5d9849035ceaa13c950023ac6f72f46350bf79e9d61c26fb6e99311723a06d0c

Analysis

max time kernel
118s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 22:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e654c9a9d50429e6518be707fa13436.exe
Size

133KB
MD5

1e654c9a9d50429e6518be707fa13436
SHA1

e754b7c316734e7dd684e7088cafd85f93dd96c5
SHA256

5d9849035ceaa13c950023ac6f72f46350bf79e9d61c26fb6e99311723a06d0c
SHA512

14c2e6e752f5cd0a2af94eabf4f3cb7510b32167ee03170c7e5132564caf64df8c4027dc872d7578ba25269ae9163cb53a19abbd58a033b4fc87340514678221
SSDEEP

3072:gXX+sTApmtsxL5lgIlOj5BPauIACn/fBjCvlQ:cXZUm2xvSSACn3BQQ

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2292	1e654c9a9d50429e6518be707fa13436.exe

Executes dropped EXE 1 IoCs

pid	Process
2292	1e654c9a9d50429e6518be707fa13436.exe

Loads dropped DLL 1 IoCs

pid	Process
2980	1e654c9a9d50429e6518be707fa13436.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0009000000012262-11.dat	upx
behavioral1/memory/2980-0-0x0000000000400000-0x0000000000486000-memory.dmp	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2980	1e654c9a9d50429e6518be707fa13436.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2980	1e654c9a9d50429e6518be707fa13436.exe
2292	1e654c9a9d50429e6518be707fa13436.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 2292	2980	1e654c9a9d50429e6518be707fa13436.exe	15
PID 2980 wrote to memory of 2292	2980	1e654c9a9d50429e6518be707fa13436.exe	15
PID 2980 wrote to memory of 2292	2980	1e654c9a9d50429e6518be707fa13436.exe	15
PID 2980 wrote to memory of 2292	2980	1e654c9a9d50429e6518be707fa13436.exe	15

C:\Users\Admin\AppData\Local\Temp\1e654c9a9d50429e6518be707fa13436.exe
C:\Users\Admin\AppData\Local\Temp\1e654c9a9d50429e6518be707fa13436.exe
1⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of UnmapMainImage
PID:2292

C:\Users\Admin\AppData\Local\Temp\1e654c9a9d50429e6518be707fa13436.exe
"C:\Users\Admin\AppData\Local\Temp\1e654c9a9d50429e6518be707fa13436.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2980

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab844F.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
\Users\Admin\AppData\Local\Temp\1e654c9a9d50429e6518be707fa13436.exe

Filesize
133KB

MD5
ced2bad85217086ad90d26cbb74094bf

SHA1
7f22942a00a36915aeeb98d34f4802c796a4c76b

SHA256
bac08a36e32d750131a985723f4599de7d2c1a9ac7f7343763100cd4996ac27f

SHA512
be9a0a545fda7a96d11656511f5b24359b3c1c74a84d9b9a724d854bc20f37472ea03819bead935b7615fc82405d8cc53799e6f8bf3658f2dcc7a7115636d28c

Download Submit
memory/2292-18-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2292-20-0x0000000000150000-0x0000000000171000-memory.dmp

Filesize
132KB

Download
memory/2292-41-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2980-2-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2980-1-0x0000000000150000-0x0000000000171000-memory.dmp

Filesize
132KB

Download
memory/2980-0-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2980-15-0x0000000000190000-0x0000000000216000-memory.dmp

Filesize
536KB

Download
memory/2980-14-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download