26430f93015e2d36c0500cee32dcfde4fe2d7c0f33fc9110f7c7fd48c6849220

Analysis

max time kernel
120s
max time network
106s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19/07/2024, 06:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

67171941bf537ca68cbd543f25a9f310N.exe
Size

496KB
MD5

67171941bf537ca68cbd543f25a9f310
SHA1

2bb586b5b12168562263df70391f05cff6b50e0c
SHA256

26430f93015e2d36c0500cee32dcfde4fe2d7c0f33fc9110f7c7fd48c6849220
SHA512

209caeb9c1f1f7a0c23c361edee0642f04ca9166cd49745b6930449785c9ad165e3b5b685525a5455148a8e8fc76284d509db3ea01338235ab6b76f582e4374b
SSDEEP

3072:c4o3aDlGxCLYdvX7oCv4INsTjkdV7UDSxJm2ti4Ms1lzz/:rDDExjFoCQTjkd6GJhi4MsLH

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
996	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
1048	67171941bf537ca68cbd543f25a9f310N.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\oRyqmC.dll	67171941bf537ca68cbd543f25a9f310N.exe
File created	C:\Windows\CLOG.txt	67171941bf537ca68cbd543f25a9f310N.exe
File created	C:\Windows\xUXoiUJ.dll	svchost.exe
File opened for modification	C:\Windows\CLOG.txt	svchost.exe
File created	C:\Windows\NhWCBJN\FMDypBH.dll	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
996	svchost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 996	1048	67171941bf537ca68cbd543f25a9f310N.exe	29
PID 1048 wrote to memory of 996	1048	67171941bf537ca68cbd543f25a9f310N.exe	29
PID 1048 wrote to memory of 996	1048	67171941bf537ca68cbd543f25a9f310N.exe	29
PID 1048 wrote to memory of 996	1048	67171941bf537ca68cbd543f25a9f310N.exe	29

C:\Users\Admin\AppData\Local\Temp\67171941bf537ca68cbd543f25a9f310N.exe
"C:\Users\Admin\AppData\Local\Temp\67171941bf537ca68cbd543f25a9f310N.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1048
- C:\ProgramData\Ceycjp\svchost.exe
  "C:\ProgramData\Ceycjp\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\CLOG.txt

Filesize
165B

MD5
077250c4f61de2669b4666f24ec172df

SHA1
929ff414a83159b8862f9445c3eb3321f247af55

SHA256
6e01eade6ca1b0835b090bf6e7a1770a32e253ba0cb26423b9d114772d5feaf6

SHA512
138e56c60b887a9b9c9175511ddb8ebbcb592f1cb3eedf7a4fca17c39c6712c61b128d640ba3bbe649c3baebce887632ea5ff4b4bae15c2311923736cd9169a6

Download Submit
\ProgramData\Ceycjp\svchost.exe

Filesize
500KB

MD5
17ad2fd7cfe7426f5c8274a0f7f60322

SHA1
1199c01c84a2a5e41ef261dcb367afc9f79f31c9

SHA256
c7c8c01aaa0dc8fa81038116cfa02f40a32bfee47a7b616f508067bfdd453381

SHA512
20c787835902f9948c78319dd4cbec14cef75d2ef2400d31f6a5689d01d526fc1b11aacd1eca26e0383b46904c5c1b9f5798dfcf9b08f73915c901b6962fc947

Download Submit
memory/996-34-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/996-31-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/996-26-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/996-15-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/996-23-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/996-19-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1048-8-0x0000000001DF0000-0x0000000001E4C000-memory.dmp

Filesize
368KB

Download
memory/1048-13-0x0000000000230000-0x0000000000233000-memory.dmp

Filesize
12KB

Download
memory/1048-14-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1048-1-0x0000000000230000-0x0000000000233000-memory.dmp

Filesize
12KB

Download
memory/1048-0-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download