Analysis
max time kernel: 142s
max time network: 98s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/12/2023, 05:51
Static task: static1
  1 signatures
Behavioral task: behavioral1
  Sample: 57fea7de50ed43f58a8e1a71c1f128c7.exe
  Resource: win7-20231215-en
  7 signatures
  150 seconds
Behavioral task: behavioral2
  Sample: 57fea7de50ed43f58a8e1a71c1f128c7.exe
  Resource: win10v2004-20231222-en
  6 signatures
  150 seconds
General
Target: 57fea7de50ed43f58a8e1a71c1f128c7.exe
Size: 385KB
MD5: 57fea7de50ed43f58a8e1a71c1f128c7
SHA1: 48c66878e56784515ed510dbd3b226521b47e142
SHA256: aa203466cf686e4e6e2bfd9a962378122882a8a03b05c2cd969820d61731a1ff
SHA512: 9813fb3b0c59ce73e118a0076750c82fac57ab80f04ae7f0da361ccb69e987f319b734cbdf92032a98218e5a6554a96db447ce55752b63ce8380b92b2a9c5d75
SSDEEP: 6144:Za0xJDNAD25tV6pMO9GchYrQjK3Gw6G7PK15zX9kQj6Z63CoMSchjunEW06Qn+7W:ZnxLAD2TV895G3GwhC15zNblxcr9+gB
Score: 7/10
Malware Config
Signatures

Deletes itself (1 IoCs)
  pid   Process
  4392  57fea7de50ed43f58a8e1a71c1f128c7.exe

Executes dropped EXE (1 IoCs)
  pid   Process
  4392  57fea7de50ed43f58a8e1a71c1f128c7.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

Suspicious behavior: RenamesItself (1 IoCs)
  pid   Process
  1408  57fea7de50ed43f58a8e1a71c1f128c7.exe

Suspicious use of UnmapMainImage (2 IoCs)
  pid   Process
  1408  57fea7de50ed43f58a8e1a71c1f128c7.exe
  4392  57fea7de50ed43f58a8e1a71c1f128c7.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                        pid   Process                               procid_target
  PID 1408 wrote to memory of 4392   1408  57fea7de50ed43f58a8e1a71c1f128c7.exe  21
  PID 1408 wrote to memory of 4392   1408  57fea7de50ed43f58a8e1a71c1f128c7.exe  21
  PID 1408 wrote to memory of 4392   1408  57fea7de50ed43f58a8e1a71c1f128c7.exe  21
Processes

C:\Users\Admin\AppData\Local\Temp\57fea7de50ed43f58a8e1a71c1f128c7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\57fea7de50ed43f58a8e1a71c1f128c7.exe"
  PID: 1408
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory

  Child process:
    C:\Users\Admin\AppData\Local\Temp\57fea7de50ed43f58a8e1a71c1f128c7.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\57fea7de50ed43f58a8e1a71c1f128c7.exe
    PID: 4392
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage