b4664bce05811dbb456b5102052ac0d5cf73806e76f39aeea6d9de830abae75e

Analysis

max time kernel
142s
max time network
122s
platform
windows10-1703_x64
resource
win10-20231129-en
resource tags

arch:x64arch:x86image:win10-20231129-enlocale:en-usos:windows10-1703-x64system
submitted
11/12/2023, 21:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b4664bce05811dbb456b5102052ac0d5cf73806e76f39aeea6d9de830abae75e.exe
Size

7.5MB
MD5

cc5db2764ea1b0d820b550aebd07f02c
SHA1

341027f1039a9b5c7ca0926e78abc333941df245
SHA256

b4664bce05811dbb456b5102052ac0d5cf73806e76f39aeea6d9de830abae75e
SHA512

b31d6d9a4c159f2c18ed6913c943dba8f6e82af2b5492e19a0da7427e504764ec1dbef7076f1432d216355828383546b071145bda12a6d1acde9fe3094e7e9d2
SSDEEP

196608:lO78pimeIjZMmsj7bXzjl3iT1A9SG7ul2xdVNWiYmJE6RI6zj:478pimNjMDzjl3dQAdVN1YyRPzj

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3400	b4664bce05811dbb456b5102052ac0d5cf73806e76f39aeea6d9de830abae75e.tmp

Loads dropped DLL 3 IoCs

pid	Process
3400	b4664bce05811dbb456b5102052ac0d5cf73806e76f39aeea6d9de830abae75e.tmp
3400	b4664bce05811dbb456b5102052ac0d5cf73806e76f39aeea6d9de830abae75e.tmp
3400	b4664bce05811dbb456b5102052ac0d5cf73806e76f39aeea6d9de830abae75e.tmp

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\PlayGIF\uninstall\is-TLLIO.tmp	b4664bce05811dbb456b5102052ac0d5cf73806e76f39aeea6d9de830abae75e.tmp
File created	C:\Program Files (x86)\PlayGIF\stuff\is-4MISO.tmp	b4664bce05811dbb456b5102052ac0d5cf73806e76f39aeea6d9de830abae75e.tmp
File created	C:\Program Files (x86)\PlayGIF\stuff\is-035J0.tmp	b4664bce05811dbb456b5102052ac0d5cf73806e76f39aeea6d9de830abae75e.tmp
File created	C:\Program Files (x86)\PlayGIF\stuff\is-AMBND.tmp	b4664bce05811dbb456b5102052ac0d5cf73806e76f39aeea6d9de830abae75e.tmp
File created	C:\Program Files (x86)\PlayGIF\stuff\is-POTNM.tmp	b4664bce05811dbb456b5102052ac0d5cf73806e76f39aeea6d9de830abae75e.tmp
File created	C:\Program Files (x86)\PlayGIF\uninstall\unins000.dat	b4664bce05811dbb456b5102052ac0d5cf73806e76f39aeea6d9de830abae75e.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3400	b4664bce05811dbb456b5102052ac0d5cf73806e76f39aeea6d9de830abae75e.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1516 wrote to memory of 3400	1516	b4664bce05811dbb456b5102052ac0d5cf73806e76f39aeea6d9de830abae75e.exe	73
PID 1516 wrote to memory of 3400	1516	b4664bce05811dbb456b5102052ac0d5cf73806e76f39aeea6d9de830abae75e.exe	73
PID 1516 wrote to memory of 3400	1516	b4664bce05811dbb456b5102052ac0d5cf73806e76f39aeea6d9de830abae75e.exe	73

C:\Users\Admin\AppData\Local\Temp\b4664bce05811dbb456b5102052ac0d5cf73806e76f39aeea6d9de830abae75e.exe
"C:\Users\Admin\AppData\Local\Temp\b4664bce05811dbb456b5102052ac0d5cf73806e76f39aeea6d9de830abae75e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1516
- C:\Users\Admin\AppData\Local\Temp\is-QS9VE.tmp\b4664bce05811dbb456b5102052ac0d5cf73806e76f39aeea6d9de830abae75e.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-QS9VE.tmp\b4664bce05811dbb456b5102052ac0d5cf73806e76f39aeea6d9de830abae75e.tmp" /SL5="$6019C,7611198,68096,C:\Users\Admin\AppData\Local\Temp\b4664bce05811dbb456b5102052ac0d5cf73806e76f39aeea6d9de830abae75e.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of FindShellTrayWindow
  PID:3400

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-QS9VE.tmp\b4664bce05811dbb456b5102052ac0d5cf73806e76f39aeea6d9de830abae75e.tmp

Filesize
27KB

MD5
35c193e80e59bfc6268ee3172713a640

SHA1
1e5334e8c7cba2224f43d62e043beb69064363a9

SHA256
6a4674bc69d9b62084cc5cf97fc93ca81c82bc31d7868e40d3558c3dbc025f96

SHA512
db259712f02ee60282f23a09db30c018e3a5d4c2c292c129b4d1d08d913247304235508d1fe9ea534f62f9c26c9274c4ee1e45e20ce4a75dd60edda561a81b05

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QS9VE.tmp\b4664bce05811dbb456b5102052ac0d5cf73806e76f39aeea6d9de830abae75e.tmp

Filesize
34KB

MD5
09987b920bdcda3c13f439164fdb73b1

SHA1
b0d8dbc46622c5af038070b5564fe4b058e036da

SHA256
18c8441cddc804a634422a302c25d7456658fbec95f37daa69d79a3c89a7cefc

SHA512
404e7fac6f8168562117b7d7171efb13609e6b0fd3da569a8453fe9b1198c6faf0bef7d4427a463344167f4a24cace53b0e334e54c153e67dc993b78bb49cb67

Download Submit
\Users\Admin\AppData\Local\Temp\is-P4HV0.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-P4HV0.tmp\_isetup\_isdecmp.dll

Filesize
19KB

MD5
3adaa386b671c2df3bae5b39dc093008

SHA1
067cf95fbdb922d81db58432c46930f86d23dded

SHA256
71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38

SHA512
bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303

Download Submit
memory/1516-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1516-2-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1516-36-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3400-7-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/3400-37-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/3400-40-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download