3a83363df452ecd7a61944e0b3d0f4a5f74f3486a51f7333f0f1f57313c5f9b8

Analysis

max time kernel
120s
max time network
140s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09-03-2024 14:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc1208590516a05d2f06acf6330d2278.exe
Size

276KB
MD5

bc1208590516a05d2f06acf6330d2278
SHA1

1271cd7385ed584c3ea1e2b15b18bf462507dc85
SHA256

3a83363df452ecd7a61944e0b3d0f4a5f74f3486a51f7333f0f1f57313c5f9b8
SHA512

b19bbc6fd15993da49d8234d00b7c9a1bda9016b052d57bb291ae279505bd1aea982811972fa3c5591f3214c97e913840e4f8250793cdecace851ca3d0317320
SSDEEP

3072:+UfJ8XcRk4go4CDIuLgxMgIGrmeUcsTOQMOji7LuPGB5bqJfoMMVdPfy:+UfJ8XFxcLKMtG6eUJyQMOjiSo5wDsPq

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2584	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2644	yuycbv.exe

Loads dropped DLL 2 IoCs

pid	Process
2584	cmd.exe
2584	cmd.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2512	PING.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2480 wrote to memory of 2584	2480	bc1208590516a05d2f06acf6330d2278.exe	27
PID 2480 wrote to memory of 2584	2480	bc1208590516a05d2f06acf6330d2278.exe	27
PID 2480 wrote to memory of 2584	2480	bc1208590516a05d2f06acf6330d2278.exe	27
PID 2480 wrote to memory of 2584	2480	bc1208590516a05d2f06acf6330d2278.exe	27
PID 2584 wrote to memory of 2644	2584	cmd.exe	29
PID 2584 wrote to memory of 2644	2584	cmd.exe	29
PID 2584 wrote to memory of 2644	2584	cmd.exe	29
PID 2584 wrote to memory of 2644	2584	cmd.exe	29
PID 2584 wrote to memory of 2512	2584	cmd.exe	30
PID 2584 wrote to memory of 2512	2584	cmd.exe	30
PID 2584 wrote to memory of 2512	2584	cmd.exe	30
PID 2584 wrote to memory of 2512	2584	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\bc1208590516a05d2f06acf6330d2278.exe
"C:\Users\Admin\AppData\Local\Temp\bc1208590516a05d2f06acf6330d2278.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\oxdowds.bat
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\Users\Admin\AppData\Local\Temp\yuycbv.exe
    "C:\Users\Admin\AppData\Local\Temp\yuycbv.exe"
    3⤵
    - Executes dropped EXE
    PID:2644
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fwnivk.bat

Filesize
156B

MD5
d3141907c998198b17f7a9e095beb939

SHA1
ec57d46fc6ab1d5bf471a60704f53672559c8f4d

SHA256
b20860fd3727f586914cc48213a597718aa14e4d20a75d58e6394c4a4a8a4e0b

SHA512
fe234940d894f48e4f63190d7ed6e9bfb2baecd4051161594cfe46e59fd92cfe148f383266652548019bdf4c61d67129893023651399fe3cde941764cae35e79

Download Submit
C:\Users\Admin\AppData\Local\Temp\oxdowds.bat

Filesize
124B

MD5
f4e15f07acbce6e44725401b52f8763d

SHA1
88c51e63869c78414a4df8ec040e945a66a70a28

SHA256
91b18c35fd173c9924d7b9b041c6209fead522c3e58d7ff1bbf6bd5d1f3361cd

SHA512
12ad6a9a2eacb42a2dc93f4089e9c80f4dc1d0f72201218995868a28865ae8e9c028ce0285ad1f176b2541850eaf0e52ac7db2745570b15c37e8ae0cb5fd5d48

Download Submit
\Users\Admin\AppData\Local\Temp\yuycbv.exe

Filesize
184KB

MD5
14df9da9525d45f48e95d15865da3c03

SHA1
710ca1cef55330f50cb2d9e3c2d7b362a385819e

SHA256
6ba40910553f26c64bc013c32c12e7d04441fa38c2a1c29b164ee65795bdb849

SHA512
71180503dd447e10aef33436f9b02e92c54a46c08539fd635d201d8f110e06663943ddf1afd5922f3a1e5f31bf790966c75703a9a0e8b982c1d21e37090faa45

Download Submit