8172182cc60b3a091cf272b7d3ce41d32d2c97968cfd888b43a1050b42183ba8

Analysis

max time kernel
145s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 02:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c5f8911d8dcc8ee91efdc45eb5eca09.exe
Size

6.6MB
MD5

4c5f8911d8dcc8ee91efdc45eb5eca09
SHA1

9e50dd5ce32015f91ae27a2bd698162d573a7d8e
SHA256

8172182cc60b3a091cf272b7d3ce41d32d2c97968cfd888b43a1050b42183ba8
SHA512

15d7040e351323762cca2471d158b169b46d676011ca9b8718f26b82a6c92853565a77ef185523c76fdce5cdb85fd1ec9713a0efe9acb2cbba56c96d43c30ee1
SSDEEP

98304:fzNY4cYhTqOGFupWnR6h/r1xPszftGzKGTlM+xATUzcZgaM6Fa2IF0TW:rNY4HhTqFup0Y/hxctGzMPXiYFaT0TW

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2036	FireStarter.exe

Loads dropped DLL 7 IoCs

pid	Process
2036	FireStarter.exe
2036	FireStarter.exe
2036	FireStarter.exe
2036	FireStarter.exe
2036	FireStarter.exe
2036	FireStarter.exe
2036	FireStarter.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1656-0-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral2/memory/1656-154-0x0000000000400000-0x000000000048E000-memory.dmp	upx

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2036	FireStarter.exe
2036	FireStarter.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 2036	1656	4c5f8911d8dcc8ee91efdc45eb5eca09.exe	29
PID 1656 wrote to memory of 2036	1656	4c5f8911d8dcc8ee91efdc45eb5eca09.exe	29
PID 1656 wrote to memory of 2036	1656	4c5f8911d8dcc8ee91efdc45eb5eca09.exe	29
PID 1656 wrote to memory of 2036	1656	4c5f8911d8dcc8ee91efdc45eb5eca09.exe	29
PID 1656 wrote to memory of 2036	1656	4c5f8911d8dcc8ee91efdc45eb5eca09.exe	29

C:\Users\Admin\AppData\Local\Temp\4c5f8911d8dcc8ee91efdc45eb5eca09.exe
"C:\Users\Admin\AppData\Local\Temp\4c5f8911d8dcc8ee91efdc45eb5eca09.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Windows\temp\ojrkpaxaav\FireStarter.exe
  C:\Windows\temp\ojrkpaxaav\FireStarter.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:2036

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\ojrkpaxaav\CCUtils.dll

Filesize
59KB

MD5
1b911925e4bef0b3773f8cff42aed9f8

SHA1
ce57476734adacd475dc02a86a848b46ee8df5ff

SHA256
07ab97463ae9d99e8128a1fb49a72f40bd0c1edd892a011f962fb4bd098dd6ac

SHA512
641dda055361508b9646317d7e718d47635eaddc468c9fd0c59a350ce3a835584424aff4f76bfb857913f2be42e6b410f27c2cb10bc551b5cdab57555f8bcba1

Download Submit
C:\Windows\Temp\ojrkpaxaav\CoffeeFlash.dll

Filesize
92KB

MD5
368db4a2f7bfe04a775e95a1f7dd6096

SHA1
aa071aaf2bf7c4b27873c5f98d9a7e06e38ac5f4

SHA256
326cca00bc9e7cb3590325ab5d92e65323191c957db655938a754278c4c6dfd8

SHA512
694eb9f15945b1d9f2dd8e794f59c08fac1e71c9a4749c6eecd4ab005adfd056551195c7fb33afaf25c23eb5e11a359c83425d15ba01b819e20231b79e04a5c7

Download Submit
C:\Windows\Temp\ojrkpaxaav\FireStarter.exe

Filesize
1.4MB

MD5
a6eba81e82c35e48e55bcdd19a959ec3

SHA1
7d5e758df1017d4921081159882fdf102b9cf6d5

SHA256
205dcda26ea4874bd955df6e509b90c7e47593501c27f08b0d7e5022838276e3

SHA512
6057ecc0cca5b1f3e8160625c59872acea815ada632694ed6db12581ec4533f7a47d47b547b2f2c033eff8a9a0b1a496111b59c97964ac2b7dd35f52ac5bcf72

Download Submit
C:\Windows\Temp\ojrkpaxaav\a6flash.dll

Filesize
68KB

MD5
9dc67d3df57ccab63ed57cddc94a9bf9

SHA1
9f9dfa08ec690fa4c66f5de67255f15c838d60e2

SHA256
ec3bce0df619952edcf5619b82910cf09f9806b1f7ec75400641a776bb9d88e6

SHA512
03e26eb10726c53b449540e316058c86e5cb690acf5ba3c3145b245f81d8aa2bd8ba070415a4959798b9d22dbf7b3b1ccc48337241cba30cd42a9ee26af12de7

Download Submit
C:\Windows\temp\ojrkpaxaav\COFFEEFLASH.DLL

Filesize
344KB

MD5
07c5be2431e313cd432ad3a0cb4161cd

SHA1
22869bf747327d3c8c38ed8d27a99de45e2f661f

SHA256
a64164b8e992bf2f7bf36692894dc58ef3b776736a81faaa78d1ffabd4bbd73e

SHA512
a752e9cd98198362f337586fb747ee28dbd3d21c00d0535f3f904ed78299e6d5521f989cacdc150fbb3eb951729f23a3b69f6405accafb7a15067fa4671698a2

Download Submit
C:\Windows\temp\ojrkpaxaav\FireStarter.exe

Filesize
92KB

MD5
05f5ac3ce8385f58768f5d0239185db6

SHA1
870ca57dcca16a018c4b9321f9496d98d2fa7d40

SHA256
f70cdce61f5c646aa6e9b5e821bcb732a4fe83f722b660ffc5d411401491b905

SHA512
d1bfba656ca7c1fb43f3ba0767f9fea70504b0cff2e4fdce8281f10a60c611d109609d8538049c94fe686339f3eb65f04abe0b0047b91ab03f1076f6717957e7

Download Submit
memory/1656-154-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1656-1-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/1656-0-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1656-160-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/2036-146-0x0000000000F80000-0x0000000000F94000-memory.dmp

Filesize
80KB

Download
memory/2036-149-0x0000000001000000-0x0000000001058000-memory.dmp

Filesize
352KB

Download
memory/2036-151-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/2036-156-0x0000000000F80000-0x0000000000F94000-memory.dmp

Filesize
80KB

Download
memory/2036-155-0x0000000000400000-0x00000000009CD000-memory.dmp

Filesize
5.8MB

Download
memory/2036-161-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download