Analysis

max time kernel: 151s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-01-2023 07:38
Static task: static1
Behavioral task: behavioral1
Sample: 9cf363fbedce9ffb27df68141303d9e070185953.exe
Resource: win7-20220901-en
General

Target: 9cf363fbedce9ffb27df68141303d9e070185953.exe
Size: 396KB
MD5: ede54566379dc00e28e2330dc4d9e96b
SHA1: 9cf363fbedce9ffb27df68141303d9e070185953
SHA256: bf778ea445b149430eb6969bb6cb016bea268e5277bddbb4e0b2b96d14056400
SHA512: fbb65b28eec14fb3dd8028e4226f2b7e5239fa77262797c8dd40e22770efb2f23f38cdd9b639c9b885043c2eb3534a3b6caed874722527bd2ece9c95dc1f07eb
SSDEEP: 12288:GlUV1s9uxQ0djHuDsIhXMbkEODKiuLnL7ZJAdGyO+:2uPb+uL5J+RO+
Malware Config
Signatures

Blocklisted process makes network request (5 IoCs)
flow  pid   Process
41    2716  cmd.exe
63    2716  cmd.exe
69    2716  cmd.exe
82    2716  cmd.exe
84    2716  cmd.exe

Executes dropped EXE (1 IoC)
pid   Process
4792  vlc.exe

Loads dropped DLL (2 IoCs)
pid   Process
4792  vlc.exe
4792  vlc.exe

Drops file in Windows directory (1 IoC)
description   ioc                        Process
File created  C:\Windows\Tasks\vlc.job   cmd.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid   Process
4792  vlc.exe
1044  cmd.exe

Suspicious behavior: MapViewOfSection (1 IoC)
pid   Process
1044  cmd.exe

Suspicious use of WriteProcessMemory (64 IoCs; identical rows listed once)
description                         pid   Process   procid_target
PID 4792 wrote to memory of 1044    4792  vlc.exe   82
PID 1044 wrote to memory of 2716    1044  cmd.exe   84
Processes

C:\Users\Admin\AppData\Local\Temp\9cf363fbedce9ffb27df68141303d9e070185953.exe
  "C:\Users\Admin\AppData\Local\Temp\9cf363fbedce9ffb27df68141303d9e070185953.exe"
  PID: 4648

C:\Users\Admin\AppData\Roaming\661a4921\vlc.exe
  "C:\Users\Admin\AppData\Roaming\661a4921\vlc.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 4792

  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID: 1044

    C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      - Blocklisted process makes network request
      - Drops file in Windows directory
      PID: 2716
Downloads

Filesize: 639KB
MD5: 42efa98488feb44a3263486777867613
SHA1: 88b9dfc35d69b8aaccf9b94490adf12bc18c3392
SHA256: 38d5e259f91bd4d5cacca1fa26aede7e07b4b1c05cf532ec844267ec3b10352a
SHA512: 3488d6d6178407818f093f7b952f2cc22e200d56b5f2788443e540da2f8566f5c60e7868bec77ac5218864bb59d83b0868ab3da59425ed1b2779349f6964a7e4

Filesize: 349B
MD5: 231bb072bf60cee296270e77ef34db22
SHA1: 8d6150c1131fe172624c94988ac8bd876e60f9bc
SHA256: 8800bc402755b217e8ff4b2ee7604293febfafc492aa29139f7cd55bfd053d02
SHA512: ee672b0d9473cde3f084c547f7c052500dbfd2f58ea0a3980755cd2023c68ec8bc2497dd31ec79fe11c7eb5129ee7d1ba3e2a6f5c47851cd9cb94f22b185bcbe

Filesize: 36KB
MD5: 0bd497e905a9ebd04eb0ec6adaf27a23
SHA1: 3b116c5ad39439994245e1a0b64d1fe7ff156ab9
SHA256: 0c8c431a1f589fdcf453c7afada63c2e2e2a887e49abdbb222983fa6044fdf66
SHA512: 96b42ee35b122b06e03c484e30752987e70e914badf931f66a43cc8eb5c807835c09e2ae8164edc311f2985341acd601996e3d81e8f0a699272fda9a157028b4

Filesize: 172KB
MD5: 08ba25a0598f94a2e9e52c7c7608f6f6
SHA1: b2a91472e6dd04e7d74c6aec4122cdf8fde8e31c
SHA256: 072d31910b2a1cd83341bb8270fd2eebd8ca5a6e01fa0c6339e0867f59d2f29e
SHA512: 1dfa0a7886ed9d6f32ffb93af3df955dbe13e35532b6af5c10a82e360330e69a7e29e9dc410322a532e4ac632dd6c73dfc3a6b570f3f49e66e62e0ab4dfb672a

Filesize: 2.5MB
MD5: 7cb37d19125c7bde789d909cbb195a92
SHA1: 167557844fbfe7d9f5caac16db335ad4d8da487e
SHA256: b08d45acc972574c39e6be64ab281e0d9c1fcd13ee1e245aa19d2eb73301ecc6
SHA512: 7aab773f86847cf8420ec01e5f6336a73e131ff6d24d99c2b7906029c2e127711bc1e150fe8319921761907ba1be83f244539e3e48df548bb5c596f70a8de1ec

Filesize: 938KB
MD5: 4cf6217603dac78494d273bdd9a3de84
SHA1: 66f9e3e9b40cd9e3e3d4d80791d8d166e908c7ad
SHA256: 1a403269242218a67e401c7e321bf466ef6b381bc7cb8a56ea77d504f7f81a44
SHA512: 8f1e4b9603063602ec2e19b6742dc5ecbd47c1a64428a2f0190d2a624eb8ccf5cb14f57261fab947725dc7f918c4ee13ca4e4ee8507f63f9585ec9c881894dd5