Analysis
max time kernel: 122s
max time network: 225s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 30/12/2023, 02:10
Static task: static1
Behavioral task: behavioral1
  Sample: 0b316ec98c9320a130414c944ce757b6.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 0b316ec98c9320a130414c944ce757b6.exe
  Resource: win10v2004-20231215-en
General
Target: 0b316ec98c9320a130414c944ce757b6.exe
Size: 907KB
MD5: 0b316ec98c9320a130414c944ce757b6
SHA1: e020244caa929100ab776246597cd8516aed588a
SHA256: 86df16f3d06cebd640d3ea90d2829353d3fd917c387c51074f00f28601a256a0
SHA512: e784a06520160f05c7ca1788fc694396896c6a37e98e850efbc5d3721964fa42606989eba364702131c60952093220ab24e35142b0e2abf2e54cc311905b1c45
SSDEEP: 24576:zuMwJFlSyCG7jEdeaY/KpiIBkiZyVeR1Aa/ZS1:WJbh6m/LIBhKeR1AgS
Malware Config
Signatures
Deletes itself (1 IoC)
  pid 2740  0b316ec98c9320a130414c944ce757b6.exe

Executes dropped EXE (1 IoC)
  pid 2740  0b316ec98c9320a130414c944ce757b6.exe

Loads dropped DLL (1 IoC)
  pid 2596  0b316ec98c9320a130414c944ce757b6.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP)
  (no IoC rows recorded for this signature)

Suspicious behavior: RenamesItself (1 IoC)
  pid 2596  0b316ec98c9320a130414c944ce757b6.exe

Suspicious use of UnmapMainImage (2 IoCs)
  pid 2596  0b316ec98c9320a130414c944ce757b6.exe
  pid 2740  0b316ec98c9320a130414c944ce757b6.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  description                          pid   process                                procid_target
  PID 2596 wrote to memory of 2740     2596  0b316ec98c9320a130414c944ce757b6.exe   29
  PID 2596 wrote to memory of 2740     2596  0b316ec98c9320a130414c944ce757b6.exe   29
  PID 2596 wrote to memory of 2740     2596  0b316ec98c9320a130414c944ce757b6.exe   29
  PID 2596 wrote to memory of 2740     2596  0b316ec98c9320a130414c944ce757b6.exe   29
Processes
1. C:\Users\Admin\AppData\Local\Temp\0b316ec98c9320a130414c944ce757b6.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0b316ec98c9320a130414c944ce757b6.exe"
   PID: 2596
   - Loads dropped DLL
   - Suspicious behavior: RenamesItself
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\0b316ec98c9320a130414c944ce757b6.exe (child of PID 2596)
      Command line: C:\Users\Admin\AppData\Local\Temp\0b316ec98c9320a130414c944ce757b6.exe
      PID: 2740
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of UnmapMainImage
-
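The Signatures and Processes sections above record a parent (PID 2596) that unmaps its main image, launches a child running the same path (PID 2740), writes into that child four times, and the child then unmaps its own image and deletes itself. The script below is an added example, not tooling from the sandbox vendor or from the sample: it transcribes those records into structured data and runs three triage rules over them. The rule names and the "hollowing-like" label are this script's own heuristics; the report itself does not name the technique.

```python
"""Triage rules over the IoC records of a flattened sandbox report.

Added example, not part of the report or the sandbox's own tooling.  The
process tree and WriteProcessMemory rows are transcribed from the report
above; the rule names are this script's own assumptions.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

SAMPLE = "0b316ec98c9320a130414c944ce757b6.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"


@dataclass
class Proc:
    pid: int
    image: str
    parent: Optional[int]
    flags: set = field(default_factory=set)


# Process tree as listed under "Processes": 2596 is the top-level launch,
# 2740 its child; both run the same on-disk path.
PROCESSES = {
    2596: Proc(2596, f"{TEMP}\\{SAMPLE}", None,
               {"Loads dropped DLL", "RenamesItself", "UnmapMainImage",
                "WriteProcessMemory"}),
    2740: Proc(2740, f"{TEMP}\\{SAMPLE}", 2596,
               {"Deletes itself", "Executes dropped EXE", "UnmapMainImage"}),
}

# "Suspicious use of WriteProcessMemory": four identical (source, target)
# rows in the report; kept as four entries so the repetition is counted.
WRITE_PROCESS_MEMORY = [(2596, 2740)] * 4


def image_name(path: str) -> str:
    """Basename of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def assess(procs: dict, wpm: list) -> list:
    """Return findings as dicts with the rule name, PIDs involved and evidence."""
    findings = []
    for (src, dst), n in Counter(wpm).items():
        s, d = procs.get(src), procs.get(dst)
        if s is None or d is None:
            continue
        # Rule 1: a parent writes into a child that runs the very same image,
        # i.e. the child was started only to have its memory overwritten.
        if d.parent == src and image_name(s.image) == image_name(d.image):
            findings.append({
                "rule": "parent_writes_into_same_image_child",
                "pids": (src, dst),
                "evidence": f"{n} WriteProcessMemory record(s) {src} -> {dst}",
            })
            # Rule 2: both sides also unmapped their main image.  Unmap on the
            # target plus writes from the parent is the combination usually
            # associated with process hollowing (heuristic label, assumed here).
            if "UnmapMainImage" in s.flags and "UnmapMainImage" in d.flags:
                findings.append({
                    "rule": "hollowing_like_unmap_and_write",
                    "pids": (src, dst),
                    "evidence": "UnmapMainImage on both source and target",
                })
    # Rule 3: the executing copy removes its own on-disk trace.
    for p in procs.values():
        if "Deletes itself" in p.flags:
            findings.append({
                "rule": "self_delete",
                "pids": (p.pid,),
                "evidence": f"{image_name(p.image)} deletes itself",
            })
    return findings


def rules_fired(findings: list) -> list:
    """Sorted, de-duplicated rule names, handy for a quick verdict line."""
    return sorted({f["rule"] for f in findings})


if __name__ == "__main__":
    for f in assess(PROCESSES, WRITE_PROCESS_MEMORY):
        print(f"[{f['rule']}] pids={f['pids']}: {f['evidence']}")
```

The same rules apply unchanged to any report where the parent/child share an image path; feeding a benign tree (child with a different image, no UnmapMainImage) yields no rule 1 or rule 2 findings, which is the check worth running before trusting the heuristic.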
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 190KB
  MD5: a4e09fe3fddb8ea8688b370fd700ed06
  SHA1: d019fa508bbfd637e4b8e2f2deeb7ff2bd3bcef6
  SHA256: 1cf21730d0f7c596383e4814fbac976d8b1a7012a47034146f438afbdf3c8ba3
  SHA512: d68be611cc28865460f37207204999046b8f45f821202d4c25e6517d70d9fe868c05f203dc1e3f803b3583cad4d5a3261ab4bc0890b870bb17fc3d6db364939e

Filesize: 65KB
  MD5: ac05d27423a85adc1622c714f2cb6184
  SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
  SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
  SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Filesize: 76KB
  MD5: 7395e1124cc09d781809891ff0cb4928
  SHA1: de73611869605ff8f4dfeae887529e3a22d3f640
  SHA256: f8217d6e38203ce393b17828bb7d0446c4ca10960ca6f8e3be9f11cf1278b918
  SHA512: 07acd933d92f79a651636a06b77bccee2d13983bffe480bf8fb171d4da74f5b9866e6c0a00d900df154a2552251e67b28b400032edb25ee7ca664455c5a46576

Filesize: 907KB
  MD5: f263932a6220ff7be5ef416698ed0c1b
  SHA1: 0cf9a6e8fb3b32286680783f3388ea14735a59ce
  SHA256: 5a938468e228834439fb5f4d8763715c26989e9f335ba04b277b2c0275f661fd
  SHA512: f517b8c384dc89bc94653bc2d631ef9a892a4338556e84ae2ba49427094135ba194e0f0849741e88e176ade3b60ef2286d267b0ddb0fd69cdb7847d05f0592d9

Note: the 907KB artifact matches the submitted sample in size but not in any hash (sample MD5 0b316ec98c9320a130414c944ce757b6), so it is a distinct file; the report does not record where it was written or which process produced it.