13275c057816e8a845780f7efc56f71d9eb0d82872fe4f2999a875eed4a24dc1

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
17-07-2024 12:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2009007981Ayon397.4lbs.exe
Size

571KB
MD5

ba26fb77b6835108c50a7679a8d700cb
SHA1

f7e765dfe86361f13b0bce8497a6ca313e51c96b
SHA256

1475fc004e86e28f28d91df9cc206c0da886bc085da17f853adba49990d8ca41
SHA512

c6befb6fa1359411eb02cf2b3087def66c05590f4bec180d9a832926925deface5d454e81f6d88f1e34283a876853e1cf97070577f7651dd4fcbb273ddc3cf93
SSDEEP

12288:9ufIQziUgIg4oCHT5B7PotSOx164gNIHNbZs8Lp97rWsVFqG5aDIBIDh:uGUdg4bHVBbotSOjaIHhZJLp97rWsV1k

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2352	EXEE1F6.tmp

Loads dropped DLL 2 IoCs

pid	Process
2308	2009007981Ayon397.4lbs.exe
2308	2009007981Ayon397.4lbs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2352	EXEE1F6.tmp
2352	EXEE1F6.tmp

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 2352	2308	2009007981Ayon397.4lbs.exe	31
PID 2308 wrote to memory of 2352	2308	2009007981Ayon397.4lbs.exe	31
PID 2308 wrote to memory of 2352	2308	2009007981Ayon397.4lbs.exe	31
PID 2308 wrote to memory of 2352	2308	2009007981Ayon397.4lbs.exe	31
PID 2352 wrote to memory of 1772	2352	EXEE1F6.tmp	32
PID 2352 wrote to memory of 1772	2352	EXEE1F6.tmp	32
PID 2352 wrote to memory of 1772	2352	EXEE1F6.tmp	32
PID 2352 wrote to memory of 1772	2352	EXEE1F6.tmp	32

C:\Users\Admin\AppData\Local\Temp\2009007981Ayon397.4lbs.exe
"C:\Users\Admin\AppData\Local\Temp\2009007981Ayon397.4lbs.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Users\Admin\AppData\Local\Temp\EXEE1F6.tmp
  "C:\Users\Admin\AppData\Local\Temp\EXEE1F6.tmp" "C:\Users\Admin\AppData\Local\Temp\OFME1F7.tmp" "C:\Users\Admin\AppData\Local\Temp\2009007981Ayon397.4lbs.exe" http://www.eomniform.com/OF5/nsplugins/OFMailX.cab http://www.eomniform.com/OF5/nsplugins/OFMailNP.jar http://www.eomniform.com/OF5/nsplugins/OFMailNP.xpi
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2352
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:1772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OFME1F7.tmp

Filesize
80KB

MD5
1825b1b2272f944b3414743b2884798d

SHA1
89656df8c0e69bb008dd8c4c0ed19e6c278bc67d

SHA256
328f6ec3d8deebb38e4a6fa776c14514120875cc64e12acc3531daff9afe9b34

SHA512
ffb81cdb26201e16660e36682d8ed75e92b9cb0344e408202f94b285929b998ff83de5942590a37f9b8a78e7e48384e1126cdb30b35d095bc93334b9b362489c

Download Submit
\Users\Admin\AppData\Local\Temp\EXEE1F6.tmp

Filesize
1.1MB

MD5
2d2fd71efa30293b805806d7e8999f8f

SHA1
3ca3d43dbb456a33874c6f7707b6d55e32c2d911

SHA256
edc16a9ae5e1fe484d301ed4680eefb85677e85712793fd69338c35f15febb99

SHA512
639e50317f4da0f793d9f7d4bff3ee1afb8e9f929727ad47816a104b052a81047253631b078b85f0b6e056bdd37e4b67e2e468a760ab05b9b1eb4bf1efa31a01

Download Submit