Analysis

Max time kernel: 141s
Max time network: 150s
Platform: windows10-2004_x64
Resource: win10v2004-20231025-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20231025-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 01-11-2023 06:26
Static task: static1

Behavioral task: behavioral1
  Sample: 9865456789TH.exe
  Resource: win7-20231020-en

Behavioral task: behavioral2
  Sample: 9865456789TH.exe
  Resource: win10v2004-20231025-en
General

Target: 9865456789TH.exe
Size: 598KB
MD5: 958cb95438ce3e87d4589459ad9f1dc1
SHA1: 428567998143c6a0fd8cce178335fef7c26078a4
SHA256: 94e024435cc8cafb2705bf98e9551feaa5d2ab426fcbcef9efde59fe9ccb9e53
SHA512: 54596923d98f5708165e37b1f0e4ccecb5d89cb1a9b2b985fdc9176bb010bf790c9426ed7844793246852d4bec3324a86e3d87d81508e40c60e505fc942148e8
SSDEEP: 12288:wY7Y+3xUeQyX7sfNSjTZZmel48MCaHg82TfsDKC7wYgJctv:wY7YWzwfNy8el4XA8SC7wYFN
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
  PID    Process
  3512   vlfaghzaa.exe
  4164   vlfaghzaa.exe

Suspicious use of SetThreadContext (1 IoC)
  Description                              PID    Process            procid_target
  PID 3512 set thread context of 4164      3512   vlfaghzaa.exe      89

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: MapViewOfSection (1 IoC)
  PID    Process
  3512   vlfaghzaa.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  PID    Process
  4164   vlfaghzaa.exe
  4164   vlfaghzaa.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  Description                              PID    Process            procid_target
  PID 4584 wrote to memory of 3512         4584   9865456789TH.exe   87
  PID 4584 wrote to memory of 3512         4584   9865456789TH.exe   87
  PID 4584 wrote to memory of 3512         4584   9865456789TH.exe   87
  PID 3512 wrote to memory of 4164         3512   vlfaghzaa.exe      89
  PID 3512 wrote to memory of 4164         3512   vlfaghzaa.exe      89
  PID 3512 wrote to memory of 4164         3512   vlfaghzaa.exe      89
  PID 3512 wrote to memory of 4164         3512   vlfaghzaa.exe      89

Read together, the signatures describe one chain: the submitted sample (PID 4584) writes into the dropped vlfaghzaa.exe (PID 3512); that process maps a section, starts a second copy of itself (PID 4164), writes into it and sets its thread context; only the second copy then installs window hooks. The procid_target column is the report's own identifier for the target process (87, 89), not its Windows PID.
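The WriteProcessMemory and SetThreadContext tables are easier to reason about as a graph than as flat rows. The script below is an added example, not part of the Triage report: it parses rows laid out like the two tables above (constructed copies of those rows are embedded inline), rebuilds the write chain 9865456789TH.exe -> vlfaghzaa.exe -> vlfaghzaa.exe, and flags the edge on which a process both writes into and re-points the thread context of a child running its own image. The pid-to-image map is taken from the Processes section; the column names, the "same image" heuristic and the function names are this example's assumptions, not anything the report states.

```python
"""Parse Triage-style WriteProcessMemory / SetThreadContext rows and flag the
self-injection pattern they describe.

Added example for this report; not part of the sandbox output.  The rows are
constructed copies of the signature tables above, and the pid-to-image map is
taken from the Processes section.
"""
import re
from collections import defaultdict

# Constructed input: the seven WriteProcessMemory rows and the single
# SetThreadContext row from the report, one row per line.
SAMPLE_ROWS = """
PID 4584 wrote to memory of 3512 4584 9865456789TH.exe 87
PID 4584 wrote to memory of 3512 4584 9865456789TH.exe 87
PID 4584 wrote to memory of 3512 4584 9865456789TH.exe 87
PID 3512 wrote to memory of 4164 3512 vlfaghzaa.exe 89
PID 3512 wrote to memory of 4164 3512 vlfaghzaa.exe 89
PID 3512 wrote to memory of 4164 3512 vlfaghzaa.exe 89
PID 3512 wrote to memory of 4164 3512 vlfaghzaa.exe 89
PID 3512 set thread context of 4164 3512 vlfaghzaa.exe 89
""".strip().splitlines()

# pid -> image name, copied from the report's process tree.
PROCESSES = {
    4584: "9865456789TH.exe",
    3512: "vlfaghzaa.exe",
    4164: "vlfaghzaa.exe",
}

# Columns: description ("PID <src> <action> <dst>"), pid, Process, procid_target.
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P<pid>\d+) (?P<image>\S+) (?P<procid>\d+)$"
)


def parse_rows(rows):
    """Return (src_pid, action, dst_pid, src_image, procid_target) tuples.

    action is "write" for WriteProcessMemory rows and "setctx" for
    SetThreadContext rows.  Rows that do not match the layout, or whose two
    pid columns disagree, are skipped rather than guessed at.
    """
    events = []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m or m["src"] != m["pid"]:
            continue
        action = "write" if m["action"].startswith("wrote") else "setctx"
        events.append((int(m["src"]), action, int(m["dst"]), m["image"], int(m["procid"])))
    return events


def injection_chain(events):
    """Follow WriteProcessMemory edges from the one process nobody wrote into.

    Assumes each writer targets a single child (true for this report); with
    fan-out the last edge seen per writer wins and only one path is returned.
    """
    edges = {src: dst for src, action, dst, _, _ in events if action == "write"}
    targets = set(edges.values())
    roots = [pid for pid in edges if pid not in targets]
    if len(roots) != 1:
        return []
    chain = [roots[0]]
    while chain[-1] in edges and edges[chain[-1]] not in chain:
        chain.append(edges[chain[-1]])
    return chain


def find_self_injection(events, processes):
    """Pair every SetThreadContext edge with the memory writes on that edge.

    A writer that both writes into and re-points the thread context of a child
    running the same image has the shape of process hollowing / RunPE-style
    self-injection.  A different image is still cross-process injection, so
    the finding records both cases and lets the caller decide.
    """
    writes = defaultdict(int)
    setctx = set()
    for src, action, dst, _, _ in events:
        if action == "write":
            writes[(src, dst)] += 1
        else:
            setctx.add((src, dst))
    findings = []
    for src, dst in sorted(setctx):
        findings.append({
            "source": src,
            "target": dst,
            "writes": writes[(src, dst)],
            "target_image": processes.get(dst),
            "same_image": processes.get(src) == processes.get(dst),
        })
    return findings


if __name__ == "__main__":
    evs = parse_rows(SAMPLE_ROWS)
    print("chain:", " -> ".join(f"{p} ({PROCESSES[p]})" for p in injection_chain(evs)))
    for f in find_self_injection(evs, PROCESSES):
        print("SetThreadContext after %d write(s): %d -> %d (%s, same image: %s)"
              % (f["writes"], f["source"], f["target"], f["target_image"], f["same_image"]))
```

The useful output is the single finding: PID 3512 wrote into PID 4164 four times and then set its thread context, and both run vlfaghzaa.exe. The first hop (4584 writing into 3512) has no SetThreadContext row and the images differ, so it is reported only as part of the chain, which matches the report's process tree.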
Processes

1. C:\Users\Admin\AppData\Local\Temp\9865456789TH.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\9865456789TH.exe"
   PID: 4584
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\vlfaghzaa.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\vlfaghzaa.exe"
      PID: 3512
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\vlfaghzaa.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\vlfaghzaa.exe"
         PID: 4164
         - Executes dropped EXE
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 682KB
MD5: 69e1e1238920c650b5398afb5af3e844
SHA1: 04d2165532b4b37ff897317a90b31c0833be35b7
SHA256: f97a2c8e33f2da28a02e1c2349716f8dea91edee3fcd16b4f9b2cda12d588cf4
SHA512: 5df43fef3ef85125d036ff219fa02f6d97382c92260c9062783b67ba6c98f49a8afb7bb026d55cecbc9d9b93a3a255c35bf297d43ee58b27e004a10bebcfdd11

Filesize: 165KB (this entry is listed three times in the report, with identical hashes each time)
MD5: f32db1d909e9cf2c692f6586af892b6e
SHA1: 9aa3f0f3acc59deea13f50f1d356f2db1d3dc079
SHA256: f1383737a2b449e57fffc5c922bea3d79a367b3ae76928b08506f1983bc061c9
SHA512: 31cfcfaff95066cd5fe83baaef8bafb0cd64836cc252db766d680cb92f9fc191c3819a53bc17013d5f99d955a05ff2a6c741c1dd4ed362a563a981413e014162