Analysis
-
max time kernel
150s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system -
submitted
31-12-2023 19:03
Static task
static1
Behavioral task
behavioral1
Sample
3acf8f746f2e1a1b5d7681cdfdb72e84.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
3acf8f746f2e1a1b5d7681cdfdb72e84.exe
Resource
win10v2004-20231222-en
General
-
Target
3acf8f746f2e1a1b5d7681cdfdb72e84.exe
-
Size
525KB
-
MD5
3acf8f746f2e1a1b5d7681cdfdb72e84
-
SHA1
37b2379fea3f9feb6092dbe84221cb84fac59776
-
SHA256
7df1efc18c6787cb6f9d6eb009c7f92f4d7d6fc5404f5b3569f39139acaa3475
-
SHA512
8f98d1e63a48c8df909df1b9147e828501ce453a3a939f1727b75447b42038351701c54234b3e18ab53dbd362acf054c3cc27eb7c78d2e15b8fbaae08554711e
-
SSDEEP
12288:ol3h6WdTvq+bsRYWuC/16hwTtN32XaqCOaBH0sZx9kW8Ih:23NNvqIs+dCtVtjH0sZsJIh
Malware Config
Signatures
-
Executes dropped EXE 4 IoCs
pid   Process
804   gidh4afou5xafneajserb.exe
2640  tnuabhzmgrva.exe
2288  ifskzqnwshxr.exe
2864  tnuabhzmgrva.exe
-
Loads dropped DLL 5 IoCs
pid   Process
2200  3acf8f746f2e1a1b5d7681cdfdb72e84.exe
2200  3acf8f746f2e1a1b5d7681cdfdb72e84.exe
2640  tnuabhzmgrva.exe
2640  tnuabhzmgrva.exe
804   gidh4afou5xafneajserb.exe
-
Drops file in Windows directory 5 IoCs
description   ioc                                     Process
File created  C:\Windows\vbipruzwcrbusx\natpwrbqbj2   tnuabhzmgrva.exe
File created  C:\Windows\vbipruzwcrbusx\natpwrbqbj2   3acf8f746f2e1a1b5d7681cdfdb72e84.exe
File created  C:\Windows\vbipruzwcrbusx\natpwrbqbj2   gidh4afou5xafneajserb.exe
File created  C:\Windows\vbipruzwcrbusx\natpwrbqbj2   tnuabhzmgrva.exe
File created  C:\Windows\vbipruzwcrbusx\natpwrbqbj2   ifskzqnwshxr.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid   Process
2640  tnuabhzmgrva.exe
2288  ifskzqnwshxr.exe   (this row is repeated for the remaining 63 entries)
-
Suspicious use of WriteProcessMemory 12 IoCs
description                        pid   Process                                procid_target
PID 2200 wrote to memory of 804    2200  3acf8f746f2e1a1b5d7681cdfdb72e84.exe   28
PID 2200 wrote to memory of 804    2200  3acf8f746f2e1a1b5d7681cdfdb72e84.exe   28
PID 2200 wrote to memory of 804    2200  3acf8f746f2e1a1b5d7681cdfdb72e84.exe   28
PID 2200 wrote to memory of 804    2200  3acf8f746f2e1a1b5d7681cdfdb72e84.exe   28
PID 2640 wrote to memory of 2288   2640  tnuabhzmgrva.exe                       29
PID 2640 wrote to memory of 2288   2640  tnuabhzmgrva.exe                       29
PID 2640 wrote to memory of 2288   2640  tnuabhzmgrva.exe                       29
PID 2640 wrote to memory of 2288   2640  tnuabhzmgrva.exe                       29
PID 804 wrote to memory of 2864    804   gidh4afou5xafneajserb.exe              31
PID 804 wrote to memory of 2864    804   gidh4afou5xafneajserb.exe              31
PID 804 wrote to memory of 2864    804   gidh4afou5xafneajserb.exe              31
PID 804 wrote to memory of 2864    804   gidh4afou5xafneajserb.exe              31
Processes
-
1. Image: C:\Users\Admin\AppData\Local\Temp\3acf8f746f2e1a1b5d7681cdfdb72e84.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3acf8f746f2e1a1b5d7681cdfdb72e84.exe"
   - Loads dropped DLL
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory
   PID: 2200
   2. Image: C:\vbipruzwcrbusx\gidh4afou5xafneajserb.exe
      Command line: "C:\vbipruzwcrbusx\gidh4afou5xafneajserb.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      PID: 804
      3. Image: C:\vbipruzwcrbusx\tnuabhzmgrva.exe
         Command line: "C:\vbipruzwcrbusx\tnuabhzmgrva.exe"
         - Executes dropped EXE
         - Drops file in Windows directory
         PID: 2864

1. Image: C:\vbipruzwcrbusx\ifskzqnwshxr.exe
   Command line: zne2n56yaktv "c:\vbipruzwcrbusx\tnuabhzmgrva.exe"
   - Executes dropped EXE
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   PID: 2288

1. Image: C:\vbipruzwcrbusx\tnuabhzmgrva.exe
   Command line: C:\vbipruzwcrbusx\tnuabhzmgrva.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   PID: 2640
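The process tree above shows PID 2288 and PID 2640 as separate top-level entries, while the WriteProcessMemory signature records 2640 writing into 2288, and the 2200 -> 804 -> 2864 chain matches the tree exactly. The script below is an added example (not the sandbox's own code or export format): it takes the PIDs, image paths, write pairs and dropped-file path transcribed from this report, collapses the repeated write events, rebuilds the lineage chains from them, and flags the two IoC patterns a hunter would carry away: executables launched from a random lowercase directory directly under the drive root, and reuse of that same directory name under C:\Windows for the dropped file. The record layout and the ROOT_RANDOM_DIR heuristic are assumptions of this example.

```python
"""Lineage and IoC checks over events transcribed from the sandbox report.

Added example, not the sandbox's code. PIDs, image paths, WriteProcessMemory
pairs and the dropped-file path are copied from the report; the data layout
and the ROOT_RANDOM_DIR heuristic are assumptions of this example.
"""
import re
from collections import defaultdict

# pid -> image path, transcribed from the "Processes" section.
PROCESSES = {
    2200: r"C:\Users\Admin\AppData\Local\Temp\3acf8f746f2e1a1b5d7681cdfdb72e84.exe",
    804: r"C:\vbipruzwcrbusx\gidh4afou5xafneajserb.exe",
    2864: r"C:\vbipruzwcrbusx\tnuabhzmgrva.exe",
    2288: r"C:\vbipruzwcrbusx\ifskzqnwshxr.exe",
    2640: r"C:\vbipruzwcrbusx\tnuabhzmgrva.exe",
}

# (writer pid, target pid), transcribed from "Suspicious use of
# WriteProcessMemory"; the report lists every pair four times.
WPM_EVENTS = [
    (2200, 804), (2200, 804), (2200, 804), (2200, 804),
    (2640, 2288), (2640, 2288), (2640, 2288), (2640, 2288),
    (804, 2864), (804, 2864), (804, 2864), (804, 2864),
]

# Transcribed from "Drops file in Windows directory".
DROPPED = [r"C:\Windows\vbipruzwcrbusx\natpwrbqbj2"]

# Heuristic (assumption of this example): an .exe inside a lowercase
# alphanumeric directory of 8+ characters sitting directly under the drive root.
ROOT_RANDOM_DIR = re.compile(r"^[A-Za-z]:\\([a-z0-9]{8,})\\[^\\]+\.exe$")


def dedupe_edges(events):
    """Collapse repeated (writer, target) pairs into unique edges, keeping order."""
    unique = []
    for edge in events:
        if edge not in unique:
            unique.append(edge)
    return unique


def lineage_from_writes(events):
    """Map each written-to pid to the pid that wrote it (first writer wins)."""
    parent_of = {}
    for writer, target in dedupe_edges(events):
        parent_of.setdefault(target, writer)
    return parent_of


def chains(parent_of):
    """Root-to-leaf pid chains: roots are writers that nobody wrote into."""
    children = defaultdict(list)
    for child, parent in parent_of.items():
        children[parent].append(child)
    roots = [pid for pid in children if pid not in parent_of]
    paths = []

    def walk(pid, path):
        path = path + [pid]
        if not children.get(pid):
            paths.append(path)
        for child in children.get(pid, []):
            walk(child, path)

    for root in sorted(roots):
        walk(root, [])
    return paths


def random_root_dir_processes(processes):
    """pid -> directory name for images matching ROOT_RANDOM_DIR."""
    hits = {}
    for pid, path in processes.items():
        match = ROOT_RANDOM_DIR.match(path)
        if match:
            hits[pid] = match.group(1)
    return hits


def dir_names_reused_under_windows(dropped, processes):
    """Random root-level dir names that reappear as C:\\Windows\\<dir> for dropped files."""
    root_dirs = set(random_root_dir_processes(processes).values())
    reused = set()
    for path in dropped:
        parts = path.split("\\")  # expect ['C:', 'Windows', '<dir>', '<file>']
        if len(parts) >= 4 and parts[1].lower() == "windows" and parts[2] in root_dirs:
            reused.add(parts[2])
    return reused


def summarize(processes=PROCESSES, events=WPM_EVENTS, dropped=DROPPED):
    """One dict with every finding, so callers can assert on it or print it."""
    parent_of = lineage_from_writes(events)
    return {
        "writes_deduped": len(dedupe_edges(events)),
        "chains": chains(parent_of),
        "random_root_dir_pids": sorted(random_root_dir_processes(processes)),
        "reused_dir_names": sorted(dir_names_reused_under_windows(dropped, processes)),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

The write pairs are used only as a lineage hint; they agree with the tree for 2200 -> 804 -> 2864 and add the 2640 -> 2288 link the tree does not draw. For hunting, the durable IoC is not any single file name (all of them look generated) but the pattern: one random directory name used both at the drive root for the executables and under C:\Windows for the dropped file, which is why dir_names_reused_under_windows checks exactly that.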
Network
MITRE ATT&CK Matrix
Downloads
-
Filesize
6B
MD5 0d861899768ebd12044dde0246a47e5c
SHA1 d092cb7fd7bc5c6cfa6e771447a253f3b77c6a0f
SHA256 0471b6bdea3f341b512b8eeba189cfe531024569c75633eb9f4a4f0162fda817
SHA512 536fef34e25b4e327a0e5871ccfafdbd1c406dd13c38a69d05494aff80f033491bf79960ff6e4ded527c4b9a0ec323d4eae12ca6a5ee86143343b6098300f2dc
-
Filesize
4B
MD5 535ff5b1e866a8664253e5cce7aad1e5
SHA1 069784fde0c2ff7004f0e4b7f77217bafd906ab1
SHA256 3fd3a9b05e4de7a1d0cab8cacd5132dbe55a60d731f0c215c5e1f2460acb882f
SHA512 62e0f3958905f04617fa777e45b5249abb8ecdd4786a90b3d9fa9f7c7775f0929cc5e63b4172f08dd9138772ac71a07e77adf13138f24a9c9c22f7bc4939ac2f
-
Filesize
525KB (hashes identical to the submitted sample)
MD5 3acf8f746f2e1a1b5d7681cdfdb72e84
SHA1 37b2379fea3f9feb6092dbe84221cb84fac59776
SHA256 7df1efc18c6787cb6f9d6eb009c7f92f4d7d6fc5404f5b3569f39139acaa3475
SHA512 8f98d1e63a48c8df909df1b9147e828501ce453a3a939f1727b75447b42038351701c54234b3e18ab53dbd362acf054c3cc27eb7c78d2e15b8fbaae08554711e