b8902673031de93eaea9e696a7dda24acd683fe04aae22f3407ee9b7174df214

Analysis

max time kernel
137s
max time network
136s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
07/03/2024, 09:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b86d68f54e891638695da4a592b23d6d.exe
Size

321KB
MD5

b86d68f54e891638695da4a592b23d6d
SHA1

8f54a53314228b0ad879a4c5531e857d10bec9aa
SHA256

b8902673031de93eaea9e696a7dda24acd683fe04aae22f3407ee9b7174df214
SHA512

90b84de7111ab8ad50b1643f3a319dab668d2d70e8a87536a0db99de13ca5918349b8aecae7fc84a090e813a00364f98242018f8750214ec23c0d976add08567
SSDEEP

6144:SSEyY12J5XmzPDn3SUl6RexWcr7kIwWoJf:Sxy/5X+bCHsxWcrYIwz5

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1840	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
1540	b86d68f54e891638695da4a592b23d6d.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\pkLhxuyR\bVLoLq\UoUdCmTi.dll	svchost.exe
File created	C:\Windows\SysWOW64\XRpJPHBj\dTXgEJkC.dll	svchost.exe
File created	C:\Windows\SysWOW64\TvgXGjnU\XWQChh.dll	svchost.exe
File created	C:\Windows\SysWOW64\xvOLXn\XyOKKE.dll	svchost.exe
File created	C:\Windows\SysWOW64\pkLhxuyR\bcwThaK\UQxlruvA.dll	svchost.exe
File created	C:\Windows\SysWOW64\tAIwDFUf\RsGGamHq.dll	svchost.exe
File created	C:\Windows\SysWOW64\pkLhxuyR\lSDwkJnt\RemolCY.dll	svchost.exe
File created	C:\Windows\SysWOW64\OVUBEb\gsOkqQjp.dll	svchost.exe
File created	C:\Windows\SysWOW64\tRfmFNc\oUSKPyf.dll	svchost.exe
File created	C:\Windows\SysWOW64\oWuVrNH\lLSSTIoE.dll	svchost.exe
File created	C:\Windows\SysWOW64\pkLhxuyR\XDSWLnMI\JFNGUeMT.dll	svchost.exe
File created	C:\Windows\SysWOW64\pFKbGFff\omhIpR.dll	svchost.exe
File created	C:\Windows\SysWOW64\pkLhxuyR\iIrKcH\WvVQCBhK.dll	svchost.exe
File created	C:\Windows\SysWOW64\pkLhxuyR\TSfWHXi\dWfdCXj.dll	svchost.exe
File created	C:\Windows\SysWOW64\oWuVrNH\Kcgnxvxt.dll	svchost.exe
File created	C:\Windows\SysWOW64\uJvcPk\oswcGAp.dll	svchost.exe
File created	C:\Windows\SysWOW64\mSgjCX\WrGDbop.dll	svchost.exe
File created	C:\Windows\SysWOW64\pkLhxuyR\NxLfXI\pGFwKo.dll	svchost.exe
File created	C:\Windows\SysWOW64\pkLhxuyR\SXVHHx\JGYLUq.dll	svchost.exe
File created	C:\Windows\SysWOW64\pkLhxuyR\dCNKtn\KTIrhgLL.dll	svchost.exe
File created	C:\Windows\SysWOW64\sQjFuE\vNcnfI.dll	svchost.exe
File created	C:\Windows\SysWOW64\pkLhxuyR\lTWAbT\GQRtrU.dll	svchost.exe
File created	C:\Windows\SysWOW64\pkLhxuyR\TSfWHXi\TAylqh.dll	svchost.exe
File created	C:\Windows\SysWOW64\TvgXGjnU\CsMRXOL.dll	svchost.exe
File created	C:\Windows\SysWOW64\pkLhxuyR\lTWAbT\stpFVU.dll	svchost.exe
File created	C:\Windows\SysWOW64\pkLhxuyR\bVLoLq\QQAVuYRQ.dll	svchost.exe
File created	C:\Windows\SysWOW64\pkLhxuyR\qJJLMVN\SwDlUQ.dll	svchost.exe
File created	C:\Windows\SysWOW64\xvOLXn\VBVFLFhu.dll	svchost.exe
File created	C:\Windows\SysWOW64\pkLhxuyR\dCNKtn\QmEnXuXX.dll	svchost.exe
File created	C:\Windows\SysWOW64\pkLhxuyR\RKGwdL\UMVkDWLF.dll	svchost.exe
File created	C:\Windows\SysWOW64\RXNxOG\jQHKxft.dll	svchost.exe
File created	C:\Windows\SysWOW64\pkLhxuyR\kFwFnpb\WvWToHb.dll	svchost.exe
File created	C:\Windows\SysWOW64\LKpaaP\WPaeyuxQ.dll	svchost.exe
File created	C:\Windows\SysWOW64\SRcTKT\TFYLcbFs.dll	svchost.exe
File created	C:\Windows\SysWOW64\TCTtUa\KkvRoTQQ.dll	svchost.exe
File created	C:\Windows\SysWOW64\pkLhxuyR\XDWCIpKJ\vpKGDC.dll	svchost.exe
File created	C:\Windows\SysWOW64\pkLhxuyR\lSDwkJnt\IAEQDHO.dll	svchost.exe
File created	C:\Windows\SysWOW64\pkLhxuyR\UdqvVpH\esMjmf.dll	svchost.exe
File created	C:\Windows\SysWOW64\pkLhxuyR\NDolNX\wIWMmEe.dll	svchost.exe
File created	C:\Windows\SysWOW64\pkLhxuyR\kFwFnpb\BKNIsml.dll	svchost.exe
File created	C:\Windows\SysWOW64\aFCodmCe\pIBPGxu.dll	svchost.exe
File created	C:\Windows\SysWOW64\pkLhxuyR\WeHOEqP\QmDsrjdp.dll	svchost.exe
File created	C:\Windows\SysWOW64\pkLhxuyR\NDolNX\qreQixN.dll	svchost.exe
File created	C:\Windows\SysWOW64\SRcTKT\BgqlFP.dll	svchost.exe
File created	C:\Windows\SysWOW64\pkLhxuyR\bcwThaK\QHdCvUNK.dll	svchost.exe
File created	C:\Windows\SysWOW64\ijGksB\TcXKRDj.dll	svchost.exe
File created	C:\Windows\SysWOW64\cnMWGXET\hLuGXPI.dll	svchost.exe
File created	C:\Windows\SysWOW64\pkLhxuyR\svchost.exe	b86d68f54e891638695da4a592b23d6d.exe
File created	C:\Windows\SysWOW64\LKpaaP\HpkNVTCj.dll	svchost.exe
File created	C:\Windows\SysWOW64\WsNlEj\nBAQoo.dll	svchost.exe
File created	C:\Windows\SysWOW64\pkLhxuyR\HWNsUv\hNCiNQuh.dll	svchost.exe
File created	C:\Windows\SysWOW64\uJvcPk\OOnLOlN.dll	svchost.exe
File created	C:\Windows\SysWOW64\TCTtUa\qijwHb.dll	svchost.exe
File created	C:\Windows\SysWOW64\ijGksB\evaIXd.dll	svchost.exe
File created	C:\Windows\SysWOW64\sQjFuE\hMFqRP.dll	svchost.exe
File created	C:\Windows\SysWOW64\aFCodmCe\pmMpEwp.dll	svchost.exe
File created	C:\Windows\SysWOW64\WsNlEj\jHNNNvDR.dll	svchost.exe
File created	C:\Windows\SysWOW64\pkLhxuyR\HWNsUv\roLVfxY.dll	svchost.exe
File created	C:\Windows\SysWOW64\GvtTKPRE\DyFoPWW.dll	svchost.exe
File created	C:\Windows\SysWOW64\OVUBEb\fTCTexF.dll	svchost.exe
File created	C:\Windows\SysWOW64\pkLhxuyR\XDSWLnMI\tUcvKp.dll	svchost.exe
File created	C:\Windows\SysWOW64\pFKbGFff\wWIqOeO.dll	svchost.exe
File created	C:\Windows\SysWOW64\PRqRhrAX\LAYqqc.dll	svchost.exe
File created	C:\Windows\SysWOW64\cnMWGXET\IBEvgrC.dll	svchost.exe

Drops file in Program Files directory 42 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\GOgHxM\QAhBhQTt.dll	svchost.exe
File created	C:\Program Files (x86)\piWwAwJi\pJFFcVQ.dll	svchost.exe
File created	C:\Program Files (x86)\geLoOFgf\DSpbIyqU.dll	svchost.exe
File created	C:\Program Files (x86)\aDgSWI\BTtlBS.dll	svchost.exe
File created	C:\Program Files (x86)\thhLdF\caYtkIKn.dll	svchost.exe
File created	C:\Program Files (x86)\DayJFuHg\uapJKUyx.dll	svchost.exe
File created	C:\Program Files (x86)\jrSSYhi\luxmCbM.dll	svchost.exe
File created	C:\Program Files (x86)\DjKofe\IjctDmW.dll	svchost.exe
File created	C:\Program Files (x86)\geLoOFgf\LJTByv.dll	svchost.exe
File created	C:\Program Files (x86)\OOKUvQXw\YlJMAGT.dll	svchost.exe
File created	C:\Program Files (x86)\dOTyXgg\wcEVjFp.dll	svchost.exe
File created	C:\Program Files (x86)\dOTyXgg\iydeoaRe.dll	svchost.exe
File created	C:\Program Files (x86)\dYbsvL\MqkbGeYk.dll	svchost.exe
File created	C:\Program Files (x86)\jrSSYhi\AODEJkX.dll	svchost.exe
File created	C:\Program Files (x86)\bgFUQL\IIkddj.dll	svchost.exe
File created	C:\Program Files (x86)\DayJFuHg\JOfVFHfh.dll	svchost.exe
File created	C:\Program Files (x86)\pDVHYEN\xEaQueVg.dll	svchost.exe
File created	C:\Program Files (x86)\GOgHxM\OGjYtg.dll	svchost.exe
File created	C:\Program Files (x86)\DjKofe\qlGQWO.dll	svchost.exe
File created	C:\Program Files (x86)\tHTyIo\HfWfIeIC.dll	svchost.exe
File created	C:\Program Files (x86)\McRJJp\yKvGqdW.dll	svchost.exe
File created	C:\Program Files (x86)\OhpVGa\FERPdC.dll	svchost.exe
File created	C:\Program Files (x86)\OhpVGa\BYdsJtMc.dll	svchost.exe
File created	C:\Program Files (x86)\PIXrYK\pLXrLbk.dll	svchost.exe
File created	C:\Program Files (x86)\McRJJp\YbNSee.dll	svchost.exe
File created	C:\Program Files (x86)\aDgSWI\VvgOBrd.dll	svchost.exe
File created	C:\Program Files (x86)\uTSeCgcP\vRIVMmL.dll	svchost.exe
File created	C:\Program Files (x86)\pDVHYEN\QdvgvG.dll	svchost.exe
File created	C:\Program Files (x86)\dYbsvL\teUdJvBt.dll	svchost.exe
File created	C:\Program Files (x86)\IcJdNy\dGSnCY.dll	svchost.exe
File created	C:\Program Files (x86)\IRkcIG\RWSfQPS.dll	svchost.exe
File created	C:\Program Files (x86)\IRkcIG\fVbGJBax.dll	svchost.exe
File created	C:\Program Files (x86)\uTSeCgcP\qREuMC.dll	svchost.exe
File created	C:\Program Files (x86)\OOKUvQXw\QVlTshVE.dll	svchost.exe
File created	C:\Program Files (x86)\bgFUQL\PtjbpE.dll	svchost.exe
File created	C:\Program Files (x86)\PIXrYK\VNJcFm.dll	svchost.exe
File created	C:\Program Files (x86)\piWwAwJi\NJLxDu.dll	svchost.exe
File created	C:\Program Files (x86)\PdotSG\fMLpXvsl.dll	svchost.exe
File created	C:\Program Files (x86)\PdotSG\SAJlhQ.dll	svchost.exe
File created	C:\Program Files (x86)\IcJdNy\RwkeBQ.dll	svchost.exe
File created	C:\Program Files (x86)\tHTyIo\KmOGmo.dll	svchost.exe
File created	C:\Program Files (x86)\thhLdF\PEFOQI.dll	svchost.exe

Drops file in Windows directory 39 IoCs

description	ioc	Process
File created	C:\Windows\elXTNly\gUkWcy.dll	svchost.exe
File created	C:\Windows\SBcEAE\FnfFFto.dll	svchost.exe
File created	C:\Windows\bCYVpQLR\bJIRkJD.dll	svchost.exe
File created	C:\Windows\CLOG.txt	b86d68f54e891638695da4a592b23d6d.exe
File created	C:\Windows\GxSxbiX\bpEExI.dll	svchost.exe
File created	C:\Windows\YEfDcU\XvGUgF.dll	svchost.exe
File created	C:\Windows\xEXvKKV\KGAhOIu.dll	svchost.exe
File created	C:\Windows\xEXvKKV\LTQRjOrF.dll	svchost.exe
File created	C:\Windows\AnnCcNAK\HBXgnK.dll	svchost.exe
File created	C:\Windows\mNLNVCD\kaAWFL.dll	svchost.exe
File created	C:\Windows\FUaDQe\DVuWLED.dll	svchost.exe
File created	C:\Windows\FUaDQe\pPmyGh.dll	svchost.exe
File created	C:\Windows\OVVflFP\BsHDbCA.dll	svchost.exe
File created	C:\Windows\GxSxbiX\DKLKrW.dll	svchost.exe
File created	C:\Windows\leYMDns\GULEsS.dll	svchost.exe
File created	C:\Windows\ieEjBga\FOSfdHY.dll	svchost.exe
File created	C:\Windows\wswAfk\uRxSHeC.dll	svchost.exe
File created	C:\Windows\SKRIVHV.dll	svchost.exe
File opened for modification	C:\Windows\CLOG.txt	svchost.exe
File opened for modification	C:\Windows\tDOCDxTf\EmQahH.dll	svchost.exe
File created	C:\Windows\KYqXyta\mTUDtAC.dll	svchost.exe
File created	C:\Windows\OVVflFP\rtbEfR.dll	svchost.exe
File created	C:\Windows\SBcEAE\EQaEwM.dll	svchost.exe
File created	C:\Windows\WxpstJL\vMqVxF.dll	svchost.exe
File created	C:\Windows\KYqXyta\MbFiPrG.dll	svchost.exe
File created	C:\Windows\STWaHj\qywQFuKd.dll	svchost.exe
File created	C:\Windows\AnnCcNAK\QJcwCT.dll	svchost.exe
File created	C:\Windows\wswAfk\yUEWxO.dll	svchost.exe
File created	C:\Windows\tDOCDxTf\EmQahH.dll	svchost.exe
File created	C:\Windows\STWaHj\wdMpmLiu.dll	svchost.exe
File created	C:\Windows\leYMDns\bxFjDWDc.dll	svchost.exe
File created	C:\Windows\IvMDHK\BImalI.dll	svchost.exe
File created	C:\Windows\elXTNly\DTEEmU.dll	svchost.exe
File created	C:\Windows\ieEjBga\bsTgNV.dll	svchost.exe
File created	C:\Windows\IvMDHK\kEAkqC.dll	svchost.exe
File created	C:\Windows\eTFFIdQ.dll	b86d68f54e891638695da4a592b23d6d.exe
File created	C:\Windows\mNLNVCD\oDqnNvx.dll	svchost.exe
File created	C:\Windows\WxpstJL\khFYuDH.dll	svchost.exe
File created	C:\Windows\YEfDcU\MEmradf.dll	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1840	svchost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1540 wrote to memory of 1840	1540	b86d68f54e891638695da4a592b23d6d.exe	28
PID 1540 wrote to memory of 1840	1540	b86d68f54e891638695da4a592b23d6d.exe	28
PID 1540 wrote to memory of 1840	1540	b86d68f54e891638695da4a592b23d6d.exe	28
PID 1540 wrote to memory of 1840	1540	b86d68f54e891638695da4a592b23d6d.exe	28

C:\Users\Admin\AppData\Local\Temp\b86d68f54e891638695da4a592b23d6d.exe
"C:\Users\Admin\AppData\Local\Temp\b86d68f54e891638695da4a592b23d6d.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1540
- C:\Windows\SysWOW64\pkLhxuyR\svchost.exe
  "C:\Windows\SysWOW64\pkLhxuyR\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\CLOG.txt

Filesize
4KB

MD5
01d1b026576165699ba843541f632acd

SHA1
8314711ea8ae703b95a6e466d6c02d7619b397c7

SHA256
68982f600f3b6a024fefb5bfdf4186878ed473ab116085dccdff28f01b1c3fc5

SHA512
a3b01613bac31edeb2e4a7cc7156d094e2a3139be3c245fbf273ccef02f582205ea017967f3d7e24f5a44a510d7aaa4c93f64100f4ddf21dfbd142f9bee7f986

Download Submit
C:\Windows\CLOG.txt

Filesize
166B

MD5
efe7ba16309c9853a71aba0a7c898200

SHA1
86d567fd60a9a7a7f2fa33fb2eae219989a68ea4

SHA256
96ca1487ee5686a6bac7d62834f9d81f4c603150b7df925e38f464e810b09bc0

SHA512
b06bca150ff02eea7065d229bb18e0404dae197e10be4e8a3c491b29fe76a3d6fa9f10b3d8002ea731837fe7a2ed6c57d49f0f157e3e96f464c6949b48914648

Download Submit
C:\Windows\CLOG.txt

Filesize
2KB

MD5
fbd38036d307abf3839626525109ec47

SHA1
52153a9475808f536bcb9e1b48cfec7430d1df0c

SHA256
6bba7419e91da2d3c5e800e427427573f88090cd3b2e3922aead51f432908dbd

SHA512
36cb785adc065b7dc6225ce97cee2fe8eb04c059e36d6b697e94fc4ba4d1b23d916326fb4de16f4fec3705b0c19ea5d69826b7cc8dd7fea53a4bb2c0aa6e9e78

Download Submit
\Windows\SysWOW64\pkLhxuyR\svchost.exe

Filesize
328KB

MD5
55663107136befd601d11813ca8a8974

SHA1
0b5b52f310dd1be02bf947b48010e21a4e52f7fc

SHA256
10209acc979ba0fb30cf1164718fa5d1d19ebb2a8936eb0ba02cd7fd7e1699cf

SHA512
e75dae0b80febef216d067e902af1c386245dcf93457884145457dd4e3f29b54be6ce8f9384a81122aa18c43636893648908b60dd11e3c6d8395844d9e84bab3

Download Submit
memory/1540-0-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1540-10-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1540-9-0x0000000000230000-0x0000000000233000-memory.dmp

Filesize
12KB

Download
memory/1840-20-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1840-16-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1840-23-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1840-24-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1840-28-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1840-31-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1840-34-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1840-38-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1840-15-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1840-14-0x0000000000230000-0x0000000000233000-memory.dmp

Filesize
12KB

Download
memory/1840-846-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download