Analysis
-
max time kernel
118s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system -
submitted
30-12-2023 22:31
Behavioral task
behavioral1
Sample
1e885063fbb0203ce46a571898f9400c.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
1e885063fbb0203ce46a571898f9400c.exe
Resource
win10v2004-20231215-en
General
-
Target
1e885063fbb0203ce46a571898f9400c.exe
-
Size
527KB
-
MD5
1e885063fbb0203ce46a571898f9400c
-
SHA1
8f9027cfe639eea3aeaf8fb6ae28c78684b035f8
-
SHA256
851468f5348c539679922e3fdbd01bf079956087c15ab6d7f0f9ad4682831086
-
SHA512
2aa2a8e45e042400c615644c2079c802f042b3b71ac6509fe85d97b08cda2a369fdbc16f0953bc53c1ba08fdc6f42f8c75e327c45f6cb5ecdead7bb0cb31ccfc
-
SSDEEP
6144:Pnuyn2fQ6ktHznbQQ7wYoVrXWooNtKlCTc9jHe6VuzdFPZGzLI2hXWaBn4GgmRh6:PT2Y19UVVrXboCzE2lBFr5z2/
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid   Process
2188  1e885063fbb0203ce46a571898f9400c~.exe
-
Loads dropped DLL 4 IoCs
pid   Process
2184  1e885063fbb0203ce46a571898f9400c.exe
2188  1e885063fbb0203ce46a571898f9400c~.exe
2188  1e885063fbb0203ce46a571898f9400c~.exe
2188  1e885063fbb0203ce46a571898f9400c~.exe
-
resource                                                                     yara_rule
behavioral1/memory/2184-0-0x0000000000400000-0x0000000000431000-memory.dmp   upx
behavioral1/memory/2184-11-0x0000000000400000-0x0000000000431000-memory.dmp  upx
-
Adds Run key to start application 2 TTPs 1 IoCs
description      ioc                                                                                                                                                              Process
Set value (str)  \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\AVP32 = "C:\\Users\\Admin\\AppData\\Roaming\\svxost.exe"  1e885063fbb0203ce46a571898f9400c.exe
-
Suspicious use of WriteProcessMemory 7 IoCs
description                        pid   Process                               procid_target
PID 2184 wrote to memory of 2188   2184  1e885063fbb0203ce46a571898f9400c.exe  28
PID 2184 wrote to memory of 2188   2184  1e885063fbb0203ce46a571898f9400c.exe  28
PID 2184 wrote to memory of 2188   2184  1e885063fbb0203ce46a571898f9400c.exe  28
PID 2184 wrote to memory of 2188   2184  1e885063fbb0203ce46a571898f9400c.exe  28
PID 2184 wrote to memory of 2188   2184  1e885063fbb0203ce46a571898f9400c.exe  28
PID 2184 wrote to memory of 2188   2184  1e885063fbb0203ce46a571898f9400c.exe  28
PID 2184 wrote to memory of 2188   2184  1e885063fbb0203ce46a571898f9400c.exe  28
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\1e885063fbb0203ce46a571898f9400c.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1e885063fbb0203ce46a571898f9400c.exe"
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2184 -
2. C:\Users\Admin\AppData\Local\Temp\1e885063fbb0203ce46a571898f9400c~.exe
   Command line: C:\Users\Admin\AppData\Local\Temp\\1e885063fbb0203ce46a571898f9400c~.exe
- Executes dropped EXE
- Loads dropped DLL
PID:2188
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
466KB
MD5
42040305f6418adec94913387ada8070
SHA1
a6492f5cf915b07413c29698359f13bea440ff08
SHA256
dec837086904ebb591566f60027c64b01c2dd722e17c5edda33b6a7bcb7e1efb
SHA512
bd24ac488ec13e142563df60aca315bcf3b9214681d86bd07dd6da9e6611d551ad8cc9492c8f5cddcb7bed12ce01e0df042bd5ed0c06fb4befaf91b398d288e1