5e807de88a43edb7b341ed17b4e218f35c3204bf5dc969c131792b0a23e9ddc1

Analysis

max time kernel
120s
max time network
140s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e249dbf0acda03b41cc7ffb9d3ffe996eb648e79ec5b514d819180faebef48f4.exe
Size

288KB
MD5

040b6bc9b0e6555c619b0b6ac5c100c6
SHA1

29658672a828a82cfb57f13332799e5c14af8ae4
SHA256

e249dbf0acda03b41cc7ffb9d3ffe996eb648e79ec5b514d819180faebef48f4
SHA512

e0dcee7db91991c26e9c0405435d59da2980b883a36ed4c6a38792f6af7d156979368e0a9be9ada036f8f3f537cc770b5174e27b361ea1839877f908f806b5b0
SSDEEP

6144:KCqhNgYNRrD/tlWnuxWxVODw2v4ryAADzcL51rhAHA:KNhNgarD/tlWniqONx/6foA

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
4	2500	WScript.exe
5	2500	WScript.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pre-Setting 364KovMp.lnk	dwn_xb.exe

Executes dropped EXE 2 IoCs

pid	Process
2016	dwn_Ius.exe
2784	dwn_xb.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
5	pastebin.com
3	pastebin.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1828	PING.EXE
2504	PING.EXE

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
1828	PING.EXE
2504	PING.EXE

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	4	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	5	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
1228	e249dbf0acda03b41cc7ffb9d3ffe996eb648e79ec5b514d819180faebef48f4.exe
2016	dwn_Ius.exe
2784	dwn_xb.exe
2784	dwn_xb.exe
2784	dwn_xb.exe
2784	dwn_xb.exe
2784	dwn_xb.exe
2784	dwn_xb.exe
2784	dwn_xb.exe
2784	dwn_xb.exe
2784	dwn_xb.exe
2784	dwn_xb.exe
2784	dwn_xb.exe
2784	dwn_xb.exe
2784	dwn_xb.exe
2784	dwn_xb.exe
2784	dwn_xb.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1228	e249dbf0acda03b41cc7ffb9d3ffe996eb648e79ec5b514d819180faebef48f4.exe
Token: SeDebugPrivilege	2016	dwn_Ius.exe
Token: SeDebugPrivilege	2784	dwn_xb.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1228 wrote to memory of 2016	1228	e249dbf0acda03b41cc7ffb9d3ffe996eb648e79ec5b514d819180faebef48f4.exe	30
PID 1228 wrote to memory of 2016	1228	e249dbf0acda03b41cc7ffb9d3ffe996eb648e79ec5b514d819180faebef48f4.exe	30
PID 1228 wrote to memory of 2016	1228	e249dbf0acda03b41cc7ffb9d3ffe996eb648e79ec5b514d819180faebef48f4.exe	30
PID 2016 wrote to memory of 2784	2016	dwn_Ius.exe	31
PID 2016 wrote to memory of 2784	2016	dwn_Ius.exe	31
PID 2016 wrote to memory of 2784	2016	dwn_Ius.exe	31
PID 2784 wrote to memory of 2748	2784	dwn_xb.exe	32
PID 2784 wrote to memory of 2748	2784	dwn_xb.exe	32
PID 2784 wrote to memory of 2748	2784	dwn_xb.exe	32
PID 2748 wrote to memory of 1828	2748	WScript.exe	33
PID 2748 wrote to memory of 1828	2748	WScript.exe	33
PID 2748 wrote to memory of 1828	2748	WScript.exe	33
PID 2784 wrote to memory of 2500	2784	dwn_xb.exe	35
PID 2784 wrote to memory of 2500	2784	dwn_xb.exe	35
PID 2784 wrote to memory of 2500	2784	dwn_xb.exe	35
PID 2500 wrote to memory of 2504	2500	WScript.exe	36
PID 2500 wrote to memory of 2504	2500	WScript.exe	36
PID 2500 wrote to memory of 2504	2500	WScript.exe	36

C:\Users\Admin\AppData\Local\Temp\e249dbf0acda03b41cc7ffb9d3ffe996eb648e79ec5b514d819180faebef48f4.exe
"C:\Users\Admin\AppData\Local\Temp\e249dbf0acda03b41cc7ffb9d3ffe996eb648e79ec5b514d819180faebef48f4.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Windows Update\xZiOpxV\dwn_Ius.exe
  "C:\Windows Update\xZiOpxV\dwn_Ius.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Windows Update\xZiOpxV\dwn_xb.exe
    "C:\Windows Update\xZiOpxV\dwn_xb.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_вHخ.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2748
    - - C:\Windows\System32\PING.EXE
        
        "C:\Windows\System32\PING.EXE" -n 1 www.google.com
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1828
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_KCrхrش.vbs"
      4⤵
      Blocklisted process makes network request
      Suspicious use of WriteProcessMemory
      PID:2500
    - - C:\Windows\System32\PING.EXE
        
        "C:\Windows\System32\PING.EXE" -n 1 www.google.com
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\order_KCrхrش.vbs

Filesize
1KB

MD5
b84ff48597d45c08d420b61915f027f9

SHA1
62ab29a2ce3ee19ce02b4947a86ec02a2ced7c24

SHA256
dbaea4db7aaa10b4ee206217ab30da449f82361c573845c2fb642167e44ebcdc

SHA512
13c92c4f1224f7cf3fc80fa06bcb5a192a8f8251a7f8feb8a61c4a584c3b238e4ffa03548b649bab718bbbb503c725d1409c271214ed5cdcc206afffef71de7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\order_вHخ.vbs

Filesize
401B

MD5
6d3c548fd789fdb84d59aa7e67f3602c

SHA1
8c5090a4107260c26ce0468403bbda009b39d500

SHA256
35e61490b859ad7db490ebba7af3ae88ee3edb11fd746666904c9a8eadf613fc

SHA512
d2af5c3af18fb6bf7b11c1be2b507ddd47a0a53e9f829473cb62517ea3b90eb9eef15021bfddcf1dda28ba49480dd029e5b62bf5ee0965aa758a9088c8cdaebc

Download Submit
C:\Windows Update\xZiOpxV\dwn_Ius.exe

Filesize
288KB

MD5
76e676af8a9ca94a6b09196995af6539

SHA1
7fc7ea90ff02624fc79ad6cf35b739e1c7169d99

SHA256
3a212dba3d1639a8c8d44249f626d36b46bad5b046cf49c60d0d646884451898

SHA512
85bd4685fc0da74cfd57a07edd4646c42708800258076f69a13f4929c64cd3bac08ccd25e43b8c053848abd772c5fb47f8d8cf3ad823af340a203b3e7224e0a4

Download Submit
C:\Windows Update\xZiOpxV\tik_XEfJkR.txt

Filesize
7B

MD5
f68946148955b43d4a869d01ff727c29

SHA1
fe86995c44334f4aa307c8505452894bf531b830

SHA256
ce3300d8971843f28201ce6a66af772bd4174c26ba9dfab9f31b1e024cd503a1

SHA512
a58a314f3b6a91dacae4ecd5964996ac9e3f53f6dfcbb9de94076044d5f121177bd1b7bfc5b7e39fd1f7b8ba3053aea3addba216883255641d4817390cd8f3a2

Download Submit
C:\Windows Update\xZiOpxV\tik_oePf.txt

Filesize
4B

MD5
d3accd33402becc720abebee93ebe193

SHA1
7362b81a747f7e757e03d0c4d2e20822d7f52bf5

SHA256
9f2a59a60e65fbcd5a3e1b7248adf92890ce3a32b19e43fb4751c2657196de13

SHA512
4becf1bca4f0375aa0262b27fd05d35c8868d0d79b2ead2d815eb3caff11a913516e7b9461094d9a0b61b33d6995c3947681222f35e93322862d2675bbab1a12

Download Submit
memory/1228-42-0x000007FEF6450000-0x000007FEF6DED000-memory.dmp

Filesize
9.6MB

Download
memory/1228-0-0x000007FEF670E000-0x000007FEF670F000-memory.dmp

Filesize
4KB

Download
memory/1228-30-0x000007FEF6450000-0x000007FEF6DED000-memory.dmp

Filesize
9.6MB

Download
memory/1228-3-0x000007FEF6450000-0x000007FEF6DED000-memory.dmp

Filesize
9.6MB

Download
memory/1228-2-0x000007FEF6450000-0x000007FEF6DED000-memory.dmp

Filesize
9.6MB

Download
memory/1228-50-0x000007FEF6450000-0x000007FEF6DED000-memory.dmp

Filesize
9.6MB

Download
memory/1228-1-0x000007FEF6450000-0x000007FEF6DED000-memory.dmp

Filesize
9.6MB

Download
memory/2016-31-0x000007FEF6450000-0x000007FEF6DED000-memory.dmp

Filesize
9.6MB

Download
memory/2016-32-0x000007FEF6450000-0x000007FEF6DED000-memory.dmp

Filesize
9.6MB

Download
memory/2016-33-0x000007FEF6450000-0x000007FEF6DED000-memory.dmp

Filesize
9.6MB

Download
memory/2016-34-0x000007FEF6450000-0x000007FEF6DED000-memory.dmp

Filesize
9.6MB

Download
memory/2016-36-0x000007FEF6450000-0x000007FEF6DED000-memory.dmp

Filesize
9.6MB

Download
memory/2016-37-0x000007FEF6450000-0x000007FEF6DED000-memory.dmp

Filesize
9.6MB

Download