ec496f1f26f8a345a685296006d64696d41895848c499c831f30e7b370a7584c

Analysis

max time kernel
14s
max time network
136s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
14-06-2024 13:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec496f1f26f8a345a685296006d64696d41895848c499c831f30e7b370a7584c.exe
Size

1.1MB
MD5

ad42d7bc215d988b8bf99ef77bd45b32
SHA1

0e8f5841044f9d80b4a821dbfbea46597a560982
SHA256

ec496f1f26f8a345a685296006d64696d41895848c499c831f30e7b370a7584c
SHA512

8e800d46f7557032c287b291f925d8f7e719ec8727ad79eb01a2d4310264b3e40f888fae3898bbcd17bdd82cf7686c390342a1ad71a32fe4691cf788f12b1c71
SSDEEP

24576:MJr8tE+GZeFW4zyw0CxHqiGOw0CN4zpaVXcpd6CBiC:MJ4UA3LPes

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2664	wscriptandroid.exe
2500	rundll32android.exe
2584	rundll32android.exe
2564	rundll32android.exe

Loads dropped DLL 18 IoCs

pid	Process
3020	ec496f1f26f8a345a685296006d64696d41895848c499c831f30e7b370a7584c.exe
3020	ec496f1f26f8a345a685296006d64696d41895848c499c831f30e7b370a7584c.exe
3020	ec496f1f26f8a345a685296006d64696d41895848c499c831f30e7b370a7584c.exe
3020	ec496f1f26f8a345a685296006d64696d41895848c499c831f30e7b370a7584c.exe
3020	ec496f1f26f8a345a685296006d64696d41895848c499c831f30e7b370a7584c.exe
2664	wscriptandroid.exe
2664	wscriptandroid.exe
2500	rundll32android.exe
2500	rundll32android.exe
2664	wscriptandroid.exe
2664	wscriptandroid.exe
2584	rundll32android.exe
2584	rundll32android.exe
2664	wscriptandroid.exe
2664	wscriptandroid.exe
2564	rundll32android.exe
2564	rundll32android.exe
2664	wscriptandroid.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 2664	3020	ec496f1f26f8a345a685296006d64696d41895848c499c831f30e7b370a7584c.exe	28
PID 3020 wrote to memory of 2664	3020	ec496f1f26f8a345a685296006d64696d41895848c499c831f30e7b370a7584c.exe	28
PID 3020 wrote to memory of 2664	3020	ec496f1f26f8a345a685296006d64696d41895848c499c831f30e7b370a7584c.exe	28
PID 3020 wrote to memory of 2664	3020	ec496f1f26f8a345a685296006d64696d41895848c499c831f30e7b370a7584c.exe	28
PID 2664 wrote to memory of 2500	2664	wscriptandroid.exe	29
PID 2664 wrote to memory of 2500	2664	wscriptandroid.exe	29
PID 2664 wrote to memory of 2500	2664	wscriptandroid.exe	29
PID 2664 wrote to memory of 2500	2664	wscriptandroid.exe	29
PID 2664 wrote to memory of 2584	2664	wscriptandroid.exe	30
PID 2664 wrote to memory of 2584	2664	wscriptandroid.exe	30
PID 2664 wrote to memory of 2584	2664	wscriptandroid.exe	30
PID 2664 wrote to memory of 2584	2664	wscriptandroid.exe	30
PID 2664 wrote to memory of 2564	2664	wscriptandroid.exe	31
PID 2664 wrote to memory of 2564	2664	wscriptandroid.exe	31
PID 2664 wrote to memory of 2564	2664	wscriptandroid.exe	31
PID 2664 wrote to memory of 2564	2664	wscriptandroid.exe	31

C:\Users\Admin\AppData\Local\Temp\ec496f1f26f8a345a685296006d64696d41895848c499c831f30e7b370a7584c.exe
"C:\Users\Admin\AppData\Local\Temp\ec496f1f26f8a345a685296006d64696d41895848c499c831f30e7b370a7584c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\wscriptandroid.exe
  "C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\wscriptandroid.exe" 3.vbs
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe
    "C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe" lframe32.dll,payloadSound1
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2500
- - C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe
    "C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe" lframe32.dll,payloadColor
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2584
- - C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe
    "C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe" lframe32.dll,payloadCopyCur
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2564
- - C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe
    "C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe" lframe32.dll,payloadDrawError
    3⤵
    PID:592
- - C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe
    "C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe" lframe32.dll,payloadEllipse
    3⤵
    PID:548
- - C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe
    "C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe" lframe32.dll,payloadGray
    3⤵
    PID:1628
- - C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe
    "C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe" lframe32.dll,payloadMoveDesk
    3⤵
    PID:1636
- - C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe
    "C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe" lframe32.dll,payloadSquare
    3⤵
    PID:1092
- - C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe
    "C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe" lframe32.dll,payloadStretch
    3⤵
    PID:1616
- - C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe
    "C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe" lframe32.dll,payloadTriangle
    3⤵
    PID:2812
- - C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe
    "C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe" lframe32.dll,payloadTunnel
    3⤵
    PID:944
- - C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe
    "C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe" lframe32.dll,payloadWave
    3⤵
    PID:1964
- - C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\chxt.exe
    "C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\chxt.exe"
    3⤵
    PID:1500
- - C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\dlsy.exe
    "C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\dlsy.exe"
    3⤵
    PID:2292
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\AdvPL.dll,payload 8
      4⤵
      PID:1976
- - C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\jyss.exe
    "C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\jyss.exe"
    3⤵
    PID:2336
- - C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\ltss.exe
    "C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\ltss.exe"
    3⤵
    PID:2100
- - C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\pmmsk.exe
    "C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\pmmsk.exe"
    3⤵
    PID:1980
- - C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\pmpy.exe
    "C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\pmpy.exe"
    3⤵
    PID:1824
- - C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\pmrh.exe
    "C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\pmrh.exe"
    3⤵
    PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\3.vbs

Filesize
5KB

MD5
7b5fe664d51a76e79fecb7d211fc8904

SHA1
78c2255d7fff268ebe11740b9568499186acb32b

SHA256
1d294d2d2cf0c4ee8c844d548b1eae098b140fd6628b322662d15738d1cc59ad

SHA512
f526835803c2ee354817ef540137feb3f7a31ab938c6594b4b2b031af24b3229b9253f3c9389932686eccf75b0f9fe1a3d6c4710d91f373fbe700a6fadece5c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\lframe32.dll

Filesize
104KB

MD5
cea881999b654dd37b181c96b471986c

SHA1
329eda71abd3981a54fdf1c6b090f35de3f050aa

SHA256
ee60b78b92c179038c72c8b2c7c38a52e2cab8c3c1e7d96d49b62dffdf96ab7a

SHA512
c9d35a802d5be5ef3005eb5a75f5cba06b3b5ee8524a80f070c4b56f729008a43e6a7a76460dacf5a461fbab0e74eb33157b60bef2e8b1afc7a981bc9f839b06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe

Filesize
43KB

MD5
ff7cadf8d0db2d507a599f2d76e0e859

SHA1
00eeacc602e413f937a0ec675fb6244f2a866215

SHA256
9929b8e2242232dea1a251d7c4cc3a233f6a82f0a03bcd75f1a42a3a76260ec0

SHA512
1864984fb2f1501584a1dfc2574493d6fa72495f592765906ea3389a12abe3fa4e91106c05ac7032777488da8e06735596f218673330420c1f19971ce6f78d0a

Download Submit
\Users\Admin\AppData\Local\Temp\Android Icon Virus\wscriptandroid.exe

Filesize
132KB

MD5
3d27d125a2d16510665a69522fe3143c

SHA1
e7907467144b2655062093be7c2bee8ce419eb7c

SHA256
6454da055ac4123540e89e7b5d650e388951a43ccda30b91e1985425ceeae113

SHA512
01bfd59602e3cbd6a7f5d3a3f97d782740164be494ff8c213bd696d28845409fcb3b9527389b7191b8ea7f02dfdff9e029a7fd96afa78bd4bcc7bbbefd690704

Download Submit