Analysis
max time kernel: 92s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20230221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/04/2023, 23:09
Static task
static1
Behavioral task
behavioral1
Sample
sample.exe
Resource
win7-20230220-en
4 signatures
150 seconds
Behavioral task
behavioral2
Sample
sample.exe
Resource
win10v2004-20230221-en
5 signatures
150 seconds
General
Target: sample.exe
Size: 7.0MB
MD5: ec55c594ad719296c3778165d15a6e03
SHA1: f37862384b8c96533025a1c5e8c1e9d016f94f5d
SHA256: 50a4fbbf71d27bfffb438d40976030f4b1445cb446300ede262f276fb5527b00
SHA512: ba083cdbaaccd0eed8b0d9f094bcbd30c4c0368b1de66d23ce58ee1797aea12980df66a350aa574e2abf378ce777b72a971c8c35c4fb67341f6699dd178031e7
SSDEEP: 49152:IgarPO37fzH4A6hanqNwMmnyH7Z7oinTf4bNO:ZarPO37fzH4A6h0NMmC8ir4Y
Score: 10/10
Malware Config
Signatures
-
Detects MosaicLoader payload 5 IoCs
resource yara_rule
behavioral2/memory/1932-134-0x0000000000400000-0x00000000004B7000-memory.dmp family_mosaicloader
behavioral2/memory/1932-139-0x0000000000400000-0x00000000004B7000-memory.dmp family_mosaicloader
behavioral2/memory/1932-136-0x0000000000400000-0x00000000004B7000-memory.dmp family_mosaicloader
behavioral2/memory/1932-140-0x0000000000400000-0x00000000004B7000-memory.dmp family_mosaicloader
behavioral2/memory/1932-142-0x0000000000400000-0x00000000004B7000-memory.dmp family_mosaicloader
MosaicLoader
MosaicLoader, written in C++, was first discovered in July 2021.
-
Suspicious behavior: EnumeratesProcesses 42 IoCs
pid Process
4824 sample.exe
Suspicious use of UnmapMainImage 1 IoCs
pid Process
4824 sample.exe
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target
PID 4824 wrote to memory of 1932 4824 sample.exe 77
Processes
-
C:\Users\Admin\AppData\Local\Temp\sample.exe "C:\Users\Admin\AppData\Local\Temp\sample.exe" PID:4824
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\sample.exe "C:\Users\Admin\AppData\Local\Temp\sample.exe" PID:1932