Analysis
max time kernel: 144s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/05/2023, 15:51 UTC
Static task: static1
Behavioral task: behavioral1
  Sample: 581f8428d878f327176c24c378fd2e0e660bdfde9afa550e920164240049b9c7.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 581f8428d878f327176c24c378fd2e0e660bdfde9afa550e920164240049b9c7.exe
  Resource: win10v2004-20230220-en
General
Target: 581f8428d878f327176c24c378fd2e0e660bdfde9afa550e920164240049b9c7.exe
Size: 19.0MB
MD5: b8e7c5bb7a9669ef1bb8cad24fe1ba6a
SHA1: fae9bec58b12eb25db995fd6701442ed8f24a46b
SHA256: 581f8428d878f327176c24c378fd2e0e660bdfde9afa550e920164240049b9c7
SHA512: 3655a27a93be07e789afd2dde75cede5e114835583e01f71c51d27a7929f4e17b089d58fcf408e989bb3d88e542cab33398c21d4eec45a90dcdcc649f875abaf
SSDEEP: 393216:fGZiYKGtAeGFiYKGtAeGFi0KGtAeGFi0K6tAjGFi0j8YY+:eZNH+FNH+FZH+FZrTFZDV
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid   Process
  3884  581f8428d878f327176c24c378fd2e0e660bdfde9afa550e920164240049b9c7.tmp
Suspicious use of WriteProcessMemory (3 IoCs)
  description                          pid   Process                                                                   procid_target
  PID 1436 wrote to memory of 3884     1436  581f8428d878f327176c24c378fd2e0e660bdfde9afa550e920164240049b9c7.exe  82
  PID 1436 wrote to memory of 3884     1436  581f8428d878f327176c24c378fd2e0e660bdfde9afa550e920164240049b9c7.exe  82
  PID 1436 wrote to memory of 3884     1436  581f8428d878f327176c24c378fd2e0e660bdfde9afa550e920164240049b9c7.exe  82
Processes
1. C:\Users\Admin\AppData\Local\Temp\581f8428d878f327176c24c378fd2e0e660bdfde9afa550e920164240049b9c7.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\581f8428d878f327176c24c378fd2e0e660bdfde9afa550e920164240049b9c7.exe"
   Signatures: Suspicious use of WriteProcessMemory
   PID: 1436
   2. C:\Users\Admin\AppData\Local\Temp\is-KRLNT.tmp\581f8428d878f327176c24c378fd2e0e660bdfde9afa550e920164240049b9c7.tmp
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-KRLNT.tmp\581f8428d878f327176c24c378fd2e0e660bdfde9afa550e920164240049b9c7.tmp" /SL5="$501C0,19098918,780800,C:\Users\Admin\AppData\Local\Temp\581f8428d878f327176c24c378fd2e0e660bdfde9afa550e920164240049b9c7.exe"
      Signatures: Executes dropped EXE
      PID: 3884
Network
DNS requests (all to remote address 8.8.8.8:53, all IN PTR, no response recorded)
  Request                       Sent   Received  Requests  Responses
  196.249.167.52.in-addr.arpa   73 B   147 B     1         1
  240.221.184.93.in-addr.arpa   73 B   144 B     1         1
  76.32.126.40.in-addr.arpa     71 B   157 B     1         1
  95.221.229.192.in-addr.arpa   73 B   144 B     1         1
  154.239.44.20.in-addr.arpa    72 B   158 B     1         1
  97.17.167.52.in-addr.arpa     71 B   145 B     1         1
  26.165.165.52.in-addr.arpa    72 B   146 B     1         1
  206.23.85.13.in-addr.arpa     71 B   145 B     1         1
  73.254.224.20.in-addr.arpa    72 B   158 B     1         1
MITRE ATT&CK Matrix
Downloads
C:\Users\Admin\AppData\Local\Temp\is-KRLNT.tmp\581f8428d878f327176c24c378fd2e0e660bdfde9afa550e920164240049b9c7.tmp
  Filesize: 2.9MB
  MD5: e1db7b0b4f4da66444fecc8484101a30
  SHA1: 15138fa43fbe820fa1d0bd0548f921623f5b0e3c
  SHA256: faf45ece49adb213d5afd54808d51cfa794b19935f3e1b148392cb0ae1e19a59
  SHA512: 76bc4ce9c9db01598ff0e6bd38b013f642bd4ae4bf85c2fd1fd71bf513808980c7f5d92ea6fd235f7e37194d58f5e3c08c15829b002233367034ed58b367b5e2