eb05bad8b0e397dca98bb0ac869923a544c0af18e1dd688fc540ca8ab5d5db93

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25-03-2024 15:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eb05bad8b0e397dca98bb0ac869923a544c0af18e1dd688fc540ca8ab5d5db93.exe
Size

9.6MB
MD5

e06429917939f835a787155befa4d5c7
SHA1

3cf7021f659046ca4cadac4ec80659b8de8a4f1c
SHA256

eb05bad8b0e397dca98bb0ac869923a544c0af18e1dd688fc540ca8ab5d5db93
SHA512

5e2f05074d0efb4b6923776e524a959294015c27e4b8d38802a5d826e5f624c6796d73ce8690dc70c0ae954e29c237eed89dcb1a960bba14a481f5500b52904c
SSDEEP

196608:uLkq/+p4VDnpZfZKzpP/D0KprR1dLfzr2oOLck7XPOBZ3nwjeiqkXBshcv:ow49TAz9fBdLn2oUck7XPENnwjeKXtv

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2908	autorun.exe

Loads dropped DLL 2 IoCs

pid	Process
2180	eb05bad8b0e397dca98bb0ac869923a544c0af18e1dd688fc540ca8ab5d5db93.exe
2908	autorun.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2908	autorun.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2180	eb05bad8b0e397dca98bb0ac869923a544c0af18e1dd688fc540ca8ab5d5db93.exe
2180	eb05bad8b0e397dca98bb0ac869923a544c0af18e1dd688fc540ca8ab5d5db93.exe
2908	autorun.exe
2908	autorun.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 2908	2180	eb05bad8b0e397dca98bb0ac869923a544c0af18e1dd688fc540ca8ab5d5db93.exe	28
PID 2180 wrote to memory of 2908	2180	eb05bad8b0e397dca98bb0ac869923a544c0af18e1dd688fc540ca8ab5d5db93.exe	28
PID 2180 wrote to memory of 2908	2180	eb05bad8b0e397dca98bb0ac869923a544c0af18e1dd688fc540ca8ab5d5db93.exe	28
PID 2180 wrote to memory of 2908	2180	eb05bad8b0e397dca98bb0ac869923a544c0af18e1dd688fc540ca8ab5d5db93.exe	28
PID 2180 wrote to memory of 2908	2180	eb05bad8b0e397dca98bb0ac869923a544c0af18e1dd688fc540ca8ab5d5db93.exe	28
PID 2180 wrote to memory of 2908	2180	eb05bad8b0e397dca98bb0ac869923a544c0af18e1dd688fc540ca8ab5d5db93.exe	28
PID 2180 wrote to memory of 2908	2180	eb05bad8b0e397dca98bb0ac869923a544c0af18e1dd688fc540ca8ab5d5db93.exe	28

C:\Users\Admin\AppData\Local\Temp\eb05bad8b0e397dca98bb0ac869923a544c0af18e1dd688fc540ca8ab5d5db93.exe
"C:\Users\Admin\AppData\Local\Temp\eb05bad8b0e397dca98bb0ac869923a544c0af18e1dd688fc540ca8ab5d5db93.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe
  "C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe" "SFXSOURCE:C:\Users\Admin\AppData\Local\Temp\eb05bad8b0e397dca98bb0ac869923a544c0af18e1dd688fc540ca8ab5d5db93.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Buttons\10_1339.Btn

Filesize
10KB

MD5
ff0f7e75e01bbc7893ba284707b14339

SHA1
2970d617585059a6db37ffe033e538dc5a3a2e39

SHA256
3b4e90c7179dfb8595659bc92f46653040106505ea868310989a7f66331fc457

SHA512
d074c9da4eb162981a89d1b493d41170d5bb876f91cc4118f4525ae909e7f737e6a68e79f05c5efa0f76e0d1c2b94a8d3fc1120abc81a137e1f1d885c480eefb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Buttons\Kapat.Btn

Filesize
5KB

MD5
5d71b5433ad775244ee80f656e887153

SHA1
934a6e503fbce689100b441088f5e673a367f4d7

SHA256
4602bedf773f6814fb34e58e1d2f1d91acdade4d7803ea38b2ec0df23e709780

SHA512
79809e515df8ba91e38a52dd9ffb1d1506c69ec248f9161f97a570c80553404d2744686597be7b1e2ab0f9d6466170f126fd54149898e2febb98b686370a53e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Buttons\Kucult-1.Btn

Filesize
3KB

MD5
d564a841bb23d31dc3c762c791a08584

SHA1
eca0ed0c84211978836a5105ac28adec44eb8a08

SHA256
4f8859961a7fccf601474e439dc82c0fdb8cae9b946dfac674af8ed4083fd253

SHA512
2295d94ce03cdb75b197a3af7dc14beac333e948e6a77c24f5b8be19241dd032635d3e34c2d060b4106ef78893321a516d743ffdb13f62e0c0f0dc6e3dc43088

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Icons\as.ico

Filesize
97KB

MD5
e40de79712f7c314f578bc87773c2c95

SHA1
5a42215e9fb51f248a3b7fbe100a1a632287e9e2

SHA256
79c8330722ff53323e8fc3996957288a58d4e821f0d3acfc88f8f4fe164cd30f

SHA512
efd8eb54222b078c2e294c0b49cbe068b2912f2dc92032269f716a63d1284ada1de2e9be75591535448d97e62f6b4d8ca9d7eaa20904eb978202293ca5ef5cf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\1310750598_icontexto-inside-blogger.png

Filesize
10KB

MD5
0b091580c86d3d5b2d5a90369f355bb5

SHA1
a8ffd7d6463060e96fb0f06e5a06d057a95acc0e

SHA256
a32278461c0d4f7f97c3cfc0260537fe68842006b3fe082b55211f2dce62edf1

SHA512
173b75986b1361b2c1ca536f28fa827cb938291907b9129901d96d49fc79f9746574d73d1b8ee06e73420ebd51081a8a2a8bd6656e11a8ec6fb3ef936a38c11b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\1310750624_icontexto-inside-facebook.png

Filesize
11KB

MD5
398a409a3e847066006e99c2f0ab0dcf

SHA1
5cad39501e102a34439b454c546eb69697caee00

SHA256
0e06f55776d0cf134333044b8f0c432066da780970d338fa4dbda38a675c1dc8

SHA512
bb88130429267f83c9a37cd157eaa22686930aa2d4df7dd97e1ca52ecbcf764062ebfa94829cac83dc64d7fbce2b645f500f9e571ff7529690c3a2f6de3fff7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\1_1.png

Filesize
29KB

MD5
bd435cec198c6722d17fd1222f2d1e71

SHA1
c6bc46c3d5db3f00503c366efe28ea18480a0db4

SHA256
411d608d8ef27ab6314737b6a445f4e3f93e83523b4514362ba5e9391c6d1635

SHA512
72ccb436da061ecf88171b566c30938aca65d509b98f06b3b60d21b515f5b93dd42f95831c56fdd1a5abf09599037fb79f62098bbe9ba88172ae7c46523859ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\1_3.png

Filesize
11KB

MD5
eb984435a1efe1c308601ce5b15caa33

SHA1
d37f1b3ffbe44ba0cf1171dae72712824ce0ea6e

SHA256
23db073544fcf1e017e76fadeb1475a772d7f5f991a9a324c928ce6dbf743db6

SHA512
376de11bb41dc9c62964741359d2e4ad62ead510aa1a758c0ee78a7bd10b636bdcc16e12685e96cfce2f6c421796c13efd6dfde533eaef1f8c840bb85cf7be79

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\5_2.png

Filesize
129KB

MD5
da14b011a79950deea89d768f7d8497a

SHA1
ac3b6693b12ea63556e1ad991b775ee3c87d4d33

SHA256
be323ac2506b8f782a3bdbb560571ee786cce5e49a91157a90ff6b661f295ecb

SHA512
af3c1af0e9e79ae1e5f842033fcdcc00fae735655221977f3cb1300add4c5be91f113503be7d8e347116afb788400477fafd9454cf13ac819c34a3b47c568e21

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\5_4.png

Filesize
11KB

MD5
9fe9cfc673c2a8dd69f816e6bd687480

SHA1
2b0185295c0dc09838f25a253cc845eb5808eff9

SHA256
ffb009a74977d609b7da46379ce870eeda3a525fe13b080e4d25a0356add95ad

SHA512
cc3cffd19391c60e165a9849ef8fd1d2807b9daf54506bc72878f577be0d33f9cb0b8a9fe894ca9950d74e3d89ee2fbe0840a8fda6064a4c8e2991125da3fbab

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\bn_1.png

Filesize
7KB

MD5
9ea8db4c691b6f332084228cd239c8ba

SHA1
aa76ed6644e8736f7066bf882ff0f79c636b4219

SHA256
d56c933199c623a70f9649b9ad9b5b593558d6692e0e93a3d053615f144d3ee2

SHA512
879c4549567e0a6e5ef805f7cd833b2224f12a5d41ac1b6cfa5826ab1ed5ad1ac4f81fcb59a7a65cb9fe485658804573e595f3149f5d57b19f4cd3fd09d31b69

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\logo_1.png

Filesize
96KB

MD5
a892344b432ea652e4b6f7e97a4b543d

SHA1
6cc803a61908c2b4be4c50df67183fcd520fee68

SHA256
18993e43851fb0b0c310310a78db3660dd5b4daa57bf6493b185141c3fae3174

SHA512
b1c28dfd4faeba9f120b978dac3dd9211d21384ccfbbd6c3b15bb8cb3625134945b5f626514f13af4129ace1ff7eef2491dc736ff32c918dd14fe4c24cee42c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\logo_cityville.png

Filesize
24KB

MD5
205576471eab48a523418ad86ea80185

SHA1
9b77b288eea260d29f57f472d2ba5df26e58dfe7

SHA256
f1bcab739f5ffeb4c359914fa8414e74a2f93eb266748f9d841185cc5445c3d0

SHA512
5c42c59667c2fa2e369d8ec4a3831e1dc772e4e1c745f386562b83aaf79144365ced210d22923f21b5fd46e5f46174ddf83a1342ac96e181577629c7860aa5ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\me-gusta-facebook.gif

Filesize
9KB

MD5
c2e72e015e1aea51f100cfb8a160f4c6

SHA1
42c3de8134ceb00443dcf38a9fd95c19a1441450

SHA256
6ac8ff9b30b381523912621290c6dc332aaf81f290827b397f639da13b5a31eb

SHA512
0b76d6e70277c12c3c369ed7371a936bbc26ab0424f6da46d70f19553b8406ae70d51ac616f8eeca557b2086ae3d72b680994fb1e99586a2b24b7a00499ebdca

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\autorun.cdd

Filesize
502KB

MD5
2f19867f26f4e5a52b10e3cc5c899771

SHA1
9fe6e67edd9394a102ec7f1e8e4bc11b55e0ff66

SHA256
250d247c93c0fb3fad6de3f0a9bd3fada99211733c60c9f6be5b6dd1ca912eed

SHA512
66f7090ae209012f3a3361a4ad48268eaed1fe7063309e1f541daa961d4e6fb468c16ed468256f1c2f79b08b530469949a8c2d97f8436f77d4386e52a5031741

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe

Filesize
1.1MB

MD5
5650554b08b6e7bc0fc40982fac71cb7

SHA1
2c07b71c1020bf021a3d4e18a1aa961f2841cbf4

SHA256
32e0409e5aadb2fb69803063fe369485b88332d2532d221ece899c16ad374f34

SHA512
69c32ac0facbda4745fa19af5c1de5b4bdfb77bc59acf45a1c543127c1f0c77febf187d29d15fbfe0f82125e08707b87979334221c76dd0140fd29ee8d7cd2f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe

Filesize
1.0MB

MD5
24eae361179f011b5d5869be823c96d3

SHA1
e97c6120e2abab1c49252e94ef6282650f523ad1

SHA256
23dd84607999326d1de78c0344f49a8a13d359fcae0b0a3a388362857c93f808

SHA512
3b990f6710daf1e7c77875a0f856928d0285eed13950e4fbd25f0a988d0ceeab700eea8f1e3f8d702ebaf41eb0bfa50444f9d27b640c3d95ebfd22e228e8d3f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe

Filesize
729KB

MD5
fe7e5dca085d881cb3296b99d6bf3638

SHA1
e322355d84c63347d63af10378a29f7d2472dc21

SHA256
732516d03ab1374f593d2c9732bd0aae4e3bf04c2c5e0a2c0cc1d610cbf7f45d

SHA512
7b66dcc56b67740f0e997d936d9b71da4b30bdcd53ffad0c3272060fc74513953725e3bd07693859b3ab4141910b721ebba822c2db65fd6a9835c2326ab36ebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\lua5.1.dll

Filesize
318KB

MD5
833f004c5da3d31d078fae67323f90bf

SHA1
43c5b356084d30b2cd30c835939eea28e1018b2e

SHA256
1f7aae6b6fd013d1246dfa47168b24a78df3f98cda36f390e227abb5093ef30c

SHA512
f9cecdf175f275c6a2b43437b2327282cae225119eef9512ae633a4faf742c9901c6e319027bfed60c1e475e642ea8686410550ab81b355437ffa80aa684cec4

Download Submit
\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe

Filesize
2.5MB

MD5
b32237f40c40e028ff061545732468df

SHA1
a30a6b509b0080935a12ee381f09cd65077fcbcd

SHA256
66da22f6c970fe59ebb712577ed5067b1e717ecf676fceceabecae7e2d05d746

SHA512
dd6ced575ff3956796c99e44e60f67442d04c6ba36f1766d136530c4fbf64e59e7a503141fa77e9917d77a319244019c76b431793bbec74591abad43bb5852a5

Download Submit