Analysis
max time kernel: 122s
max time network: 128s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 01-07-2024 04:11
Static task: static1
Behavioral task: behavioral1
  Sample: 10b3c6068f0a789fb58f35230fdf9ab01f54aba30cf50fb06566f09568df7d1e.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 10b3c6068f0a789fb58f35230fdf9ab01f54aba30cf50fb06566f09568df7d1e.exe
  Resource: win10v2004-20240508-en
General
Target: 10b3c6068f0a789fb58f35230fdf9ab01f54aba30cf50fb06566f09568df7d1e.exe
Size: 8.5MB
MD5: f87fe42f687b5960b4b1bd73e6a9aae9
SHA1: 4425a5fabfd6900d539a57504e1c2b2c730028b4
SHA256: 10b3c6068f0a789fb58f35230fdf9ab01f54aba30cf50fb06566f09568df7d1e
SHA512: 3cd2cb1c315ccf5f5c4b565ec65f394bb6a9cc977ecd5f92598739cf6ac07f8a544fac5976960c474011acd08be39777c87ddeae0f7525641ce65e598029c971
SSDEEP: 196608:yKPX6QBPR9pBhoxI5DQo7yH+LH6GzpbFqKK+27CwXlOBZY++Vd:yjUp9W0DR7awaGzpAKKNn1g4d
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
    2100  hexer.exe
    2816  hexer.exe
- Loads dropped DLL (4 IoCs)
  Processes (pid, process):
    1216  10b3c6068f0a789fb58f35230fdf9ab01f54aba30cf50fb06566f09568df7d1e.exe
    1972
    2100  hexer.exe
    2816  hexer.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes (pid, process):
    2104  powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege  2104  powershell.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description, pid, process, target process):
    PID 1216 wrote to memory of 2104  1216  10b3c6068f0a789fb58f35230fdf9ab01f54aba30cf50fb06566f09568df7d1e.exe  powershell.exe
    PID 1216 wrote to memory of 2104  1216  10b3c6068f0a789fb58f35230fdf9ab01f54aba30cf50fb06566f09568df7d1e.exe  powershell.exe
    PID 1216 wrote to memory of 2104  1216  10b3c6068f0a789fb58f35230fdf9ab01f54aba30cf50fb06566f09568df7d1e.exe  powershell.exe
    PID 1216 wrote to memory of 2104  1216  10b3c6068f0a789fb58f35230fdf9ab01f54aba30cf50fb06566f09568df7d1e.exe  powershell.exe
    PID 1216 wrote to memory of 2100  1216  10b3c6068f0a789fb58f35230fdf9ab01f54aba30cf50fb06566f09568df7d1e.exe  hexer.exe
    PID 1216 wrote to memory of 2100  1216  10b3c6068f0a789fb58f35230fdf9ab01f54aba30cf50fb06566f09568df7d1e.exe  hexer.exe
    PID 1216 wrote to memory of 2100  1216  10b3c6068f0a789fb58f35230fdf9ab01f54aba30cf50fb06566f09568df7d1e.exe  hexer.exe
    PID 1216 wrote to memory of 2100  1216  10b3c6068f0a789fb58f35230fdf9ab01f54aba30cf50fb06566f09568df7d1e.exe  hexer.exe
    PID 2100 wrote to memory of 2816  2100  hexer.exe  hexer.exe
    PID 2100 wrote to memory of 2816  2100  hexer.exe  hexer.exe
    PID 2100 wrote to memory of 2816  2100  hexer.exe  hexer.exe
Processes (process tree; the number in brackets is the depth in the tree)
- [1] C:\Users\Admin\AppData\Local\Temp\10b3c6068f0a789fb58f35230fdf9ab01f54aba30cf50fb06566f09568df7d1e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\10b3c6068f0a789fb58f35230fdf9ab01f54aba30cf50fb06566f09568df7d1e.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHcAYgB6ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGIAegB2ACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIABBAGcAYQBpAG4AIABJAGYAIABEAG8AdwBuAGwAbwBhAGQAZQByACAARABvAGUAcwBuACcAJwB0ACAAUwB0AGEAcgB0ACcALAAnACcALAAnAE8ASwAnACwAJwBJAG4AZgBvAHIAbQBhAHQAaQBvAG4AJwApADwAIwBhAG0AbAAjAD4A"
    The -EncodedCommand value is UTF-16LE base64; decoded it reads: <#wbz#>Add-Type -AssemblyName System.Windows.Forms;<#bzv#>[System.Windows.Forms.MessageBox]::Show('Run Again If Downloader Doesn''t Start','','OK','Information')<#aml#> (a decoy message box; the <#...#> blocks are empty PowerShell comments).
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Users\Admin\AppData\Local\Temp\hexer.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\hexer.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\onefile_2100_133642806940026000\hexer.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\hexer.exe"
      - Executes dropped EXE
      - Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\onefile_2100_133642806940026000\hexer.exe
  Filesize: 11.0MB
  MD5: e0256c393dad7f741f377ce57a4a485d
  SHA1: ca36e8fad3a382d5ca249a59b1188f7f83a84d7a
  SHA256: bde6827d265c6182a7533b1affa5111378e8246b90f5353d3acd00c16f2451b5
  SHA512: 665ae5ae56f46768efbcd2781dde9cc5b46f2a28e733758756d3cd8849b261d2e26668b446519832b9699dfead1d9560e281a5ad7acb5931c29722285f530f4b
- C:\Users\Admin\AppData\Local\Temp\onefile_2100_133642806940026000\python310.dll
  Filesize: 4.2MB
  MD5: 384349987b60775d6fc3a6d202c3e1bd
  SHA1: 701cb80c55f859ad4a31c53aa744a00d61e467e5
  SHA256: f281c2e252ed59dd96726dbb2de529a2b07b818e9cc3799d1ffa9883e3028ed8
  SHA512: 6bf3ef9f08f4fc07461b6ea8d9822568ad0a0f211e471b990f62c6713adb7b6be28b90f206a4ec0673b92bae99597d1c7785381e486f6091265c7df85ff0f9b5
- \Users\Admin\AppData\Local\Temp\hexer.exe
  Filesize: 8.5MB
  MD5: 219dd0008f3aead1f7d62ab0adbf28bb
  SHA1: 05fa2cec4388d41278e55d00b5f9db65d0e381d8
  SHA256: 836fc78d60b1b6cbef077c7d7a2eae626d0b5e63cf6ee4e0d9652978b80623f2
  SHA512: 1e1bb4ad835cd54a1b124e5fdb4066ca56f46ef51308d5abf89f7d5e2c58d39be9cc71ce9978660f3804e6cc19a2bb73f1599294b850e8ff93986bd70d85faf2