOW64\KAyLsosF\OXYsDRM.dll	svchost.exe
File created	C:\Windows\SysWOW64\nhuIsJHk\rrJlXaf.dll	svchost.exe
File created	C:\Windows\SysWOW64\tWiyeqf\jbCSCdoP.dll	svchost.exe
File created	C:\Windows\SysWOW64\LOGvUv\eYACATaG.dll	svchost.exe
File created	C:\Windows\SysWOW64\MRbGLofl\DpXYYt.dll	svchost.exe
File created	C:\Windows\SysWOW64\Mfxxowei\iPpNCfQv.dll	svchost.exe
File created	C:\Windows\SysWOW64\gPgoxIvR\LKGYIEna.dll	svchost.exe
File created	C:\Windows\SysWOW64\KysRMiUT\RUMmyK.dll	svchost.exe
File created	C:\Windows\SysWOW64\tRJRtI\mXhjEeE.dll	svchost.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\pIVwgG\QSqjApLH.dll	svchost.exe
File created	C:\Program Files (x86)\OXCMiP\PyJHBEea.dll	svchost.exe
File created	C:\Program Files (x86)\CaHEpRyw\BWSELXtJ.dll	svchost.exe
File created	C:\Program Files (x86)\nvxYJGRl\uVEqBS.dll	svchost.exe
File created	C:\Program Files (x86)\FLPwWcq\StfmYUy.dll	svchost.exe
File created	C:\Program Files (x86)\fUtByS\OoQNTC.dll	svchost.exe
File created	C:\Program Files (x86)\IUpQpXKk\yVULdJX.dll	svchost.exe
File created	C:\Program Files (x86)\HUrNOKpG\PPpyfrfJ.dll	svchost.exe
File created	C:\Program Files (x86)\ugBmwv\gUnnYPcp.dll	svchost.exe
File created	C:\Program Files (x86)\GxsyViD\MMmppd.dll	svchost.exe
File created	C:\Program Files (x86)\qSbqGTa\jaSNut.dll	svchost.exe
File created	C:\Program Files (x86)\rOpUorTr\HgfRiDCq.dll	svchost.exe
File created	C:\Program Files (x86)\LEbqqUL\wjIrYCo.dll	svchost.exe
File created	C:\Program Files (x86)\JSLFdRf\wVKgukJ.dll	svchost.exe
File created	C:\Program Files (x86)\thTfJOhS\FFYRdLe.dll	svchost.exe
File created	C:\Program Files (x86)\cTVOfWgA\QKGsniA.dll	svchost.exe
File created	C:\Program Files (x86)\KvgQHxqK\QYFwVe.dll	svchost.exe
File created	C:\Program Files (x86)\Gduvqww\bEWJWeFE.dll	svchost.exe
File created	C:\Program Files (x86)\VFAlmUWR\WjPLnToh.dll	svchost.exe
File created	C:\Program Files (x86)\PkbwRj\ltjqKgns.dll	svchost.exe
File created	C:\Program Files (x86)\bMfcUEU\MPEdDmCS.dll	svchost.exe
File created	C:\Program Files (x86)\bEAGILD\BGcSknB.dll	svchost.exe
File created	C:\Program Files (x86)\PlfMrEW\dctjQO.dll	svchost.exe
File created	C:\Program Files (x86)\SkdlASBj\hEvuMrC.dll	svchost.exe
File created	C:\Program Files (x86)\vAoEoY\KoCxjer.dll	svchost.exe
File created	C:\Program Files (x86)\uWYJSMq\bdABnF.dll	svchost.exe
File created	C:\Program Files (x86)\alYONOj\JoXeLFRC.dll	svchost.exe
File created	C:\Program Files (x86)\dUrRVH\YsBBCYb.dll	svchost.exe
File created	C:\Program Files (x86)\CnOEepc\QQQSMeDp.dll	svchost.exe
File created	C:\Program Files (x86)\GBCECGOp\eWWFmUUB.dll	svchost.exe
File created	C:\Program Files (x86)\SRbgTUQG\bItYSWHI.dll	svchost.exe
File created	C:\Program Files (x86)\ixlBsoI\ERwrQMVk.dll	svchost.exe
File created	C:\Program Files (x86)\iXSTuq\nMgmnhV.dll	svchost.exe
File created	C:\Program Files (x86)\eGofPb\jWkOIYdX.dll	svchost.exe
File created	C:\Program Files (x86)\RCmMwfcc\aIDebAB.dll	svchost.exe
File created	C:\Program Files (x86)\EsPkgc\SxlpUo.dll	svchost.exe
File created	C:\Program Files (x86)\KSUKPIS\sInGXJG.dll	svchost.exe
File created	C:\Program Files (x86)\IFPFlUo\gwSXUcMt.dll	svchost.exe
File created	C:\Program Files (x86)\pLRCHKwg\EQfMDR.dll	svchost.exe
File created	C:\Program Files (x86)\fHjqpQkt\cXxlDM.dll	svchost.exe
File created	C:\Program Files (x86)\lmlnGDla\HskkMhtG.dll	svchost.exe
File created	C:\Program Files (x86)\VCgGfQXo\avIbui.dll	svchost.exe
File created	C:\Program Files (x86)\IdfDtTd\IcHDUtC.dll	svchost.exe
File created	C:\Program Files (x86)\WBIvwuCQ\SFoXFkwu.dll	svchost.exe
File created	C:\Program Files (x86)\TWKIJY\xRnKuc.dll	svchost.exe
File created	C:\Program Files (x86)\ktnKTA\fvNqQm.dll	svchost.exe
File created	C:\Program Files (x86)\hCwKMV\QbTpuO.dll	svchost.exe
File created	C:\Program Files (x86)\gRuyoR\uWJONbT.dll	svchost.exe
File created	C:\Program Files (x86)\VqeeHPm\peCBeQ.dll	svchost.exe
File created	C:\Program Files (x86)\TgVRAoO\AoPuET.dll	svchost.exe
File created	C:\Program Files (x86)\CPAAExwK\HroYlb.dll	svchost.exe
File created	C:\Program Files (x86)\HCKUnRs\wVGxSvRA.dll	svchost.exe
File created	C:\Program Files (x86)\UNOtXNKc\SqfSUR.dll	svchost.exe
File created	C:\Program Files (x86)\tqDOOY\HCknarj.dll	svchost.exe
File created	C:\Program Files (x86)\TSOhKeEu\PIWGTE.dll	svchost.exe
File created	C:\Program Files (x86)\clsRAo\xLMsNi.dll	svchost.exe
File created	C:\Program Files (x86)\sEkuOV\AqJsXBEl.dll	svchost.exe
File created	C:\Program Files (x86)\ugJYKyv\pqrKCeMw.dll	svchost.exe
File created	C:\Program Files (x86)\cQYwIr\SjNkWno.dll	svchost.exe
File created	C:\Program Files (x86)\ROnAKnes\yHlHKO.dll	svchost.exe
File created	C:\Program Files (x86)\OOOCQiF\KtBXNeD.dll	svchost.exe
File created	C:\Program Files (x86)\QTmiGdi\LXnCLJp.dll	svchost.exe
File created	C:\Program Files (x86)\POmaqIbG\gWWIXe.dll	svchost.exe
File created	C:\Program Files (x86)\iGwwIuH\fxKCLN.dll	svchost.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\hJGXRXG\jPWIfjLu.dll	svchost.exe
File created	C:\Windows\LNFtBWDc\DwgNHs.dll	svchost.exe
File created	C:\Windows\NYFCUnn\atfSnFYG.dll	svchost.exe
File created	C:\Windows\uVcRhdVq\usrAiMSE.dll	svchost.exe
File created	C:\Windows\jyYMGWko\eTgeRK.dll	svchost.exe
File created	C:\Windows\kRmqYuIN\TEBgBPlR.dll	svchost.exe
File created	C:\Windows\CasHNWcx\cTcsCSGH.dll	svchost.exe
File created	C:\Windows\WtJtbk\fuBNqoDy.dll	svchost.exe
File created	C:\Windows\VDcEhPV\JIEYAx.dll	svchost.exe
File created	C:\Windows\hOQEeo\Irunvl.dll	svchost.exe
File created	C:\Windows\KPXIRfi\iexiDVY.dll	svchost.exe
File created	C:\Windows\Qejumj\oBdbaOt.dll	svchost.exe
File created	C:\Windows\mdSxKDO\QPQUIlk.dll	svchost.exe
File created	C:\Windows\jKMFAJ\XMEwMN.dll	svchost.exe
File created	C:\Windows\sCURFVU\qErtUw.dll	svchost.exe
File created	C:\Windows\WeHNMB\IbNXJCHi.dll	svchost.exe
File created	C:\Windows\rbkWIx\niYUdKfB.dll	svchost.exe
File created	C:\Windows\IvWwwPlc\CNrsXFY.dll	svchost.exe
File created	C:\Windows\NxwTKqO\mqFoCcyw.dll	svchost.exe
File created	C:\Windows\BxsOMDw\dRgWCeG.dll	svchost.exe
File created	C:\Windows\sGJXKMOK\CrdBpvja.dll	svchost.exe
File created	C:\Windows\GSuESjAs\OkEtQm.dll	svchost.exe
File created	C:\Windows\xsiWjKR\erBKKc.dll	svchost.exe
File created	C:\Windows\rnekjB\TEDwHY.dll	svchost.exe
File created	C:\Windows\lgAEIVOW\uxIRER.dll	svchost.exe
File created	C:\Windows\LPUVXO\nDsESm.dll	svchost.exe
File created	C:\Windows\VDpPOIA\ugQNQQ.dll	svchost.exe
File created	C:\Windows\PORIpVm\FQsUxe.dll	svchost.exe
File created	C:\Windows\iTuxMtB\uKxOsuim.dll	svchost.exe
File created	C:\Windows\FevORVJN\RdGUXAK.dll	svchost.exe
File created	C:\Windows\xHYDQXGB\OASyiD.dll	svchost.exe
File created	C:\Windows\JIkTDUkt\bUIsIqIh.dll	svchost.exe
File created	C:\Windows\uBIuqaT\WWCviA.dll	svchost.exe
File created	C:\Windows\YEaJyYB\oFheOk.dll	svchost.exe
File created	C:\Windows\SVAEVfJx\BeKacN.dll	svchost.exe
File created	C:\Windows\LhwiPdCo\tpoAPpke.dll	svchost.exe
File created	C:\Windows\GHVCas\mQjExqs.dll	svchost.exe
File created	C:\Windows\YMNlSmD\cRbJnX.dll	svchost.exe
File created	C:\Windows\WoCGgBX\CSaWugj.dll	svchost.exe
File created	C:\Windows\EgVcHgKM\UvXGuNmW.dll	svchost.exe
File created	C:\Windows\eoIRnXv\tXcKCQEl.dll	svchost.exe
File created	C:\Windows\NxFJOVBq\bDtwVpJD.dll	svchost.exe
File created	C:\Windows\LkewGX\JonWDSSA.dll	svchost.exe
File created	C:\Windows\WjepvqS\pgtTUNwl.dll	svchost.exe
File created	C:\Windows\djeLIBD\EHvelBpI.dll	svchost.exe
File created	C:\Windows\cBUuvT\wXlIfBa.dll	svchost.exe
File created	C:\Windows\FRgaqd\LfBqSFv.dll	svchost.exe
File created	C:\Windows\EFSCuGLF\xWaYkUF.dll	svchost.exe
File created	C:\Windows\ukVWIO\NtfcHp.dll	svchost.exe
File created	C:\Windows\TwcUDr\NYigVYL.dll	svchost.exe
File created	C:\Windows\SuFCdI\THkLhG.dll	svchost.exe
File created	C:\Windows\dAMLfH\aKLpvEfc.dll	svchost.exe
File created	C:\Windows\ddtLTgA\oqTAde.dll	svchost.exe
File created	C:\Windows\wWQPhQ\YNqCgOr.dll	svchost.exe
File created	C:\Windows\PJRwUU\YqWBwOx.dll	svchost.exe
File created	C:\Windows\YrcVDr\qLlIHe.dll	svchost.exe
File created	C:\Windows\lPRkKMou\URsmYsen.dll	svchost.exe
File created	C:\Windows\QehbtqLv\uQCGMbl.dll	svchost.exe
File created	C:\Windows\RgmUWP\ckavsfRQ.dll	svchost.exe
File created	C:\Windows\SuFCdI\MOteiKmf.dll	svchost.exe
File created	C:\Windows\NlixeK\RsUOvma.dll	svchost.exe
File created	C:\Windows\NirMIIEk\cycHpvm.dll	svchost.exe
File created	C:\Windows\Caxmjf\PuUQoqND.dll	svchost.exe
File created	C:\Windows\AIhPgL\GWRgVUG.dll	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2480	svchost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 2480	2908	a2fcaf8a8eb2c4eb8e105a1c96ef7396.exe	28
PID 2908 wrote to memory of 2480	2908	a2fcaf8a8eb2c4eb8e105a1c96ef7396.exe	28
PID 2908 wrote to memory of 2480	2908	a2fcaf8a8eb2c4eb8e105a1c96ef7396.exe	28
PID 2908 wrote to memory of 2480	2908	a2fcaf8a8eb2c4eb8e105a1c96ef7396.exe	28

C:\Users\Admin\AppData\Local\Temp\a2fcaf8a8eb2c4eb8e105a1c96ef7396.exe
"C:\Users\Admin\AppData\Local\Temp\a2fcaf8a8eb2c4eb8e105a1c96ef7396.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Users\Admin\AppData\Local\Temp\TklvMD\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\TklvMD\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TklvMD\svchost.exe

Filesize
473KB

MD5
dc6b99b6df0acfeadad640304bd09346

SHA1
a5b1c52be48c1312735c9fe358b6673e3c5c6e3a

SHA256
9b9de21f4bdffbe7a090520b50e6fb8cf8fc8dea03a83f55e9451ebe7f7df89d

SHA512
db3d2e491e753e38b69fbed279c8b3262b35ca53cf3d5ace80acda92e2937667185005b3b73ab70ec62b0650b827dd3d73cf841a875f1c26d79e011ac23dc7ed

Download Submit
C:\Windows\CLOG.txt

Filesize
4KB

MD5
6590356f08767175b326fa0044503613

SHA1
f65e9052e31c3dcd448ada93ca0e2b84cfa13bac

SHA256
b9165832a1af6284199a255912c8b4164229a0cff00f0b5492c1fa1318480824

SHA512
0e3db3982fa543d7168714cf630b3cee7479ab1e39552e4a9247180054cb472ae0666f3fba78563c778890821368a06c7c66b76b0a5feeedcb513344757a100c

Download Submit
C:\Windows\CLOG.txt

Filesize
165B

MD5
c793d783a0c30dcfe67ec95eeb92a09f

SHA1
bc6062149d1198fd1f6b1b8b1339fa0d8866d326

SHA256
bd987e2d929f46a2373f761352642678282d6e39ca48130144ff87be31966bc6

SHA512
57b9af1676f5c685573f44016529831e5decb01047409cfcb2d7f4b7673edbd26eca5d733ba7aad415f5373ccbce5d266a058aef3f502d7333fdde2eefecebe9

Download Submit
memory/2480-14-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2480-15-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2908-0-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2908-9-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download