Analysis
- max time kernel: 155s
- max time network: 144s
- platform: windows10-2004_x64
- resource: win10v2004-20231127-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07/12/2023, 15:43
- Static task: static1
- Behavioral task: behavioral1
- Sample: eee8f24df2c2acd4d3a0af577157f501e8d6e22430cb9de5547d15e4d3a484e1.exe
- Resource: win7-20231025-en
General
- Target: eee8f24df2c2acd4d3a0af577157f501e8d6e22430cb9de5547d15e4d3a484e1.exe
- Size: 876KB
- MD5: e9ba2885410d8268bbe09ed3be2dc330
- SHA1: fee5b506fe9ee93d63672811d220c3b75d008944
- SHA256: eee8f24df2c2acd4d3a0af577157f501e8d6e22430cb9de5547d15e4d3a484e1
- SHA512: fece2495b994144b6789d6ea23fb933e2675de32ef1501663982aaf08c9cbb347180a8dbd09152687a168f89991cd4ff247367b6547ec11c6d8c16d8b67ea44d
- SSDEEP: 12288:zFw4uHq/pj5lOVtHpff9/TaHNQEiPPPOjFCN/XCUY03j37zUi:zP/p1lgtJX9ratOejFkBY03r
Malware Config
Signatures
- Downloads MZ/PE file
- Executes dropped EXE (1 IoC)
  pid 4408, process e585e28.tmp
- YARA rule: upx (26 IoCs)
  26 memory dumps of pid 4408 (e585e28.tmp), all covering the same region 0x0000000010000000-0x000000001003E000 (behavioral2/memory/4408-<seq>-0x0000000010000000-0x000000001003E000-memory.dmp).
  Dump sequence numbers: 19, 21, 22, 23, 25, 27, 30, 32, 35, 37, 40, 42, 44, 46, 48, 52, 54, 56, 58, 60, 63, 65, 67, 69, 71, 72.
- YARA rule: vmprotect (6 IoCs)
  Files: behavioral2/files/0x00090000000230ae-4.dat, behavioral2/files/0x00090000000230ae-5.dat, behavioral2/files/0x00090000000230ae-6.dat
  Memory: 3 dumps of pid 4408 (e585e28.tmp) covering 0x0000000000400000-0x0000000002B9C000 (dump sequence numbers 13, 16, 50).
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid 4408, process e585e28.tmp (recorded 4 times)
- Suspicious use of SetWindowsHookEx (5 IoCs)
  pid 2688, process eee8f24df2c2acd4d3a0af577157f501e8d6e22430cb9de5547d15e4d3a484e1.exe (recorded 2 times)
  pid 4408, process e585e28.tmp (recorded 3 times)
- Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 2688 wrote to memory of 4408; pid 2688; process eee8f24df2c2acd4d3a0af577157f501e8d6e22430cb9de5547d15e4d3a484e1.exe; procid_target 104 (recorded 3 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\eee8f24df2c2acd4d3a0af577157f501e8d6e22430cb9de5547d15e4d3a484e1.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\eee8f24df2c2acd4d3a0af577157f501e8d6e22430cb9de5547d15e4d3a484e1.exe"
   PID: 2688
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\e585e28.tmp
      Command line: C:\Users\Admin\AppData\Local\Temp\e585e28.tmp
      PID: 4408
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 16.5MB
  MD5: ab4d9ec45b79e2c85a42ad41903c88a9
  SHA1: 60f9a8d8c7f159b8e1f2df26035190c915777abe
  SHA256: f858c1818b607224a90b1b26309e8553d4662a1dd42474beacb2bb2851d8c35a
  SHA512: c335e7f51a08369f4008290b74320bc0962260eac4c81244d6bddb28fd1512bf995f437487d955c71ba216c0e0aa500f7d01f0745975ca1eb74694d37f820415
  (The report lists this entry three times with identical hashes.)
Filesize
16.5MB
MD5ab4d9ec45b79e2c85a42ad41903c88a9
SHA160f9a8d8c7f159b8e1f2df26035190c915777abe
SHA256f858c1818b607224a90b1b26309e8553d4662a1dd42474beacb2bb2851d8c35a
SHA512c335e7f51a08369f4008290b74320bc0962260eac4c81244d6bddb28fd1512bf995f437487d955c71ba216c0e0aa500f7d01f0745975ca1eb74694d37f820415
-
Filesize
16.5MB
MD5ab4d9ec45b79e2c85a42ad41903c88a9
SHA160f9a8d8c7f159b8e1f2df26035190c915777abe
SHA256f858c1818b607224a90b1b26309e8553d4662a1dd42474beacb2bb2851d8c35a
SHA512c335e7f51a08369f4008290b74320bc0962260eac4c81244d6bddb28fd1512bf995f437487d955c71ba216c0e0aa500f7d01f0745975ca1eb74694d37f820415