Analysis

max time kernel: 141s
max time network: 30s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 06/04/2023, 23:09

Static task: static1

Behavioral task: behavioral1
  Sample: sample.exe
  Resource: win7-20230220-en
  4 signatures, 150 seconds

Behavioral task: behavioral2
  Sample: sample.exe
  Resource: win10v2004-20230221-en
  5 signatures, 150 seconds
General

Target: sample.exe
Size: 7.0MB
MD5: ec55c594ad719296c3778165d15a6e03
SHA1: f37862384b8c96533025a1c5e8c1e9d016f94f5d
SHA256: 50a4fbbf71d27bfffb438d40976030f4b1445cb446300ede262f276fb5527b00
SHA512: ba083cdbaaccd0eed8b0d9f094bcbd30c4c0368b1de66d23ce58ee1797aea12980df66a350aa574e2abf378ce777b72a971c8c35c4fb67341f6699dd178031e7
SSDEEP: 49152:IgarPO37fzH4A6hanqNwMmnyH7Z7oinTf4bNO:ZarPO37fzH4A6h0NMmC8ir4Y
Score: 10/10
Malware Config

Signatures

Detects MosaicLoader payload (6 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/1772-55-0x0000000000400000-0x00000000004B7000-memory.dmp   family_mosaicloader
  behavioral1/memory/1772-57-0x0000000000400000-0x00000000004B7000-memory.dmp   family_mosaicloader
  behavioral1/memory/1772-59-0x0000000000400000-0x00000000004B7000-memory.dmp   family_mosaicloader
  behavioral1/memory/1772-60-0x0000000000400000-0x00000000004B7000-memory.dmp   family_mosaicloader
  behavioral1/memory/1772-62-0x0000000000400000-0x00000000004B7000-memory.dmp   family_mosaicloader
  behavioral1/memory/1772-63-0x0000000000400000-0x00000000004B7000-memory.dmp   family_mosaicloader
MosaicLoader
MosaicLoader was first discovered in July 2021 and is written in C++.
Suspicious behavior: EnumeratesProcesses (21 IoCs)
  pid    Process
  1340   sample.exe   (21 identical entries)

Suspicious use of WriteProcessMemory (13 IoCs)
  description                         pid    Process      procid_target
  PID 1340 wrote to memory of 1772    1340   sample.exe   28   (13 identical entries)
Processes

C:\Users\Admin\AppData\Local\Temp\sample.exe "C:\Users\Admin\AppData\Local\Temp\sample.exe" (depth 1)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 1340
    C:\Users\Admin\AppData\Local\Temp\sample.exe "C:\Users\Admin\AppData\Local\Temp\sample.exe" (depth 2)
    PID: 1772