Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31/12/2023, 13:47
Behavioral task behavioral1
- Sample: 38969f654f563235674655e0f8b41564.exe
- Resource: win7-20231215-en
Behavioral task behavioral2
- Sample: 38969f654f563235674655e0f8b41564.exe
- Resource: win10v2004-20231215-en
General
- Target: 38969f654f563235674655e0f8b41564.exe
- Size: 5.8MB
- MD5: 38969f654f563235674655e0f8b41564
- SHA1: 38ba48abc89c446e181b26c133244dbd1afd2ea4
- SHA256: cb7c3584ba94658628515b154ed577ae29afb4592ebef8e1723a169804bbc81b
- SHA512: 1fa7de850d8294ce8c7da71644394094e0480907669bd5552d90e15a70e8b97cc99a4cfc078d2aad3d9a24a5fa091b6fe20a1fde5dc06f3d1deaf8bc3f7cde67
- SSDEEP: 98304:g5Y6dSrbILhbpl4HBUCczzM3G7azKOmNb0uMyZmIZ4HBUCczzM3:3mSrM58WC1KOmFmbTWC
Malware Config
Signatures
- Deletes itself (1 IoCs)
  pid 5084, Process 38969f654f563235674655e0f8b41564.exe
- Executes dropped EXE (1 IoCs)
  pid 5084, Process 38969f654f563235674655e0f8b41564.exe
- resource / yara_rule
  behavioral2/memory/3448-0-0x0000000000400000-0x00000000008EF000-memory.dmp: upx
  behavioral2/files/0x000400000001e96f-11.dat: upx
- Suspicious behavior: RenamesItself (1 IoCs)
  pid 3448, Process 38969f654f563235674655e0f8b41564.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid 3448, Process 38969f654f563235674655e0f8b41564.exe
  pid 5084, Process 38969f654f563235674655e0f8b41564.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 3448 wrote to memory of 5084; pid 3448; Process 38969f654f563235674655e0f8b41564.exe; procid_target 89
  description: PID 3448 wrote to memory of 5084; pid 3448; Process 38969f654f563235674655e0f8b41564.exe; procid_target 89
  description: PID 3448 wrote to memory of 5084; pid 3448; Process 38969f654f563235674655e0f8b41564.exe; procid_target 89
Processes
- C:\Users\Admin\AppData\Local\Temp\38969f654f563235674655e0f8b41564.exe "C:\Users\Admin\AppData\Local\Temp\38969f654f563235674655e0f8b41564.exe" (PID 3448)
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\38969f654f563235674655e0f8b41564.exe C:\Users\Admin\AppData\Local\Temp\38969f654f563235674655e0f8b41564.exe (PID 5084)
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 349KB
- MD5: 97d3bc4e8b5e727e6727682f2d9963d4
- SHA1: 017e6a9a3ec37bbdf905a73b66f31a7905e52653
- SHA256: 11433f351c6f533b1eb5ffd2194aa1b693469dbdfe487044f75c54f39c98bfca
- SHA512: 3a71a0265e904d8b2a3c39be18b7e09dc593c983b41ccc049e766127e5747853e21c0ef8162cb7928184886660edcd15b063ea636acf4d8a2568e82ee6348628