0e50bc102add7e11d679e63a50591f3744bba3b3b97e75a788a21c99b7200e4f

Analysis

max time kernel
122s
max time network
128s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 04:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

10b3c6068f0a789fb58f35230fdf9ab01f54aba30cf50fb06566f09568df7d1e.exe
Size

8.5MB
MD5

f87fe42f687b5960b4b1bd73e6a9aae9
SHA1

4425a5fabfd6900d539a57504e1c2b2c730028b4
SHA256

10b3c6068f0a789fb58f35230fdf9ab01f54aba30cf50fb06566f09568df7d1e
SHA512

3cd2cb1c315ccf5f5c4b565ec65f394bb6a9cc977ecd5f92598739cf6ac07f8a544fac5976960c474011acd08be39777c87ddeae0f7525641ce65e598029c971
SSDEEP

196608:yKPX6QBPR9pBhoxI5DQo7yH+LH6GzpbFqKK+27CwXlOBZY++Vd:yjUp9W0DR7awaGzpAKKNn1g4d

Score

7^/10

execution

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

hexer.exehexer.exe

pid process

2100 hexer.exe
2816 hexer.exe
Loads dropped DLL 4 IoCs

Processes:

10b3c6068f0a789fb58f35230fdf9ab01f54aba30cf50fb06566f09568df7d1e.exehexer.exehexer.exe

pid process

1216 10b3c6068f0a789fb58f35230fdf9ab01f54aba30cf50fb06566f09568df7d1e.exe
1972
2100 hexer.exe
2816 hexer.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2104 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

2104 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2104 powershell.exe

pid	process
2100	hexer.exe
2816	hexer.exe

pid	process
1216	10b3c6068f0a789fb58f35230fdf9ab01f54aba30cf50fb06566f09568df7d1e.exe
1972
2100	hexer.exe
2816	hexer.exe

pid	process
2104	powershell.exe

pid	process
2104	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2104	powershell.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

10b3c6068f0a789fb58f35230fdf9ab01f54aba30cf50fb06566f09568df7d1e.exehexer.exe

description	pid	process	target process
PID 1216 wrote to memory of 2104	1216	10b3c6068f0a789fb58f35230fdf9ab01f54aba30cf50fb06566f09568df7d1e.exe	powershell.exe
PID 1216 wrote to memory of 2104	1216	10b3c6068f0a789fb58f35230fdf9ab01f54aba30cf50fb06566f09568df7d1e.exe	powershell.exe
PID 1216 wrote to memory of 2104	1216	10b3c6068f0a789fb58f35230fdf9ab01f54aba30cf50fb06566f09568df7d1e.exe	powershell.exe
PID 1216 wrote to memory of 2104	1216	10b3c6068f0a789fb58f35230fdf9ab01f54aba30cf50fb06566f09568df7d1e.exe	powershell.exe
PID 1216 wrote to memory of 2100	1216	10b3c6068f0a789fb58f35230fdf9ab01f54aba30cf50fb06566f09568df7d1e.exe	hexer.exe
PID 1216 wrote to memory of 2100	1216	10b3c6068f0a789fb58f35230fdf9ab01f54aba30cf50fb06566f09568df7d1e.exe	hexer.exe
PID 1216 wrote to memory of 2100	1216	10b3c6068f0a789fb58f35230fdf9ab01f54aba30cf50fb06566f09568df7d1e.exe	hexer.exe
PID 1216 wrote to memory of 2100	1216	10b3c6068f0a789fb58f35230fdf9ab01f54aba30cf50fb06566f09568df7d1e.exe	hexer.exe
PID 2100 wrote to memory of 2816	2100	hexer.exe	hexer.exe
PID 2100 wrote to memory of 2816	2100	hexer.exe	hexer.exe
PID 2100 wrote to memory of 2816	2100	hexer.exe	hexer.exe

C:\Users\Admin\AppData\Local\Temp\10b3c6068f0a789fb58f35230fdf9ab01f54aba30cf50fb06566f09568df7d1e.exe
"C:\Users\Admin\AppData\Local\Temp\10b3c6068f0a789fb58f35230fdf9ab01f54aba30cf50fb06566f09568df7d1e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1216

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHcAYgB6ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGIAegB2ACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIABBAGcAYQBpAG4AIABJAGYAIABEAG8AdwBuAGwAbwBhAGQAZQByACAARABvAGUAcwBuACcAJwB0ACAAUwB0AGEAcgB0ACcALAAnACcALAAnAE8ASwAnACwAJwBJAG4AZgBvAHIAbQBhAHQAaQBvAG4AJwApADwAIwBhAG0AbAAjAD4A"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2104

C:\Users\Admin\AppData\Local\Temp\hexer.exe
"C:\Users\Admin\AppData\Local\Temp\hexer.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2100

C:\Users\Admin\AppData\Local\Temp\onefile_2100_133642806940026000\hexer.exe
"C:\Users\Admin\AppData\Local\Temp\hexer.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2816

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\onefile_2100_133642806940026000\hexer.exe
Filesize
11.0MB

MD5
e0256c393dad7f741f377ce57a4a485d

SHA1
ca36e8fad3a382d5ca249a59b1188f7f83a84d7a

SHA256
bde6827d265c6182a7533b1affa5111378e8246b90f5353d3acd00c16f2451b5

SHA512
665ae5ae56f46768efbcd2781dde9cc5b46f2a28e733758756d3cd8849b261d2e26668b446519832b9699dfead1d9560e281a5ad7acb5931c29722285f530f4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2100_133642806940026000\python310.dll
Filesize
4.2MB

MD5
384349987b60775d6fc3a6d202c3e1bd

SHA1
701cb80c55f859ad4a31c53aa744a00d61e467e5

SHA256
f281c2e252ed59dd96726dbb2de529a2b07b818e9cc3799d1ffa9883e3028ed8

SHA512
6bf3ef9f08f4fc07461b6ea8d9822568ad0a0f211e471b990f62c6713adb7b6be28b90f206a4ec0673b92bae99597d1c7785381e486f6091265c7df85ff0f9b5

Download Submit
\Users\Admin\AppData\Local\Temp\hexer.exe
Filesize
8.5MB

MD5
219dd0008f3aead1f7d62ab0adbf28bb

SHA1
05fa2cec4388d41278e55d00b5f9db65d0e381d8

SHA256
836fc78d60b1b6cbef077c7d7a2eae626d0b5e63cf6ee4e0d9652978b80623f2

SHA512
1e1bb4ad835cd54a1b124e5fdb4066ca56f46ef51308d5abf89f7d5e2c58d39be9cc71ce9978660f3804e6cc19a2bb73f1599294b850e8ff93986bd70d85faf2

Download Submit