eebcbfa696c9f21dfac0985ff01717da284421a681301e45105224e4676479cd

Analysis

max time kernel
117s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/06/2024, 11:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eebcbfa696c9f21dfac0985ff01717da284421a681301e45105224e4676479cd.exe
Size

662KB
MD5

38352e0d20637fe078598221810e87a5
SHA1

1095aa8c60cd784ba2f4b7cda6e1f9044a464393
SHA256

eebcbfa696c9f21dfac0985ff01717da284421a681301e45105224e4676479cd
SHA512

ba22415551fa0434e31c25b0c0ba2bd8bb7c125de4e8d0da588999c457f5101736e38d9edd0992009d9f25d3ed3383b68878fdb3ad57744a1ed8026ff9f2a232
SSDEEP

12288:8X/6dDqPkhJhW4KlYdMTUA8j0q7g2iZ1gwrRSUgxpcpLHP9XM45XJ:+6dDqPk/QYdMTP2bwrwUSSDVcgXJ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3016	EXE7B38.tmp

Loads dropped DLL 2 IoCs

pid	Process
1760	eebcbfa696c9f21dfac0985ff01717da284421a681301e45105224e4676479cd.exe
1760	eebcbfa696c9f21dfac0985ff01717da284421a681301e45105224e4676479cd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3016	EXE7B38.tmp
3016	EXE7B38.tmp

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1760 wrote to memory of 3016	1760	eebcbfa696c9f21dfac0985ff01717da284421a681301e45105224e4676479cd.exe	28
PID 1760 wrote to memory of 3016	1760	eebcbfa696c9f21dfac0985ff01717da284421a681301e45105224e4676479cd.exe	28
PID 1760 wrote to memory of 3016	1760	eebcbfa696c9f21dfac0985ff01717da284421a681301e45105224e4676479cd.exe	28
PID 1760 wrote to memory of 3016	1760	eebcbfa696c9f21dfac0985ff01717da284421a681301e45105224e4676479cd.exe	28
PID 3016 wrote to memory of 2564	3016	EXE7B38.tmp	29
PID 3016 wrote to memory of 2564	3016	EXE7B38.tmp	29
PID 3016 wrote to memory of 2564	3016	EXE7B38.tmp	29
PID 3016 wrote to memory of 2564	3016	EXE7B38.tmp	29

C:\Users\Admin\AppData\Local\Temp\eebcbfa696c9f21dfac0985ff01717da284421a681301e45105224e4676479cd.exe
"C:\Users\Admin\AppData\Local\Temp\eebcbfa696c9f21dfac0985ff01717da284421a681301e45105224e4676479cd.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Users\Admin\AppData\Local\Temp\EXE7B38.tmp
  "C:\Users\Admin\AppData\Local\Temp\EXE7B38.tmp" "C:\Users\Admin\AppData\Local\Temp\OFM7B39.tmp" "C:\Users\Admin\AppData\Local\Temp\eebcbfa696c9f21dfac0985ff01717da284421a681301e45105224e4676479cd.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OFM7B39.tmp

Filesize
192KB

MD5
a8495549e3bf73da858a036ed8d232bd

SHA1
700f77e52984e3f9f5e411e03be2740a1e5c1f00

SHA256
8fa0bd2f6b2aafb63966ee3afc43dd4abd6bd81b32667509351fa41a3d84431f

SHA512
ebfd2d47ade2627047fdf37c8c1edbde2ec06358f26503c36fce44020f48e3526d3460343f145aaf4b4d755fe3a1313b61c5b3762d38c1cdaa713e4cb6ef1432

Download Submit
\Users\Admin\AppData\Local\Temp\EXE7B38.tmp

Filesize
980KB

MD5
34cabedafaf5ce498d245242ac48670e

SHA1
7a78f2a64618448f8118203f3c7225f6f84622d0

SHA256
6dbefd357dc6ad020b5f4c7597312029094bdf9cc08bf2ae911bb2617ab28b39

SHA512
6801b911e4272093129cea416d4e8334250f6d393b4d634d251c22922f5c1906516cf53e2958011e7cb3e2a3e86ba74ea2547bbbcaba210db375ac0a6152fe18

Download Submit