1ebe9fbadc6f5eeecae49bf77a5eb3139afcbd72c49cd3ee8e8fd6ac141461da

Analysis

max time kernel
161s
max time network
191s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 19:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ebe9fbadc6f5eeecae49bf77a5eb3139afcbd72c49cd3ee8e8fd6ac141461da.exe
Size

17.9MB
MD5

2a11a8b2e374f4d424520b064d1a7510
SHA1

8a369d405ddc090ebe863ae898b10711ea803249
SHA256

1ebe9fbadc6f5eeecae49bf77a5eb3139afcbd72c49cd3ee8e8fd6ac141461da
SHA512

2c4ba1813a775a6004ce99e19986a305b775f925ea92bb6cb5736c311e6b686bf7d7034ba452be18a087654a4b0a1ecda702684226d085b74abefe04bbd50df1
SSDEEP

393216:mxPKRgO/lT0g0WNBETGe0OxSrwH/+ktI1oc4KqZNhoUuyuwAilbICOO5/yu:IOgO/p0BCyae02BH2kmt4Kqdw5wAS/yu

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

1ebe9fbadc6f5eeecae49bf77a5eb3139afcbd72c49cd3ee8e8fd6ac141461da.tmp

pid process

3388 1ebe9fbadc6f5eeecae49bf77a5eb3139afcbd72c49cd3ee8e8fd6ac141461da.tmp
Loads dropped DLL 1 IoCs

Processes:

1ebe9fbadc6f5eeecae49bf77a5eb3139afcbd72c49cd3ee8e8fd6ac141461da.tmp

pid process

3388 1ebe9fbadc6f5eeecae49bf77a5eb3139afcbd72c49cd3ee8e8fd6ac141461da.tmp
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 24 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

description	flow	ioc
HTTP User-Agent header	24	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

1ebe9fbadc6f5eeecae49bf77a5eb3139afcbd72c49cd3ee8e8fd6ac141461da.tmp

pid	process
3388	1ebe9fbadc6f5eeecae49bf77a5eb3139afcbd72c49cd3ee8e8fd6ac141461da.tmp
3388	1ebe9fbadc6f5eeecae49bf77a5eb3139afcbd72c49cd3ee8e8fd6ac141461da.tmp
3388	1ebe9fbadc6f5eeecae49bf77a5eb3139afcbd72c49cd3ee8e8fd6ac141461da.tmp
3388	1ebe9fbadc6f5eeecae49bf77a5eb3139afcbd72c49cd3ee8e8fd6ac141461da.tmp
3388	1ebe9fbadc6f5eeecae49bf77a5eb3139afcbd72c49cd3ee8e8fd6ac141461da.tmp
3388	1ebe9fbadc6f5eeecae49bf77a5eb3139afcbd72c49cd3ee8e8fd6ac141461da.tmp
3388	1ebe9fbadc6f5eeecae49bf77a5eb3139afcbd72c49cd3ee8e8fd6ac141461da.tmp
3388	1ebe9fbadc6f5eeecae49bf77a5eb3139afcbd72c49cd3ee8e8fd6ac141461da.tmp
3388	1ebe9fbadc6f5eeecae49bf77a5eb3139afcbd72c49cd3ee8e8fd6ac141461da.tmp
3388	1ebe9fbadc6f5eeecae49bf77a5eb3139afcbd72c49cd3ee8e8fd6ac141461da.tmp
3388	1ebe9fbadc6f5eeecae49bf77a5eb3139afcbd72c49cd3ee8e8fd6ac141461da.tmp
3388	1ebe9fbadc6f5eeecae49bf77a5eb3139afcbd72c49cd3ee8e8fd6ac141461da.tmp
3388	1ebe9fbadc6f5eeecae49bf77a5eb3139afcbd72c49cd3ee8e8fd6ac141461da.tmp
3388	1ebe9fbadc6f5eeecae49bf77a5eb3139afcbd72c49cd3ee8e8fd6ac141461da.tmp

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

1ebe9fbadc6f5eeecae49bf77a5eb3139afcbd72c49cd3ee8e8fd6ac141461da.exe

description	pid	process	target process
PID 2676 wrote to memory of 3388	2676	1ebe9fbadc6f5eeecae49bf77a5eb3139afcbd72c49cd3ee8e8fd6ac141461da.exe	1ebe9fbadc6f5eeecae49bf77a5eb3139afcbd72c49cd3ee8e8fd6ac141461da.tmp
PID 2676 wrote to memory of 3388	2676	1ebe9fbadc6f5eeecae49bf77a5eb3139afcbd72c49cd3ee8e8fd6ac141461da.exe	1ebe9fbadc6f5eeecae49bf77a5eb3139afcbd72c49cd3ee8e8fd6ac141461da.tmp
PID 2676 wrote to memory of 3388	2676	1ebe9fbadc6f5eeecae49bf77a5eb3139afcbd72c49cd3ee8e8fd6ac141461da.exe	1ebe9fbadc6f5eeecae49bf77a5eb3139afcbd72c49cd3ee8e8fd6ac141461da.tmp

C:\Users\Admin\AppData\Local\Temp\1ebe9fbadc6f5eeecae49bf77a5eb3139afcbd72c49cd3ee8e8fd6ac141461da.exe
"C:\Users\Admin\AppData\Local\Temp\1ebe9fbadc6f5eeecae49bf77a5eb3139afcbd72c49cd3ee8e8fd6ac141461da.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2676

C:\Users\Admin\AppData\Local\Temp\is-HC2PH.tmp\1ebe9fbadc6f5eeecae49bf77a5eb3139afcbd72c49cd3ee8e8fd6ac141461da.tmp
"C:\Users\Admin\AppData\Local\Temp\is-HC2PH.tmp\1ebe9fbadc6f5eeecae49bf77a5eb3139afcbd72c49cd3ee8e8fd6ac141461da.tmp" /SL5="$70058,18225132,542208,C:\Users\Admin\AppData\Local\Temp\1ebe9fbadc6f5eeecae49bf77a5eb3139afcbd72c49cd3ee8e8fd6ac141461da.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3388

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-HC2PH.tmp\1ebe9fbadc6f5eeecae49bf77a5eb3139afcbd72c49cd3ee8e8fd6ac141461da.tmp
Filesize
1.5MB

MD5
0306c3c527e6a70b28443fb16ecd7f69

SHA1
9a985dccb87e23dd84fe631d803a8cbcf78c97ea

SHA256
dd09e2d1d56d10598a6e125d90c484b74dc2ff52f0839931fcf13cd1ad58d23a

SHA512
ad518e1e4e8cb3f47acd30a9bd74193bb87cfbcf345dc2a810d8879334e9ea7e9590fdafeac69f2db2dcbdf6e786540a72e9e542cf7f072cc70238c0fb21c9eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HC2PH.tmp\1ebe9fbadc6f5eeecae49bf77a5eb3139afcbd72c49cd3ee8e8fd6ac141461da.tmp
Filesize
1.5MB

MD5
0306c3c527e6a70b28443fb16ecd7f69

SHA1
9a985dccb87e23dd84fe631d803a8cbcf78c97ea

SHA256
dd09e2d1d56d10598a6e125d90c484b74dc2ff52f0839931fcf13cd1ad58d23a

SHA512
ad518e1e4e8cb3f47acd30a9bd74193bb87cfbcf345dc2a810d8879334e9ea7e9590fdafeac69f2db2dcbdf6e786540a72e9e542cf7f072cc70238c0fb21c9eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JD5M8.tmp\InstallerExtensions.dll
Filesize
111KB

MD5
1b2283c1947ae323111fc25762d326fc

SHA1
33eaa2d7ef858261a55f264269dadefc5ef693fa

SHA256
9a083bee715c61899118fb03ebf792613854d641a4e8b420c481baf72ca0736d

SHA512
2e5eac50e2ff4f07b9dfc34652b0b7d86d7a2e49c5b34c178f6229775dc83b69b475dc37135a7e7021be391031bca7db705ee3f584d1d3ca1a432fb420139a98

Download Submit
memory/2676-132-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/2676-137-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/3388-134-0x0000000000000000-mapping.dmp

Download