0e26ca7fcb43d78a6ba26fd549b563620543e9812ec7f8d75fb187ee66d5b218

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
21-05-2024 20:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e26ca7fcb43d78a6ba26fd549b563620543e9812ec7f8d75fb187ee66d5b218.exe
Size

85KB
MD5

12f3016d3e7a0fcc13e97a3521a0f8f0
SHA1

15e59e2a5c7c1dc53a516c2445866e6e3180b58c
SHA256

0e26ca7fcb43d78a6ba26fd549b563620543e9812ec7f8d75fb187ee66d5b218
SHA512

69f31f8b057c4774e85b786338e6ac5920225a78b00bf425459671025a3f2bbc069ee45be79bf9e41b00378c6b5bf27ddff96817bb93d197d7693a22bbaad8bc
SSDEEP

1536:D00URPnKfZrT2DawRR8JfP3JZB355B/CYTjipvF2a:D00URSfsGyREZB355BqYvQd2a

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

odbc32.exe

pid process

1548 odbc32.exe
Loads dropped DLL 1 IoCs

Processes:

0e26ca7fcb43d78a6ba26fd549b563620543e9812ec7f8d75fb187ee66d5b218.exe

pid process

2924 0e26ca7fcb43d78a6ba26fd549b563620543e9812ec7f8d75fb187ee66d5b218.exe

pid	process
1548	odbc32.exe

pid	process
2924	0e26ca7fcb43d78a6ba26fd549b563620543e9812ec7f8d75fb187ee66d5b218.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

odbc32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Network Services = "\"C:\\Windows\\SysWOW64\\odbc32.exe\" /O0"	odbc32.exe

Drops file in System32 directory 1 IoCs

Processes:

0e26ca7fcb43d78a6ba26fd549b563620543e9812ec7f8d75fb187ee66d5b218.exe

description ioc process

File created C:\Windows\SysWOW64\odbc32.exe 0e26ca7fcb43d78a6ba26fd549b563620543e9812ec7f8d75fb187ee66d5b218.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\SysWOW64\odbc32.exe	0e26ca7fcb43d78a6ba26fd549b563620543e9812ec7f8d75fb187ee66d5b218.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

0e26ca7fcb43d78a6ba26fd549b563620543e9812ec7f8d75fb187ee66d5b218.exe

description	pid	process	target process
PID 2924 wrote to memory of 1548	2924	0e26ca7fcb43d78a6ba26fd549b563620543e9812ec7f8d75fb187ee66d5b218.exe	odbc32.exe
PID 2924 wrote to memory of 1548	2924	0e26ca7fcb43d78a6ba26fd549b563620543e9812ec7f8d75fb187ee66d5b218.exe	odbc32.exe
PID 2924 wrote to memory of 1548	2924	0e26ca7fcb43d78a6ba26fd549b563620543e9812ec7f8d75fb187ee66d5b218.exe	odbc32.exe
PID 2924 wrote to memory of 1548	2924	0e26ca7fcb43d78a6ba26fd549b563620543e9812ec7f8d75fb187ee66d5b218.exe	odbc32.exe

C:\Users\Admin\AppData\Local\Temp\0e26ca7fcb43d78a6ba26fd549b563620543e9812ec7f8d75fb187ee66d5b218.exe
"C:\Users\Admin\AppData\Local\Temp\0e26ca7fcb43d78a6ba26fd549b563620543e9812ec7f8d75fb187ee66d5b218.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2924

C:\Windows\SysWOW64\odbc32.exe
"C:\Windows\system32\odbc32.exe" /O0
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\odbc32.exe

Filesize
85KB

MD5
0fab6f06eecbcb42c4c6f8be63e0dc62

SHA1
e10d381330e2cbf7010603e154ab07ba95c977b2

SHA256
61bee08b6da6b2a567b67b8782da8ab3d7325b6a8792e973babe0170b6646863

SHA512
f5cbc52ea5db2b9584e05cc2b2390987a771dca5f3358a622fa555ac10cb8b5478c881e4371c66ad19288136f3f8591b31adcea2adf7abcf1156da1fe64f29cf

Download Submit