Analysis
- max time kernel: 122s
- max time network: 128s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 22/12/2023, 12:52
Behavioral task: behavioral1
- Sample: 90b756764ad408cdd3ac6cafb7c1bfb8.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 90b756764ad408cdd3ac6cafb7c1bfb8.exe
- Resource: win10v2004-20231215-en
General
- Target: 90b756764ad408cdd3ac6cafb7c1bfb8.exe
- Size: 6.2MB
- MD5: 90b756764ad408cdd3ac6cafb7c1bfb8
- SHA1: 94cd07535f0f613f5d38fa23b7c970adbe7b4823
- SHA256: a9db58e1f44a7fb8dbd4551d33befb2296cbe0d4fd1e4686b0384d4adabc5cf8
- SHA512: 51f9f96f800175ca58acacebaf047eefbe64a93e9202e5a53ba52f6818bb911bdba999f082aded24d290b31ba64d3a15c8412ed74b8e860ee48bc93cc5f4e700
- SSDEEP: 196608:tBJwk8uCfNP2BqikjY+03zs1tRB4r8ZxzX:trV8ua8Tkj6Y1t8ar
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid   process                                    count
  2776  1B0D0F0B120E156F155F15D0F0B160C0C160B.exe  1
- Loads dropped DLL (3 IoCs)
  pid   process                                    count
  3016  90b756764ad408cdd3ac6cafb7c1bfb8.exe       2
  2776  1B0D0F0B120E156F155F15D0F0B160C0C160B.exe  1
- YARA rule matches (rule: vmprotect)
  resource                                                                     yara_rule
  behavioral1/memory/3016-0-0x0000000000400000-0x0000000001567000-memory.dmp   vmprotect
  behavioral1/memory/3016-1-0x0000000000400000-0x0000000001567000-memory.dmp   vmprotect
  behavioral1/files/0x000b0000000155e6-12.dat                                  vmprotect
  behavioral1/files/0x000b0000000155e6-10.dat                                  vmprotect
  behavioral1/files/0x000b0000000155e6-8.dat                                   vmprotect
  behavioral1/files/0x000b0000000155e6-6.dat                                   vmprotect
  behavioral1/memory/2776-14-0x0000000000400000-0x0000000001567000-memory.dmp  vmprotect
  behavioral1/memory/2776-16-0x0000000000400000-0x0000000001567000-memory.dmp  vmprotect
  behavioral1/memory/3016-19-0x0000000000400000-0x0000000001567000-memory.dmp  vmprotect
  behavioral1/files/0x000b0000000155e6-20.dat                                  vmprotect
  behavioral1/files/0x0035000000016fc4-23.dat                                  vmprotect
  behavioral1/memory/2776-26-0x0000000074860000-0x0000000074B8D000-memory.dmp  vmprotect
  behavioral1/memory/2776-31-0x0000000000400000-0x0000000001567000-memory.dmp  vmprotect
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid   process                                    count
  3016  90b756764ad408cdd3ac6cafb7c1bfb8.exe       6
  2776  1B0D0F0B120E156F155F15D0F0B160C0C160B.exe  8
- Suspicious use of FindShellTrayWindow (7 IoCs)
  pid   process                                    count
  2776  1B0D0F0B120E156F155F15D0F0B160C0C160B.exe  7
- Suspicious use of SendNotifyMessage (7 IoCs)
  pid   process                                    count
  2776  1B0D0F0B120E156F155F15D0F0B160C0C160B.exe  7
- Suspicious use of SetWindowsHookEx (4 IoCs)
  pid   process                                    count
  3016  90b756764ad408cdd3ac6cafb7c1bfb8.exe       2
  2776  1B0D0F0B120E156F155F15D0F0B160C0C160B.exe  2
- Suspicious use of WriteProcessMemory (4 IoCs)
  description                       pid   process                               procid_target  count
  PID 3016 wrote to memory of 2776  3016  90b756764ad408cdd3ac6cafb7c1bfb8.exe  28             4
Processes
- C:\Users\Admin\AppData\Local\Temp\90b756764ad408cdd3ac6cafb7c1bfb8.exe (PID 3016)
  command line: "C:\Users\Admin\AppData\Local\Temp\90b756764ad408cdd3ac6cafb7c1bfb8.exe"
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - child: C:\Users\Admin\AppData\Local\Temp\1B0D0F0B120E156F155F15D0F0B160C0C160B.exe (PID 2776)
    command line: C:\Users\Admin\AppData\Local\Temp\1B0D0F0B120E156F155F15D0F0B160C0C160B.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix
Downloads