cf2c46a808a624a013375822d0b8125d131cf00e6edfd4ab36883457cea44141

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 04:31 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5462051b36b09b653e2933d2c0223d01.exe
Size

295KB
MD5

5462051b36b09b653e2933d2c0223d01
SHA1

ade00ae20fd3a9568127a0bd1269fe4eb4a597ff
SHA256

cf2c46a808a624a013375822d0b8125d131cf00e6edfd4ab36883457cea44141
SHA512

b6a680203ac72a96a47ae9e4e2e5ebff212e43530d9dd8f353496849573fc3f8d265acc77676ab5f98f7183a8aa9c00e0442ffc4bfb36d7a7cc2156bc473a457
SSDEEP

6144:Ccr3o6DxHg45rb2gmFVUHJ99Ol/0Pq67YO6Y6w+m+CI1fe25JoS:Ccr7xHNb2gV7Akq674Y61m+Cwfe25JoS

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2848	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1540	neter.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2256-0-0x0000000000400000-0x0000000000493000-memory.dmp	upx
behavioral1/files/0x0008000000012281-3.dat	upx
behavioral1/files/0x0008000000012281-6.dat	upx
behavioral1/memory/2256-13-0x0000000000400000-0x0000000000493000-memory.dmp	upx
behavioral1/memory/2828-18-0x0000000000400000-0x0000000000493000-memory.dmp	upx
behavioral1/memory/1540-21-0x0000000000400000-0x0000000000493000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1540 set thread context of 2828	1540	neter.exe	29

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\NetMeeting\neter.exe	5462051b36b09b653e2933d2c0223d01.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 2848	2256	5462051b36b09b653e2933d2c0223d01.exe	31
PID 2256 wrote to memory of 2848	2256	5462051b36b09b653e2933d2c0223d01.exe	31
PID 2256 wrote to memory of 2848	2256	5462051b36b09b653e2933d2c0223d01.exe	31
PID 2256 wrote to memory of 2848	2256	5462051b36b09b653e2933d2c0223d01.exe	31
PID 1540 wrote to memory of 2828	1540	neter.exe	29
PID 1540 wrote to memory of 2828	1540	neter.exe	29
PID 1540 wrote to memory of 2828	1540	neter.exe	29
PID 1540 wrote to memory of 2828	1540	neter.exe	29
PID 1540 wrote to memory of 2828	1540	neter.exe	29
PID 1540 wrote to memory of 2828	1540	neter.exe	29

C:\Users\Admin\AppData\Local\Temp\5462051b36b09b653e2933d2c0223d01.exe
"C:\Users\Admin\AppData\Local\Temp\5462051b36b09b653e2933d2c0223d01.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\344649.bat
  2⤵
  - Deletes itself
  PID:2848

C:\Program Files (x86)\NetMeeting\neter.exe
"C:\Program Files (x86)\NetMeeting\neter.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1540
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\system32\svchost.exe" 42408
  2⤵
  PID:2828

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\NetMeeting\neter.exe

Filesize
295KB

MD5
5462051b36b09b653e2933d2c0223d01

SHA1
ade00ae20fd3a9568127a0bd1269fe4eb4a597ff

SHA256
cf2c46a808a624a013375822d0b8125d131cf00e6edfd4ab36883457cea44141

SHA512
b6a680203ac72a96a47ae9e4e2e5ebff212e43530d9dd8f353496849573fc3f8d265acc77676ab5f98f7183a8aa9c00e0442ffc4bfb36d7a7cc2156bc473a457

Download Submit
C:\Program Files (x86)\NetMeeting\neter.exe

Filesize
137KB

MD5
f5efa57f3b788f14894aeba3365a3a55

SHA1
262aba2f72ed47fb0f2b6129a54753e7a8e8d629

SHA256
aea43f53edd2e0a7c01ffc52e7d154a1a2e352573a78ef6c1a282701d673f7fa

SHA512
61902a0a3b1690a32cda466748803f76acb7437f069eebd8aa5770fbfaefaac72bbe2643963ebee357c6915a74fba6cb8d587664535a46070005693e00a94d86

Download Submit
C:\Users\Admin\AppData\Local\Temp\344649.bat

Filesize
190B

MD5
960808eed1bb606157543fdaecc8c4cc

SHA1
c313978984138441f82fe13ae27fafe547b5ac66

SHA256
2a5256772b3ba9c77b44e0985eb1684bb6aa9d5274e24a58f16c26a6df6d98a3

SHA512
10f4143a1c2d30d9b01602c8f893d0ef733b406f0adb4499533c6446a8c43b9783e02f96b1d9462815edaee4babcd895846aee45927399714390de3431786d05

Download Submit
memory/1540-4-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1540-21-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/2256-0-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/2256-1-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2256-13-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/2828-16-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/2828-18-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/2828-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download