Analysis

  • max time kernel
    122s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    09/06/2024, 07:34

General

  • Target

    b7b403ed495e91977aac36d4b80c1b60fa0f6cbb3b9ff9c2b357a3b7aa022d2b.exe

  • Size

    95KB

  • MD5

    dae39904d892c7cfaaa95bfa50a7b976

  • SHA1

    296d813c666e50c1816b7a77546a6ac93b826ceb

  • SHA256

    b7b403ed495e91977aac36d4b80c1b60fa0f6cbb3b9ff9c2b357a3b7aa022d2b

  • SHA512

    83a9325bccc04ea9e04b6e5255b888e9f01ceb32b8d524e34f2a5817d54ec3e93787cdfffec840d2b05e5a313fe3bf91636a15af90451a40a83fa788213204f0

  • SSDEEP

    1536:EGqRGbQHSgOTw1BFxnsUdsdBhMgxRFy2kckEUEVvccRPAAXLSYPph/ATvYSByU6m:lbjgjXxdWBhMwRFy2Rk/kcIAebPph/Ah

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b7b403ed495e91977aac36d4b80c1b60fa0f6cbb3b9ff9c2b357a3b7aa022d2b.exe
    "C:\Users\Admin\AppData\Local\Temp\b7b403ed495e91977aac36d4b80c1b60fa0f6cbb3b9ff9c2b357a3b7aa022d2b.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2740
    • C:\WINDOWS\VWFLH\rMX.exe
      C:\WINDOWS\VWFLH\rMX.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2988
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c echo 0>>c:\windows\nk.txt
        3⤵
        • Drops file in Windows directory
        PID:2984
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c C:\WINDOWS\VWFLH\rMX.exe.exe
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2520
        • C:\WINDOWS\VWFLH\rMX.exe.exe
          C:\WINDOWS\VWFLH\rMX.exe.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2508
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c c:\88.vbs
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2700
            • C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\88.vbs"
              6⤵
              PID:3008
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c c:\85.vbs
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2592
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\85.vbs"
          3⤵
          • Deletes itself
          PID:2636

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\85.vbs

      Filesize

      236B

      MD5

      be4bec113d3e78f731a2574ff4bf9f4a

      SHA1

      2711436d2a607701fc09f12ec43ec845719e94b5

      SHA256

      f0cea06bd67c122a7b5a3ef431f6e719998b0437a96831a165001c0560a3c00a

      SHA512

      10948a4d356f59395b4aac5e4f6ce8b5cb5dbd1bf4ea0e4a302628ab0151ab36346ac2c53e80cc1c716f420b8ac93950ae0811f979b6f551c512803c36a183d9

    • C:\88.vbs

      Filesize

      162B

      MD5

      f9a1a5c1ab7d3d6d6a21d84d9f7733c0

      SHA1

      05a29559857825c82c9652b31b94b3cfb458c070

      SHA256

      a1321e66807fd956e9b9e0ed938a1393f676df717ffbfd74a08d3c632ef1a711

      SHA512

      5eea6e6ceac56c4b2ac01347b86f41785be0adcc76e4f5d64af5e98133c95c572a7b0a6ed16bf475d54079d6a31f801bd8220cd783dec20cbe0986fb25d685ed

    • C:\Windows\VWFLH\rMX.exe

      Filesize

      95KB

      MD5

      dae39904d892c7cfaaa95bfa50a7b976

      SHA1

      296d813c666e50c1816b7a77546a6ac93b826ceb

      SHA256

      b7b403ed495e91977aac36d4b80c1b60fa0f6cbb3b9ff9c2b357a3b7aa022d2b

      SHA512

      83a9325bccc04ea9e04b6e5255b888e9f01ceb32b8d524e34f2a5817d54ec3e93787cdfffec840d2b05e5a313fe3bf91636a15af90451a40a83fa788213204f0

    • \Windows\VWFLH\rMX.exe.exe

      Filesize

      95KB

      MD5

      11e1d8159af3475e3b897e0f8f879940

      SHA1

      6dbf00b501fbd420d8219957c955ecac8af56dcb

      SHA256

      b0439edfece7ce3be6275b33f3818d9b0e34bed5f078e3dca6fe1825ba683679

      SHA512

      159d3271bdb8c6e8aa19605ee916431a6af4ec2b0b9ac10b867cb7f3c648923107511775bc5c4208a9709d349c931338cc5dec18f2e829e79a73c7b9dca5d143

    • memory/2508-28-0x000000007EEE0000-0x000000007EEFF000-memory.dmp

      Filesize

      124KB

    • memory/2740-15-0x000000007EEE0000-0x000000007EEFF000-memory.dmp

      Filesize

      124KB

    • memory/2988-13-0x000000007EEE0000-0x000000007EEFF000-memory.dmp

      Filesize

      124KB