b6fc3232775c877804074bcfb4fdb7ace61748e5c2591873eed7f63096cc6d01

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
13/03/2024, 12:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c5ebf6f911bbf76036a03b0eeba90cc3.exe
Size

424KB
MD5

c5ebf6f911bbf76036a03b0eeba90cc3
SHA1

b4364d9293f084ce4b24be0294ec625805302e24
SHA256

b6fc3232775c877804074bcfb4fdb7ace61748e5c2591873eed7f63096cc6d01
SHA512

0b28bacb4327f2c6fa8221d7c1bbd2ff11d0812c863e742ddd885df28f71689c4703f04d0c361dda1c5013480fd582cbde84883e569e6e6ee402e7cf94d9ea20
SSDEEP

12288:20WrjA0qrLld527hX8di7dhq5a9VcNxb943FcSMHI:lW2rZv2qd8q5icNgcSM

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2600	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1244	rundll32.dll

Loads dropped DLL 1 IoCs

pid	Process
1244	rundll32.dll

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Messenger\rundll32.dll	c5ebf6f911bbf76036a03b0eeba90cc3.exe
File opened for modification	C:\Program Files (x86)\Messenger\rundll32.dll	c5ebf6f911bbf76036a03b0eeba90cc3.exe
File created	C:\Program Files (x86)\Messenger\EEGSMB.DAT	c5ebf6f911bbf76036a03b0eeba90cc3.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\uninstal.bat	c5ebf6f911bbf76036a03b0eeba90cc3.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2100	c5ebf6f911bbf76036a03b0eeba90cc3.exe
Token: SeDebugPrivilege	1244	rundll32.dll

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1244	rundll32.dll

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1244	rundll32.dll
1244	rundll32.dll

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 2600	2100	c5ebf6f911bbf76036a03b0eeba90cc3.exe	29
PID 2100 wrote to memory of 2600	2100	c5ebf6f911bbf76036a03b0eeba90cc3.exe	29
PID 2100 wrote to memory of 2600	2100	c5ebf6f911bbf76036a03b0eeba90cc3.exe	29
PID 2100 wrote to memory of 2600	2100	c5ebf6f911bbf76036a03b0eeba90cc3.exe	29
PID 2100 wrote to memory of 2600	2100	c5ebf6f911bbf76036a03b0eeba90cc3.exe	29
PID 2100 wrote to memory of 2600	2100	c5ebf6f911bbf76036a03b0eeba90cc3.exe	29
PID 2100 wrote to memory of 2600	2100	c5ebf6f911bbf76036a03b0eeba90cc3.exe	29

C:\Users\Admin\AppData\Local\Temp\c5ebf6f911bbf76036a03b0eeba90cc3.exe
"C:\Users\Admin\AppData\Local\Temp\c5ebf6f911bbf76036a03b0eeba90cc3.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\uninstal.bat
  2⤵
  - Deletes itself
  PID:2600

C:\Program Files (x86)\Messenger\rundll32.dll
"C:\Program Files (x86)\Messenger\rundll32.dll"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1244

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Messenger\rundll32.dll

Filesize
424KB

MD5
c5ebf6f911bbf76036a03b0eeba90cc3

SHA1
b4364d9293f084ce4b24be0294ec625805302e24

SHA256
b6fc3232775c877804074bcfb4fdb7ace61748e5c2591873eed7f63096cc6d01

SHA512
0b28bacb4327f2c6fa8221d7c1bbd2ff11d0812c863e742ddd885df28f71689c4703f04d0c361dda1c5013480fd582cbde84883e569e6e6ee402e7cf94d9ea20

Download Submit
C:\Windows\uninstal.bat

Filesize
190B

MD5
33462c4330f5816481d51e61525be06b

SHA1
ed01a34d971f5f4d0c7195a6fdb75728ec4e69ce

SHA256
92dad536f0ece1dfdd67359db98fdfb1684a00e0491b693914e62406fe3d7ed4

SHA512
281f3d839148b97b6ddb443a21cd12d4811bf633db325a0941e9895f1f1743756369fde400ad3513b9365468842e079b861e7f56808ae84c6d2cbd8d3f34de45

Download Submit
\Program Files (x86)\Messenger\EEGSMB.DAT

Filesize
74KB

MD5
921ec7a2efbe833bb3f696346ba70771

SHA1
258fda3ee0f8bc10b890cc26a174c38ac4a4e039

SHA256
8d025f7e7cc2e3df001f92ddc4cd442e9bfbf56cb954c7b28fca33467c1003ba

SHA512
4f9fe6d75b594eb2fc3747759ebc552d2f2de294b4c68850a57350ea29bf3fb4ee033b4be2d82b472493ac9b1dcc594fe4e3a2398e3cae0b26d83dfe95a4ae1f

Download Submit
memory/1244-11-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1244-17-0x0000000000560000-0x0000000000577000-memory.dmp

Filesize
92KB

Download
memory/1244-19-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/1244-21-0x0000000000560000-0x0000000000577000-memory.dmp

Filesize
92KB

Download
memory/1244-22-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/1244-23-0x0000000000560000-0x0000000000577000-memory.dmp

Filesize
92KB

Download
memory/1244-31-0x0000000000560000-0x0000000000577000-memory.dmp

Filesize
92KB

Download
memory/1244-37-0x0000000000560000-0x0000000000577000-memory.dmp

Filesize
92KB

Download
memory/2100-16-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2100-0-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download