Analysis
- max time kernel: 121s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20231025-en
- resource tags: arch:x64, arch:x86, image:win7-20231025-en, locale:en-us, os:windows7-x64, system
- submitted: 07/12/2023, 15:43

Static task: static1
Behavioral task: behavioral1
Sample: eee8f24df2c2acd4d3a0af577157f501e8d6e22430cb9de5547d15e4d3a484e1.exe
Resource: win7-20231025-en

General
- Target: eee8f24df2c2acd4d3a0af577157f501e8d6e22430cb9de5547d15e4d3a484e1.exe
- Size: 876KB
- MD5: e9ba2885410d8268bbe09ed3be2dc330
- SHA1: fee5b506fe9ee93d63672811d220c3b75d008944
- SHA256: eee8f24df2c2acd4d3a0af577157f501e8d6e22430cb9de5547d15e4d3a484e1
- SHA512: fece2495b994144b6789d6ea23fb933e2675de32ef1501663982aaf08c9cbb347180a8dbd09152687a168f89991cd4ff247367b6547ec11c6d8c16d8b67ea44d
- SSDEEP: 12288:zFw4uHq/pj5lOVtHpff9/TaHNQEiPPPOjFCN/XCUY03j37zUi:zP/p1lgtJX9ratOejFkBY03r
Malware Config
Signatures
- Downloads MZ/PE file
- Executes dropped EXE (1 IoC)
  pid   Process
  2720  f763ab0.tmp
- Loads dropped DLL (1 IoC)
  pid   Process
  3012  eee8f24df2c2acd4d3a0af577157f501e8d6e22430cb9de5547d15e4d3a484e1.exe
- resource / yara_rule (upx)
  behavioral1/memory/2720-49-0x0000000010000000-0x000000001003E000-memory.dmp   upx
  behavioral1/memory/2720-52-0x0000000010000000-0x000000001003E000-memory.dmp   upx
  behavioral1/memory/2720-53-0x0000000010000000-0x000000001003E000-memory.dmp   upx
  behavioral1/memory/2720-55-0x0000000010000000-0x000000001003E000-memory.dmp   upx
  behavioral1/memory/2720-54-0x0000000010000000-0x000000001003E000-memory.dmp   upx
  behavioral1/memory/2720-57-0x0000000010000000-0x000000001003E000-memory.dmp   upx
  behavioral1/memory/2720-59-0x0000000010000000-0x000000001003E000-memory.dmp   upx
  behavioral1/memory/2720-61-0x0000000010000000-0x000000001003E000-memory.dmp   upx
  behavioral1/memory/2720-63-0x0000000010000000-0x000000001003E000-memory.dmp   upx
  behavioral1/memory/2720-66-0x0000000010000000-0x000000001003E000-memory.dmp   upx
  behavioral1/memory/2720-69-0x0000000010000000-0x000000001003E000-memory.dmp   upx
  behavioral1/memory/2720-71-0x0000000010000000-0x000000001003E000-memory.dmp   upx
  behavioral1/memory/2720-73-0x0000000010000000-0x000000001003E000-memory.dmp   upx
  behavioral1/memory/2720-77-0x0000000010000000-0x000000001003E000-memory.dmp   upx
  behavioral1/memory/2720-79-0x0000000010000000-0x000000001003E000-memory.dmp   upx
  behavioral1/memory/2720-83-0x0000000010000000-0x000000001003E000-memory.dmp   upx
  behavioral1/memory/2720-86-0x0000000010000000-0x000000001003E000-memory.dmp   upx
  behavioral1/memory/2720-90-0x0000000010000000-0x000000001003E000-memory.dmp   upx
  behavioral1/memory/2720-94-0x0000000010000000-0x000000001003E000-memory.dmp   upx
  behavioral1/memory/2720-97-0x0000000010000000-0x000000001003E000-memory.dmp   upx
  behavioral1/memory/2720-100-0x0000000010000000-0x000000001003E000-memory.dmp  upx
  behavioral1/memory/2720-103-0x0000000010000000-0x000000001003E000-memory.dmp  upx
  behavioral1/memory/2720-106-0x0000000010000000-0x000000001003E000-memory.dmp  upx
  behavioral1/memory/2720-108-0x0000000010000000-0x000000001003E000-memory.dmp  upx
  behavioral1/memory/2720-109-0x0000000010000000-0x000000001003E000-memory.dmp  upx
- resource / yara_rule (vmprotect)
  behavioral1/files/0x0020000000015c47-4.dat                                    vmprotect
  behavioral1/files/0x0020000000015c47-5.dat                                    vmprotect
  behavioral1/files/0x0020000000015c47-7.dat                                    vmprotect
  behavioral1/files/0x0020000000015c47-8.dat                                    vmprotect
  behavioral1/memory/2720-14-0x0000000000400000-0x0000000002B9C000-memory.dmp   vmprotect
  behavioral1/memory/2720-75-0x0000000000400000-0x0000000002B9C000-memory.dmp   vmprotect
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  2720  f763ab0.tmp
  2720  f763ab0.tmp
- Suspicious use of SetWindowsHookEx (5 IoCs)
  pid   Process
  3012  eee8f24df2c2acd4d3a0af577157f501e8d6e22430cb9de5547d15e4d3a484e1.exe
  3012  eee8f24df2c2acd4d3a0af577157f501e8d6e22430cb9de5547d15e4d3a484e1.exe
  2720  f763ab0.tmp
  2720  f763ab0.tmp
  2720  f763ab0.tmp
- Suspicious use of WriteProcessMemory (7 IoCs)
  description                         pid   Process                                                                  procid_target
  PID 3012 wrote to memory of 2720    3012  eee8f24df2c2acd4d3a0af577157f501e8d6e22430cb9de5547d15e4d3a484e1.exe   30
  PID 3012 wrote to memory of 2720    3012  eee8f24df2c2acd4d3a0af577157f501e8d6e22430cb9de5547d15e4d3a484e1.exe   30
  PID 3012 wrote to memory of 2720    3012  eee8f24df2c2acd4d3a0af577157f501e8d6e22430cb9de5547d15e4d3a484e1.exe   30
  PID 3012 wrote to memory of 2720    3012  eee8f24df2c2acd4d3a0af577157f501e8d6e22430cb9de5547d15e4d3a484e1.exe   30
  PID 3012 wrote to memory of 2720    3012  eee8f24df2c2acd4d3a0af577157f501e8d6e22430cb9de5547d15e4d3a484e1.exe   30
  PID 3012 wrote to memory of 2720    3012  eee8f24df2c2acd4d3a0af577157f501e8d6e22430cb9de5547d15e4d3a484e1.exe   30
  PID 3012 wrote to memory of 2720    3012  eee8f24df2c2acd4d3a0af577157f501e8d6e22430cb9de5547d15e4d3a484e1.exe   30
Processes
1. C:\Users\Admin\AppData\Local\Temp\eee8f24df2c2acd4d3a0af577157f501e8d6e22430cb9de5547d15e4d3a484e1.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\eee8f24df2c2acd4d3a0af577157f501e8d6e22430cb9de5547d15e4d3a484e1.exe"
   - Loads dropped DLL
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 3012
   2. C:\Users\Admin\AppData\Local\Temp\f763ab0.tmp (child of PID 3012)
      Command line: C:\Users\Admin\AppData\Local\Temp\f763ab0.tmp
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      PID: 2720
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 16.5MB
  MD5: ab4d9ec45b79e2c85a42ad41903c88a9
  SHA1: 60f9a8d8c7f159b8e1f2df26035190c915777abe
  SHA256: f858c1818b607224a90b1b26309e8553d4662a1dd42474beacb2bb2851d8c35a
  SHA512: c335e7f51a08369f4008290b74320bc0962260eac4c81244d6bddb28fd1512bf995f437487d955c71ba216c0e0aa500f7d01f0745975ca1eb74694d37f820415