bf8af655ee4cb83a11232fc6053daab65cb49f4d68cb24196de2eb3bcee32a10

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
09/07/2024, 04:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf8af655ee4cb83a11232fc6053daab65cb49f4d68cb24196de2eb3bcee32a10.exe
Size

95KB
MD5

27fbd97392b14b3d4cf565d2a56d412e
SHA1

ae3c4080559cb2201df7c3eddc9a0d559183d6a2
SHA256

bf8af655ee4cb83a11232fc6053daab65cb49f4d68cb24196de2eb3bcee32a10
SHA512

602fb7876486b0c1d78776a6870d3a5f1c0c27347266968d098de8a3ae3ace7da17ffb1d518a759a20442512f78f365bf0a4b55dbb291c402a6ca9f4896eda57
SSDEEP

1536:EGqRGbQHSgOTw1BFxnsUdsdBhMgxRFy2kckEUEVvccRPAAXLSYPph/ATvYSByU62:lbjgjXxdWBhMwRFy2Rk/kcIAebPph/At

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2960	WScript.exe

Executes dropped EXE 2 IoCs

pid	Process
2276	rMX.exe
2828	rMX.exe.exe

Loads dropped DLL 4 IoCs

pid	Process
1672	bf8af655ee4cb83a11232fc6053daab65cb49f4d68cb24196de2eb3bcee32a10.exe
1672	bf8af655ee4cb83a11232fc6053daab65cb49f4d68cb24196de2eb3bcee32a10.exe
1004	cmd.exe
1004	cmd.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\WINDOWS\VWFLH\rMX.exe	bf8af655ee4cb83a11232fc6053daab65cb49f4d68cb24196de2eb3bcee32a10.exe
File opened for modification	C:\WINDOWS\VWFLH\rMX.exe	bf8af655ee4cb83a11232fc6053daab65cb49f4d68cb24196de2eb3bcee32a10.exe
File created	\??\c:\windows\rMX.exe.bat	rMX.exe
File created	C:\WINDOWS\VWFLH\rMX.exe.exe	rMX.exe
File opened for modification	C:\WINDOWS\VWFLH\rMX.exe.exe	rMX.exe
File opened for modification	\??\c:\windows\nk.txt	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 2276	1672	bf8af655ee4cb83a11232fc6053daab65cb49f4d68cb24196de2eb3bcee32a10.exe	30
PID 1672 wrote to memory of 2276	1672	bf8af655ee4cb83a11232fc6053daab65cb49f4d68cb24196de2eb3bcee32a10.exe	30
PID 1672 wrote to memory of 2276	1672	bf8af655ee4cb83a11232fc6053daab65cb49f4d68cb24196de2eb3bcee32a10.exe	30
PID 1672 wrote to memory of 2276	1672	bf8af655ee4cb83a11232fc6053daab65cb49f4d68cb24196de2eb3bcee32a10.exe	30
PID 2276 wrote to memory of 2300	2276	rMX.exe	31
PID 2276 wrote to memory of 2300	2276	rMX.exe	31
PID 2276 wrote to memory of 2300	2276	rMX.exe	31
PID 2276 wrote to memory of 2300	2276	rMX.exe	31
PID 2276 wrote to memory of 1004	2276	rMX.exe	32
PID 2276 wrote to memory of 1004	2276	rMX.exe	32
PID 2276 wrote to memory of 1004	2276	rMX.exe	32
PID 2276 wrote to memory of 1004	2276	rMX.exe	32
PID 1672 wrote to memory of 576	1672	bf8af655ee4cb83a11232fc6053daab65cb49f4d68cb24196de2eb3bcee32a10.exe	33
PID 1672 wrote to memory of 576	1672	bf8af655ee4cb83a11232fc6053daab65cb49f4d68cb24196de2eb3bcee32a10.exe	33
PID 1672 wrote to memory of 576	1672	bf8af655ee4cb83a11232fc6053daab65cb49f4d68cb24196de2eb3bcee32a10.exe	33
PID 1672 wrote to memory of 576	1672	bf8af655ee4cb83a11232fc6053daab65cb49f4d68cb24196de2eb3bcee32a10.exe	33
PID 1004 wrote to memory of 2828	1004	cmd.exe	37
PID 1004 wrote to memory of 2828	1004	cmd.exe	37
PID 1004 wrote to memory of 2828	1004	cmd.exe	37
PID 1004 wrote to memory of 2828	1004	cmd.exe	37
PID 2828 wrote to memory of 2932	2828	rMX.exe.exe	38
PID 2828 wrote to memory of 2932	2828	rMX.exe.exe	38
PID 2828 wrote to memory of 2932	2828	rMX.exe.exe	38
PID 2828 wrote to memory of 2932	2828	rMX.exe.exe	38
PID 576 wrote to memory of 2960	576	cmd.exe	39
PID 576 wrote to memory of 2960	576	cmd.exe	39
PID 576 wrote to memory of 2960	576	cmd.exe	39
PID 576 wrote to memory of 2960	576	cmd.exe	39
PID 2932 wrote to memory of 2672	2932	cmd.exe	41
PID 2932 wrote to memory of 2672	2932	cmd.exe	41
PID 2932 wrote to memory of 2672	2932	cmd.exe	41
PID 2932 wrote to memory of 2672	2932	cmd.exe	41

C:\Users\Admin\AppData\Local\Temp\bf8af655ee4cb83a11232fc6053daab65cb49f4d68cb24196de2eb3bcee32a10.exe
"C:\Users\Admin\AppData\Local\Temp\bf8af655ee4cb83a11232fc6053daab65cb49f4d68cb24196de2eb3bcee32a10.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1672
- C:\WINDOWS\VWFLH\rMX.exe
  C:\WINDOWS\VWFLH\rMX.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2276
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c echo 0>>c:\windows\nk.txt
    3⤵
    - Drops file in Windows directory
    PID:2300
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\WINDOWS\VWFLH\rMX.exe.exe
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1004
  - - C:\WINDOWS\VWFLH\rMX.exe.exe
      C:\WINDOWS\VWFLH\rMX.exe.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2828
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\45.vbs
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2932
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\45.vbs"
        6⤵
        
        PID:2672
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\56.vbs
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:576
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\56.vbs"
    3⤵
    - Deletes itself
    PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\45.vbs

Filesize
162B

MD5
23e8913b6b9d8ff32103b5bf8ec73432

SHA1
043363988b938324217cc7cabcd52df84c116266

SHA256
af6de3ff0ff1ab3e92da7879577a544e59bd8643a6abee2ce40e0f6f90cbba4b

SHA512
beddb36739fc28d2e2b69c497a6fc28ebfde6d6de7adc8a58eefc19adbbccb9a4561c62f7deab81cbf6df5a4ffd88c586b8b31a639d6508e208f31ddb35b5d18

Download Submit
C:\56.vbs

Filesize
236B

MD5
597c14e72b72249ef3522f09b9878b9d

SHA1
513bff0208b5c91d44fce801d3a74fb046b2ea2f

SHA256
9a29e755e9775db75161ed10e6ea602ce79dd07c1b32a61748819573880698c1

SHA512
e8838a16c31e410faba8e645f74e19f3c21b7e11c3bc4b57e07dc6b7ef706d24147c82a9679479db9ef202543501b53b416be5045c43b9d53c1b75ed77bb6b18

Download Submit
\Windows\VWFLH\rMX.exe

Filesize
95KB

MD5
27fbd97392b14b3d4cf565d2a56d412e

SHA1
ae3c4080559cb2201df7c3eddc9a0d559183d6a2

SHA256
bf8af655ee4cb83a11232fc6053daab65cb49f4d68cb24196de2eb3bcee32a10

SHA512
602fb7876486b0c1d78776a6870d3a5f1c0c27347266968d098de8a3ae3ace7da17ffb1d518a759a20442512f78f365bf0a4b55dbb291c402a6ca9f4896eda57

Download Submit
\Windows\VWFLH\rMX.exe.exe

Filesize
95KB

MD5
82f19dd9839df6f353147e7fe210c687

SHA1
c4fb2b00d672a0504a6daa9278bfc95dfc9243f6

SHA256
d472c14055d78c5e6445350db379b66b6ba88b3a7a19a1bcb56890bd33a0265d

SHA512
f94ccac6bb84cb504b655b1207ae04ca91bee433fe16e4b8b0df2f957fbc10d4e61b028682650c32161cc95b8cf4ce067cf03ceb338e610b47f0bf40f62e9ffd

Download Submit
memory/1672-15-0x000000007EEE0000-0x000000007EEFF000-memory.dmp

Filesize
124KB

Download
memory/2276-14-0x000000007EEE0000-0x000000007EEFF000-memory.dmp

Filesize
124KB

Download
memory/2828-34-0x000000007EEE0000-0x000000007EEFF000-memory.dmp

Filesize
124KB

Download