Analysis
- max time kernel: 122s
- max time network: 128s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 29-12-2023 18:09
Behavioral task: behavioral1
- Sample: 00169ea6e3ce70bddfda6c5befda3084.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 00169ea6e3ce70bddfda6c5befda3084.exe
- Resource: win10v2004-20231215-en
General
- Target: 00169ea6e3ce70bddfda6c5befda3084.exe
- Size: 1.5MB
- MD5: 00169ea6e3ce70bddfda6c5befda3084
- SHA1: 4929f2714815c86f4e8d55fe40129501ae167eaa
- SHA256: ad2b4ffeb87fa58af474e931cfc4271b473a36ec46945e61263e983fa21c502a
- SHA512: 7817328af2164029d6d53350f805cbf32f45a5feb989f7025123017160ba2f38253eb25eae689c7c643fbb7760341ce6098611775f7ed20f2a913ce8a7cba9fc
- SSDEEP: 24576:6tnn98igOKptGDwPffv3Xp+vlrUCr2Rze0HSnlhgsvR98RW:6NXgOKpwGffvJ+RU6WeASnlz9k
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 2332, process 00169ea6e3ce70bddfda6c5befda3084.exe
- Executes dropped EXE (1 IoC)
  pid 2332, process 00169ea6e3ce70bddfda6c5befda3084.exe
- Loads dropped DLL (1 IoC)
  pid 2832, process 00169ea6e3ce70bddfda6c5befda3084.exe
- YARA rule matches (rule: upx), 4 resources
  behavioral1/memory/2832-0-0x0000000000400000-0x00000000008EF000-memory.dmp
  behavioral1/files/0x000a000000012243-10.dat
  behavioral1/files/0x000a000000012243-15.dat
  behavioral1/memory/2332-16-0x0000000000400000-0x00000000008EF000-memory.dmp
- Suspicious behavior: RenamesItself (1 IoC)
  pid 2832, process 00169ea6e3ce70bddfda6c5befda3084.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid 2832, process 00169ea6e3ce70bddfda6c5befda3084.exe
  pid 2332, process 00169ea6e3ce70bddfda6c5befda3084.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 2832 wrote to memory of 2332 | 2832 | 00169ea6e3ce70bddfda6c5befda3084.exe | 28
  PID 2832 wrote to memory of 2332 | 2832 | 00169ea6e3ce70bddfda6c5befda3084.exe | 28
  PID 2832 wrote to memory of 2332 | 2832 | 00169ea6e3ce70bddfda6c5befda3084.exe | 28
  PID 2832 wrote to memory of 2332 | 2832 | 00169ea6e3ce70bddfda6c5befda3084.exe | 28
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\00169ea6e3ce70bddfda6c5befda3084.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\00169ea6e3ce70bddfda6c5befda3084.exe"
  PID: 2832
  - Loads dropped DLL
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
- Level 2 (child of PID 2832): C:\Users\Admin\AppData\Local\Temp\00169ea6e3ce70bddfda6c5befda3084.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\00169ea6e3ce70bddfda6c5befda3084.exe
  PID: 2332
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Matrix
Downloads
- File 1
  Filesize: 646KB
  MD5: 7fa4fe0474124afa4e5918bd2d8c6aaf
  SHA1: b247f56a0a16583e0db2e24c75d04a0fe767864f
  SHA256: 1b9e9e0aebae8a3a1fbdef079c7a371ea3865ac8e15afa1192f7b9cfdf68d7bf
  SHA512: bac960c2740832efd58793e0d639a7510754a2ac7b7e6b3b91f3782d7c3625fb58489624486b6a9925700cf8a3673ffd935ee30d844e365034a6296db1ada43a
- File 2
  Filesize: 456KB
  MD5: 9dbaec2f041ef4579c55e476c2f03dda
  SHA1: e673f7e6c4323863a1a421ea519fe3558fa217ab
  SHA256: a703efeea7b03124442b835bbbb8b577d144a07487a3fc3ec4150793ca727ab7
  SHA512: e34753245f686e1441e46fbf8d86bfa31063eb8d2347de0cc7059c8b74b53d148bdfde4a0d492ead5703a1e9d3b030728f6664f92c73913ef255e2eb4b8d4a1c