Analysis
max time kernel: 135s
max time network: 179s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/12/2023, 23:47
Behavioral task: behavioral1
Sample: 20879479e4f46888a7bb5d6a3a946900.exe
Resource: win7-20231215-en

Behavioral task: behavioral2
Sample: 20879479e4f46888a7bb5d6a3a946900.exe
Resource: win10v2004-20231215-en
General
Target: 20879479e4f46888a7bb5d6a3a946900.exe
Size: 2.9MB
MD5: 20879479e4f46888a7bb5d6a3a946900
SHA1: ef0cef3bf3c680599fe477f1ec34585571a2bf48
SHA256: e0eed2591854e891918ace5a80ed31a2274f1dd206e1beb03eadacf639df64ca
SHA512: f381398b842b02b24b12c7592f8253c89ed721efef63d340f2830063256a9309c5cd7c2906ca9f11a227596bdbab57a593baff38e746dea21653c26aaaf688ed
SSDEEP: 49152:Iw7xM9pM/UBMaBjndAPGITVCD5P4M338dB2IBlGuuDVUsdxxjeQZwxPYRKs:vsM/UFlni6D5gg3gnl/IVUs1jePs
Malware Config
Signatures
Deletes itself 1 IoCs
pid   Process
4992  20879479e4f46888a7bb5d6a3a946900.exe

Executes dropped EXE 1 IoCs
pid   Process
4992  20879479e4f46888a7bb5d6a3a946900.exe

resource                                                                     yara_rule
behavioral2/memory/2092-0-0x0000000000400000-0x00000000008EF000-memory.dmp   upx
behavioral2/files/0x00070000000231eb-11.dat                                  upx
behavioral2/memory/4992-12-0x0000000000400000-0x00000000008EF000-memory.dmp  upx

Suspicious behavior: RenamesItself 1 IoCs
pid   Process
2092  20879479e4f46888a7bb5d6a3a946900.exe

Suspicious use of UnmapMainImage 2 IoCs
pid   Process
2092  20879479e4f46888a7bb5d6a3a946900.exe
4992  20879479e4f46888a7bb5d6a3a946900.exe

Suspicious use of WriteProcessMemory 3 IoCs
description                       pid   Process                               procid_target
PID 2092 wrote to memory of 4992  2092  20879479e4f46888a7bb5d6a3a946900.exe  94
PID 2092 wrote to memory of 4992  2092  20879479e4f46888a7bb5d6a3a946900.exe  94
PID 2092 wrote to memory of 4992  2092  20879479e4f46888a7bb5d6a3a946900.exe  94
Processes
C:\Users\Admin\AppData\Local\Temp\20879479e4f46888a7bb5d6a3a946900.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\20879479e4f46888a7bb5d6a3a946900.exe"
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2092

    C:\Users\Admin\AppData\Local\Temp\20879479e4f46888a7bb5d6a3a946900.exe
      command line: C:\Users\Admin\AppData\Local\Temp\20879479e4f46888a7bb5d6a3a946900.exe
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of UnmapMainImage
      PID:4992
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 2.4MB
MD5: a976c48874b3fe4caec4b6a89d81102b
SHA1: 08eb7a5eb599ab817dd27fe10147a052d815cd10
SHA256: 669c5ea09782f925b8218ba13ee58721a55e801d6af4983224c013d47ca2042f
SHA512: 849ef648b9b829e55c6c328bcb5bd5e1476dbaad156fcb183186398b90576a7ddb40485cb5bd122a0f41307d6bc2c3b96c568c78dfa30e808904ef166bd9df05