176c01eadc93bcdd44484eed12be81470a5d6843e1316f9b9ad23ded0da544ba

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28/03/2024, 18:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

176c01eadc93bcdd44484eed12be81470a5d6843e1316f9b9ad23ded0da544ba.exe
Size

2.8MB
MD5

50bf71ce7279b0449553b4be536822c3
SHA1

ba427c9cac10521248b6265bf2cacb997a8f80b5
SHA256

176c01eadc93bcdd44484eed12be81470a5d6843e1316f9b9ad23ded0da544ba
SHA512

15b60c5f04af2ae0a99ab13b98b3dbea92a6c7e1f35bc2010f97736e1226811cf4b74b19ab4055e61051ddbe3dda7a3f97019d6b062201145d02433b27645bbb
SSDEEP

49152:tMDRZ9IBVL+s0ezJGd80SHMsThF35Hj1Bzuzm4:tMDtIXLr06AdfEThF35PzuH

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2656	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2452	176c01eadc93bcdd44484eed12be81470a5d6843e1316f9b9ad23ded0da544ba.exe

Loads dropped DLL 2 IoCs

pid	Process
2656	cmd.exe
2656	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2812	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2736	timeout.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2452	176c01eadc93bcdd44484eed12be81470a5d6843e1316f9b9ad23ded0da544ba.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2864 wrote to memory of 2796	2864	176c01eadc93bcdd44484eed12be81470a5d6843e1316f9b9ad23ded0da544ba.exe	28
PID 2864 wrote to memory of 2796	2864	176c01eadc93bcdd44484eed12be81470a5d6843e1316f9b9ad23ded0da544ba.exe	28
PID 2864 wrote to memory of 2796	2864	176c01eadc93bcdd44484eed12be81470a5d6843e1316f9b9ad23ded0da544ba.exe	28
PID 2864 wrote to memory of 2796	2864	176c01eadc93bcdd44484eed12be81470a5d6843e1316f9b9ad23ded0da544ba.exe	28
PID 2796 wrote to memory of 2588	2796	cmd.exe	30
PID 2796 wrote to memory of 2588	2796	cmd.exe	30
PID 2796 wrote to memory of 2588	2796	cmd.exe	30
PID 2796 wrote to memory of 2588	2796	cmd.exe	30
PID 2864 wrote to memory of 2656	2864	176c01eadc93bcdd44484eed12be81470a5d6843e1316f9b9ad23ded0da544ba.exe	31
PID 2864 wrote to memory of 2656	2864	176c01eadc93bcdd44484eed12be81470a5d6843e1316f9b9ad23ded0da544ba.exe	31
PID 2864 wrote to memory of 2656	2864	176c01eadc93bcdd44484eed12be81470a5d6843e1316f9b9ad23ded0da544ba.exe	31
PID 2864 wrote to memory of 2656	2864	176c01eadc93bcdd44484eed12be81470a5d6843e1316f9b9ad23ded0da544ba.exe	31
PID 2796 wrote to memory of 2812	2796	cmd.exe	34
PID 2796 wrote to memory of 2812	2796	cmd.exe	34
PID 2796 wrote to memory of 2812	2796	cmd.exe	34
PID 2796 wrote to memory of 2812	2796	cmd.exe	34
PID 2656 wrote to memory of 2604	2656	cmd.exe	33
PID 2656 wrote to memory of 2604	2656	cmd.exe	33
PID 2656 wrote to memory of 2604	2656	cmd.exe	33
PID 2656 wrote to memory of 2604	2656	cmd.exe	33
PID 2656 wrote to memory of 2452	2656	cmd.exe	35
PID 2656 wrote to memory of 2452	2656	cmd.exe	35
PID 2656 wrote to memory of 2452	2656	cmd.exe	35
PID 2656 wrote to memory of 2452	2656	cmd.exe	35
PID 2656 wrote to memory of 2736	2656	cmd.exe	36
PID 2656 wrote to memory of 2736	2656	cmd.exe	36
PID 2656 wrote to memory of 2736	2656	cmd.exe	36
PID 2656 wrote to memory of 2736	2656	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\176c01eadc93bcdd44484eed12be81470a5d6843e1316f9b9ad23ded0da544ba.exe
"C:\Users\Admin\AppData\Local\Temp\176c01eadc93bcdd44484eed12be81470a5d6843e1316f9b9ad23ded0da544ba.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\zbe2024328181137289.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\SysWOW64\schtasks.exe
    Schtasks.Exe /delete /tn "Maintenance" /f
    3⤵
    PID:2588
- - C:\Windows\SysWOW64\schtasks.exe
    Schtasks.Exe /create /tn "Maintenance" /xml "C:\Users\Admin\AppData\Local\Temp\zx2024328181137289.xml"
    3⤵
    - Creates scheduled task(s)
    PID:2812
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\zb2024328181137289.bat" "
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Windows\SysWOW64\chcp.com
    chcp 1251
    3⤵
    PID:2604
- - C:\Users\Admin\AppData\Local\Temp\176c01eadc93bcdd44484eed12be81470a5d6843e1316f9b9ad23ded0da544ba.exe
    "C:\Users\Admin\AppData\Local\Temp\176c01eadc93bcdd44484eed12be81470a5d6843e1316f9b9ad23ded0da544ba.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2452
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 3 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\zb2024328181137289.bat

Filesize
760B

MD5
9dea14d29205457346752d3d9afba166

SHA1
dd3948bbbbfbe1bd41cde5ef5fc5e425144d731f

SHA256
e45f79190dfd61d0d7741911d697ddbbcafe9870cfa333e485afe3b8a1ed146c

SHA512
29717729ae54cd8cfd5a630b691e9c3b5a92aea34707d3cc48a177cea254b1821d2c2a87ff4458a66461e1962646262a705825aea1df1686e3a8f12de4b56c89

Download Submit
C:\Users\Admin\AppData\Local\Temp\zbe2024328181137289.bat

Filesize
312B

MD5
2c4e7b2988661d8cf56c1eda228fd35c

SHA1
19760fff9606b649a5248f072a90bee168780ad6

SHA256
52430ddc94a261a3c4a09624ca103d8c433d15635b4168a3383277708e353fcc

SHA512
00e2fe514f1a36e8cb6ec5428e0b6ccfa0b4100afcfcdc27cedc8cf0bd2e442b3832bbd220c147342030f7eaf987336d5f0f7904c86dde577b5ddf4fcd462407

Download Submit
C:\Users\Admin\AppData\Local\Temp\ze2024328181137289.tmp

Filesize
2.8MB

MD5
de10876f03a63a1713e69a1a85f2ee04

SHA1
6c033dc5471cf18e6f419e575fa947090f2779b0

SHA256
554d5253cc62872729f6b6f6e3647f2eb7cf0dd9db8f23586732d9342ffefed1

SHA512
388048307a17bc28a29b428894f28315a570e9dc7027a0d73a151a6a44d775be808271587d33a5be666c6b8a62d1d56dd0617cf5183c6d71c460e5d9a9b29628

Download Submit
C:\Users\Admin\AppData\Local\Temp\zx2024328181137289.xml

Filesize
1KB

MD5
9f9b3932bf6f25db20b9f5144c22c1a8

SHA1
fc0c9956b4effa3d0374493558144ca583e67651

SHA256
c8e9414cc95d2420c797059a1ec9761e596cda0a8b1924fefa2a758e2940386e

SHA512
ac3d3f5e00ed13c668f2c82210ec3585fcc1f4223be6e6ad4d5d1c9a56e1c3e4205601f57cd5dcf9812a238e214d7e9f55be6ac112b41153a71295b5985bcf1a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads