56d610a957297e3b100f558cc22d3aa250553d37a3c57a278245960181694347

Analysis

max time kernel
121s
max time network
131s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27/03/2024, 00:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e04f2ca4aef9e29c51e9388c71188d40.exe
Size

280KB
MD5

e04f2ca4aef9e29c51e9388c71188d40
SHA1

6f057a3027c20e23e8ac5e74d09685366572fddd
SHA256

56d610a957297e3b100f558cc22d3aa250553d37a3c57a278245960181694347
SHA512

89b3adf28529b78405ea5a68df1cde0e3cc683343cef3bb8d142cefa86feda1a38f04a064a3dc2ffb28c7d1aa9d1b4cefcc5811e4a6d621aca2a072acac7e684
SSDEEP

3072:CO+fEMt+5oqmcrQ3XMzkJJXIiMjJJeHGqONtjlTsuZfE:CO+fEO6mxd7yyHGJZwuZM

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2944	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2540	blgiqx.exe

Loads dropped DLL 2 IoCs

pid	Process
2944	cmd.exe
2944	cmd.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2576	PING.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2428 wrote to memory of 2944	2428	e04f2ca4aef9e29c51e9388c71188d40.exe	28
PID 2428 wrote to memory of 2944	2428	e04f2ca4aef9e29c51e9388c71188d40.exe	28
PID 2428 wrote to memory of 2944	2428	e04f2ca4aef9e29c51e9388c71188d40.exe	28
PID 2428 wrote to memory of 2944	2428	e04f2ca4aef9e29c51e9388c71188d40.exe	28
PID 2944 wrote to memory of 2540	2944	cmd.exe	30
PID 2944 wrote to memory of 2540	2944	cmd.exe	30
PID 2944 wrote to memory of 2540	2944	cmd.exe	30
PID 2944 wrote to memory of 2540	2944	cmd.exe	30
PID 2944 wrote to memory of 2576	2944	cmd.exe	31
PID 2944 wrote to memory of 2576	2944	cmd.exe	31
PID 2944 wrote to memory of 2576	2944	cmd.exe	31
PID 2944 wrote to memory of 2576	2944	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\e04f2ca4aef9e29c51e9388c71188d40.exe
"C:\Users\Admin\AppData\Local\Temp\e04f2ca4aef9e29c51e9388c71188d40.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\mspqbdl.bat
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Users\Admin\AppData\Local\Temp\blgiqx.exe
    "C:\Users\Admin\AppData\Local\Temp\blgiqx.exe"
    3⤵
    - Executes dropped EXE
    PID:2540
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\blgiqx.exe

Filesize
180KB

MD5
0807cd0859fcde088d22e4c830833d37

SHA1
fbef25c3001792d6632cb64368441767c39ac45c

SHA256
13c65e9d47c16b959067b352598b0a164122c48e459102c98dfc67ead96f2623

SHA512
adf0149634bdc5533901187b444aa02ff08dcc030ad86849aa2237295e6091c28d87aee1e18054616bd78c3bdae63d8aca77414c2a3da5587c087daec40fb420

Download Submit
C:\Users\Admin\AppData\Local\Temp\mspqbdl.bat

Filesize
124B

MD5
50e21b142d9cb5832851720ccbaa96c9

SHA1
b109c67058fe93834a03fa74e2ea09f5136fbc4c

SHA256
4e97ffc422617a4b0bf64b54a8d10bb912bd000c0f1f4b5ee9f58885346faa6f

SHA512
1ba88568861bb4da76eb5efd24960f8c26b5a747499b4b773f95f6eb814f4c455630a993131dadaf1d357e128cd0d9b2cdd330fc6982cff0cf89b982f7aafb85

Download Submit
C:\Users\Admin\AppData\Local\Temp\zbuksn.bat

Filesize
156B

MD5
2b16ac14bc2c95a7f632f83ec0d4e2b7

SHA1
3f64962b9e0fec767643c427e634fc9342f39d0a

SHA256
ccbb9f70f93416c0ce45fe68028aefc58595d28c610ccdc2200a34779cff6d00

SHA512
9ecd11d0a827a4f9803101fbc0e163e35915b7ac3e4ce7ec0ead69f74d7f1a875cfdb53ccb04533f72fd64622242f563a923b101d0b64a695612fc95dce988b8

Download Submit