3bd5e935b3a87f5a0b0f9e109b679c18a3735f3b9cbc6bd04bc542c4825614b8

Analysis

max time kernel
147s
max time network
147s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
06/03/2024, 12:15 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b7610b29b6fc96eddab572de747c98c8.exe
Size

60KB
MD5

b7610b29b6fc96eddab572de747c98c8
SHA1

327aca62c2d66dfe51f0c74005ae3dc7d4d8daf9
SHA256

3bd5e935b3a87f5a0b0f9e109b679c18a3735f3b9cbc6bd04bc542c4825614b8
SHA512

8ad806c24a411ed7783c73250b20aef73843eea765822f35ff1f5692e36dff9351b157cf38474bf83ebfe0391deb9e393d9adf5b78c4dff3744b67d05fbf8d1c
SSDEEP

1536:uNRQcTTxRNwicE6GT0aXHTDA9Rb8CzWj1o4z:YQcVwgT0a3AXbvWj1o4

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2188	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
3052	sript.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\sript.exe	b7610b29b6fc96eddab572de747c98c8.exe
File opened for modification	C:\Windows\SysWOW64\sript.exe	b7610b29b6fc96eddab572de747c98c8.exe

Kills process with taskkill 8 IoCs

evasion

pid	Process
2556	taskkill.exe
2560	taskkill.exe
2572	taskkill.exe
2460	taskkill.exe
2336	taskkill.exe
2596	taskkill.exe
2896	taskkill.exe
2584	taskkill.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2904	b7610b29b6fc96eddab572de747c98c8.exe
2904	b7610b29b6fc96eddab572de747c98c8.exe
3052	sript.exe
3052	sript.exe
3052	sript.exe
3052	sript.exe
3052	sript.exe
3052	sript.exe
3052	sript.exe
3052	sript.exe
3052	sript.exe
3052	sript.exe
3052	sript.exe
3052	sript.exe
3052	sript.exe
3052	sript.exe
3052	sript.exe
3052	sript.exe
3052	sript.exe
3052	sript.exe
3052	sript.exe
3052	sript.exe
3052	sript.exe
3052	sript.exe
3052	sript.exe
3052	sript.exe
3052	sript.exe
3052	sript.exe
3052	sript.exe
3052	sript.exe
3052	sript.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2904	b7610b29b6fc96eddab572de747c98c8.exe
Token: SeDebugPrivilege	2460	taskkill.exe
Token: SeDebugPrivilege	2596	taskkill.exe
Token: SeDebugPrivilege	2560	taskkill.exe
Token: SeDebugPrivilege	2336	taskkill.exe
Token: SeDebugPrivilege	2556	taskkill.exe
Token: SeDebugPrivilege	2896	taskkill.exe
Token: SeDebugPrivilege	2584	taskkill.exe
Token: SeDebugPrivilege	2572	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 1660	2904	b7610b29b6fc96eddab572de747c98c8.exe	28
PID 2904 wrote to memory of 1660	2904	b7610b29b6fc96eddab572de747c98c8.exe	28
PID 2904 wrote to memory of 1660	2904	b7610b29b6fc96eddab572de747c98c8.exe	28
PID 2904 wrote to memory of 1660	2904	b7610b29b6fc96eddab572de747c98c8.exe	28
PID 2904 wrote to memory of 2128	2904	b7610b29b6fc96eddab572de747c98c8.exe	29
PID 2904 wrote to memory of 2128	2904	b7610b29b6fc96eddab572de747c98c8.exe	29
PID 2904 wrote to memory of 2128	2904	b7610b29b6fc96eddab572de747c98c8.exe	29
PID 2904 wrote to memory of 2128	2904	b7610b29b6fc96eddab572de747c98c8.exe	29
PID 2904 wrote to memory of 2940	2904	b7610b29b6fc96eddab572de747c98c8.exe	30
PID 2904 wrote to memory of 2940	2904	b7610b29b6fc96eddab572de747c98c8.exe	30
PID 2904 wrote to memory of 2940	2904	b7610b29b6fc96eddab572de747c98c8.exe	30
PID 2904 wrote to memory of 2940	2904	b7610b29b6fc96eddab572de747c98c8.exe	30
PID 2904 wrote to memory of 2960	2904	b7610b29b6fc96eddab572de747c98c8.exe	31
PID 2904 wrote to memory of 2960	2904	b7610b29b6fc96eddab572de747c98c8.exe	31
PID 2904 wrote to memory of 2960	2904	b7610b29b6fc96eddab572de747c98c8.exe	31
PID 2904 wrote to memory of 2960	2904	b7610b29b6fc96eddab572de747c98c8.exe	31
PID 3052 wrote to memory of 2116	3052	sript.exe	37
PID 3052 wrote to memory of 2116	3052	sript.exe	37
PID 3052 wrote to memory of 2116	3052	sript.exe	37
PID 3052 wrote to memory of 2116	3052	sript.exe	37
PID 2960 wrote to memory of 2560	2960	cmd.exe	39
PID 2960 wrote to memory of 2560	2960	cmd.exe	39
PID 2960 wrote to memory of 2560	2960	cmd.exe	39
PID 2960 wrote to memory of 2560	2960	cmd.exe	39
PID 3052 wrote to memory of 2628	3052	sript.exe	40
PID 3052 wrote to memory of 2628	3052	sript.exe	40
PID 3052 wrote to memory of 2628	3052	sript.exe	40
PID 3052 wrote to memory of 2628	3052	sript.exe	40
PID 3052 wrote to memory of 2632	3052	sript.exe	41
PID 3052 wrote to memory of 2632	3052	sript.exe	41
PID 3052 wrote to memory of 2632	3052	sript.exe	41
PID 3052 wrote to memory of 2632	3052	sript.exe	41
PID 1660 wrote to memory of 2572	1660	cmd.exe	38
PID 1660 wrote to memory of 2572	1660	cmd.exe	38
PID 1660 wrote to memory of 2572	1660	cmd.exe	38
PID 1660 wrote to memory of 2572	1660	cmd.exe	38
PID 3052 wrote to memory of 2712	3052	sript.exe	43
PID 3052 wrote to memory of 2712	3052	sript.exe	43
PID 3052 wrote to memory of 2712	3052	sript.exe	43
PID 3052 wrote to memory of 2712	3052	sript.exe	43
PID 2128 wrote to memory of 2584	2128	cmd.exe	45
PID 2128 wrote to memory of 2584	2128	cmd.exe	45
PID 2128 wrote to memory of 2584	2128	cmd.exe	45
PID 2128 wrote to memory of 2584	2128	cmd.exe	45
PID 2940 wrote to memory of 2556	2940	cmd.exe	46
PID 2940 wrote to memory of 2556	2940	cmd.exe	46
PID 2940 wrote to memory of 2556	2940	cmd.exe	46
PID 2940 wrote to memory of 2556	2940	cmd.exe	46
PID 2904 wrote to memory of 2188	2904	b7610b29b6fc96eddab572de747c98c8.exe	49
PID 2904 wrote to memory of 2188	2904	b7610b29b6fc96eddab572de747c98c8.exe	49
PID 2904 wrote to memory of 2188	2904	b7610b29b6fc96eddab572de747c98c8.exe	49
PID 2904 wrote to memory of 2188	2904	b7610b29b6fc96eddab572de747c98c8.exe	49
PID 2116 wrote to memory of 2460	2116	cmd.exe	50
PID 2116 wrote to memory of 2460	2116	cmd.exe	50
PID 2116 wrote to memory of 2460	2116	cmd.exe	50
PID 2116 wrote to memory of 2460	2116	cmd.exe	50
PID 2628 wrote to memory of 2896	2628	cmd.exe	51
PID 2628 wrote to memory of 2896	2628	cmd.exe	51
PID 2628 wrote to memory of 2896	2628	cmd.exe	51
PID 2628 wrote to memory of 2896	2628	cmd.exe	51
PID 2712 wrote to memory of 2336	2712	cmd.exe	52
PID 2712 wrote to memory of 2336	2712	cmd.exe	52
PID 2712 wrote to memory of 2336	2712	cmd.exe	52
PID 2712 wrote to memory of 2336	2712	cmd.exe	52

C:\Users\Admin\AppData\Local\Temp\b7610b29b6fc96eddab572de747c98c8.exe
"C:\Users\Admin\AppData\Local\Temp\b7610b29b6fc96eddab572de747c98c8.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im rfwmain.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1660
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rfwmain.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2572
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im rfwsrv.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2128
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rfwsrv.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2584
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im rfwstub.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rfwstub.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2556
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im rfwproxy.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2960
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rfwproxy.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2560
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\B7610B~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2188

C:\Windows\SysWOW64\sript.exe
C:\Windows\SysWOW64\sript.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im rfwmain.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rfwmain.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2460
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im rfwsrv.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rfwsrv.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2896
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im rfwstub.exe
  2⤵
  PID:2632
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rfwstub.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2596
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im rfwproxy.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rfwproxy.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2336

Network

DNS

yxjz.3322.org

sript.exe

Remote address:

8.8.8.8:53

Request

yxjz.3322.org

IN A

Response
DNS

yxjz.3322.org

sript.exe

Remote address:

8.8.8.8:53

Request

yxjz.3322.org

IN A

No results found

8.8.8.8:53

yxjz.3322.org

dns

sript.exe

118 B
123 B
2
1

DNS Request

yxjz.3322.org

DNS Request

yxjz.3322.org

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\sript.exe

Filesize
60KB

MD5
b7610b29b6fc96eddab572de747c98c8

SHA1
327aca62c2d66dfe51f0c74005ae3dc7d4d8daf9

SHA256
3bd5e935b3a87f5a0b0f9e109b679c18a3735f3b9cbc6bd04bc542c4825614b8

SHA512
8ad806c24a411ed7783c73250b20aef73843eea765822f35ff1f5692e36dff9351b157cf38474bf83ebfe0391deb9e393d9adf5b78c4dff3744b67d05fbf8d1c

Download Submit