Analysis
- max time kernel: 121s
- max time network: 129s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 18-06-2024 12:11
Behavioral task: behavioral1
- Sample: 13e5872e9b7c47090e035dc228c5589f.exe
- Resource: win7-20240611-en

Behavioral task: behavioral2
- Sample: 13e5872e9b7c47090e035dc228c5589f.exe
- Resource: win10v2004-20240508-en
General
- Target: 13e5872e9b7c47090e035dc228c5589f.exe
- Size: 424KB
- MD5: 13e5872e9b7c47090e035dc228c5589f
- SHA1: c55a9708091f19b5fc5baf7c37beb99d8d3bf760
- SHA256: d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc
- SHA512: 260671baa8f30e2364b21ab0a9cd3d8a104f76032ebfd3684150d8c318b9cb759b246ae8df25274e864053a6d55bdb77e028452b1d91999b37efc291f8ee815e
- SSDEEP: 6144:9O1rkNbOFsBuztTfSoRgxX+j14TGYoij7aR1XPQg9TU5YGmvST3h68BoKupOdCHP:3xBuBTExX+AoLzTUKdvST/BoKupOjUz
Malware Config
Extracted
- amadey
- 4.30
- b90491
- http://o7labs.top
- install_dir: 5641a448ac
- install_file: Hkbsse.exe
- strings_key: 6ca55fed034d4e76c257fcff1c461762
- url_paths: /visual/skins/index.php
Signatures
- Executes dropped EXE (1 IoC)
  Processes: PID 3000 Hkbsse.exe
- Loads dropped DLL (1 IoC)
  Processes: PID 1916 13e5872e9b7c47090e035dc228c5589f.exe
- Drops file in Windows directory (1 IoC)
  Processes: 13e5872e9b7c47090e035dc228c5589f.exe created file C:\Windows\Tasks\Hkbsse.job
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes: PID 1916 13e5872e9b7c47090e035dc228c5589f.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: PID 1916 (13e5872e9b7c47090e035dc228c5589f.exe) wrote to memory of PID 3000 (Hkbsse.exe), 4 events
Processes
- C:\Users\Admin\AppData\Local\Temp\13e5872e9b7c47090e035dc228c5589f.exe (PID 1916)
  Command line: "C:\Users\Admin\AppData\Local\Temp\13e5872e9b7c47090e035dc228c5589f.exe"
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exe (PID 3000)
    Command line: "C:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exe"
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 66KB
  MD5: 0426fd386675acf49ff994487ed0fa1c
  SHA1: e98e8037434bf77e1ab9fe4c8fa0a57bc5c79f83
  SHA256: d4b87bd066fb1f8494f68077801691e4d0c3ddfc9c88ac4a3f434e1fd8c2d16b
  SHA512: 162bb10b91239f3fec94aa8de14c9398c361356cf4969a99e0ed952d01b7c7578771828c690a0b42fa08c9f12bae15d57330926f5eb388f2ff2063818edb0710
- Filesize: 424KB
  MD5: 13e5872e9b7c47090e035dc228c5589f
  SHA1: c55a9708091f19b5fc5baf7c37beb99d8d3bf760
  SHA256: d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc
  SHA512: 260671baa8f30e2364b21ab0a9cd3d8a104f76032ebfd3684150d8c318b9cb759b246ae8df25274e864053a6d55bdb77e028452b1d91999b37efc291f8ee815e