5cf349a66449e06179cae7b93405d6234584bedbc534d76e30e61a2654713b84

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
09/03/2024, 04:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5cf349a66449e06179cae7b93405d6234584bedbc534d76e30e61a2654713b84.exe
Size

3.6MB
MD5

49310d364e10a63e7f40f9b8c9f184d1
SHA1

0e303af9e4a8daf79cef7a08d8e40973f439f3bb
SHA256

5cf349a66449e06179cae7b93405d6234584bedbc534d76e30e61a2654713b84
SHA512

5f641a5a625219ff4962dbc870306992c2e60734a754526931141115aa0c4b1357ccacfc48a0792083a1f0562bbac7e8931f91c6547c39968b06bd301fa110d9
SSDEEP

98304:wMaNKYpz9pWoHo2Ko0rbR2SAmnsMmXP68BRcGBVH5p6d:GKUI80h2Sbf78BRtBV

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2604	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
2420	7956.exe

Loads dropped DLL 2 IoCs

pid	Process
2228	5cf349a66449e06179cae7b93405d6234584bedbc534d76e30e61a2654713b84.exe
2228	5cf349a66449e06179cae7b93405d6234584bedbc534d76e30e61a2654713b84.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\delSexe.vbs	5cf349a66449e06179cae7b93405d6234584bedbc534d76e30e61a2654713b84.exe
File opened for modification	C:\Windows\SysWOW64\delSexe.vbs	5cf349a66449e06179cae7b93405d6234584bedbc534d76e30e61a2654713b84.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2228	5cf349a66449e06179cae7b93405d6234584bedbc534d76e30e61a2654713b84.exe
2228	5cf349a66449e06179cae7b93405d6234584bedbc534d76e30e61a2654713b84.exe
2420	7956.exe
2420	7956.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 2420	2228	5cf349a66449e06179cae7b93405d6234584bedbc534d76e30e61a2654713b84.exe	28
PID 2228 wrote to memory of 2420	2228	5cf349a66449e06179cae7b93405d6234584bedbc534d76e30e61a2654713b84.exe	28
PID 2228 wrote to memory of 2420	2228	5cf349a66449e06179cae7b93405d6234584bedbc534d76e30e61a2654713b84.exe	28
PID 2228 wrote to memory of 2420	2228	5cf349a66449e06179cae7b93405d6234584bedbc534d76e30e61a2654713b84.exe	28
PID 2228 wrote to memory of 2604	2228	5cf349a66449e06179cae7b93405d6234584bedbc534d76e30e61a2654713b84.exe	29
PID 2228 wrote to memory of 2604	2228	5cf349a66449e06179cae7b93405d6234584bedbc534d76e30e61a2654713b84.exe	29
PID 2228 wrote to memory of 2604	2228	5cf349a66449e06179cae7b93405d6234584bedbc534d76e30e61a2654713b84.exe	29
PID 2228 wrote to memory of 2604	2228	5cf349a66449e06179cae7b93405d6234584bedbc534d76e30e61a2654713b84.exe	29

C:\Users\Admin\AppData\Local\Temp\5cf349a66449e06179cae7b93405d6234584bedbc534d76e30e61a2654713b84.exe
"C:\Users\Admin\AppData\Local\Temp\5cf349a66449e06179cae7b93405d6234584bedbc534d76e30e61a2654713b84.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Users\Admin\AppData\Local\Temp\7956.exe
  "C:\Users\Admin\AppData\Local\Temp\7956.exe" yes
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2420
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\System32\delSexe.vbs"
  2⤵
  - Deletes itself
  PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\delSexe.vbs

Filesize
448B

MD5
35f429c72b4595f6443567ee29290ac0

SHA1
23502362dcbb41ca5f6a25e53f71ba2d73627be2

SHA256
df25ea1ea03fd77d80d6e093147861f2327522ad15397963bec545a95909ee7a

SHA512
f2e32ba051f2dfb8a40894055c637cf24ecfb8a55b481f9f62b8a4b3b9c79a5bb320a18fd71032ac1ae5b372d03bd8f65c5a271db722ebdab94b21349bb4175d

Download Submit
\Users\Admin\AppData\Local\Temp\7956.exe

Filesize
3.6MB

MD5
71b7de1f98d296f9fa17a3c49cc90518

SHA1
e3de7a470934403852c24441aa6c4981c43cbdde

SHA256
271e33b50c78e92b9f81980197a10ad36a28d68d86c8efd7b0f439c4e735a986

SHA512
0947b7bc61d67281e53b5d462ea8309e86788895cbeaf607e619eac2acc53bf9bde3ff6cb1c629a729bf4e9f0244de9034504d5cddbe6202772e334479cb0888

Download Submit
memory/2228-0-0x0000000000400000-0x00000000007E6000-memory.dmp

Filesize
3.9MB

Download