Analysis
- max time kernel: 122s
- max time network: 146s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 04/01/2024, 20:06
Behavioral task behavioral1
- Sample: 41cafb2243de36687d783137f3324f64.exe
- Resource: win7-20231215-en
Behavioral task behavioral2
- Sample: 41cafb2243de36687d783137f3324f64.exe
- Resource: win10v2004-20231215-en
General
- Target: 41cafb2243de36687d783137f3324f64.exe
- Size: 1.5MB
- MD5: 41cafb2243de36687d783137f3324f64
- SHA1: f298ae4cdaffa491182d1f2bd7cf43666da2ee52
- SHA256: e44f5026c931cd60087d943f52a6f2f88a6a0a224dad2ecfffdbdd017b4c4489
- SHA512: 7d379b86d3820296528699b51db473dbdf0388e92f1412482255a3c619affd1d8eca770cee6fb52a4f545ee4022b6d0d2c5bc3400f118cacfcba768becc7188a
- SSDEEP: 24576:oS0YdMLVvQL87v5KSreuhfg7ONFfuUd12HUL/A+1MIXyHKheY2cW:MYSxQL87B7ThC2zd1cUM4MIlx
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 2348  41cafb2243de36687d783137f3324f64.exe
- Executes dropped EXE (1 IoC)
  pid 2348  41cafb2243de36687d783137f3324f64.exe
- Loads dropped DLL (1 IoC)
  pid 1636  41cafb2243de36687d783137f3324f64.exe
- YARA rule matches (rule: upx, 5 IoCs)
  behavioral1/memory/1636-0-0x0000000000400000-0x00000000008EF000-memory.dmp  upx
  behavioral1/files/0x000d00000001272c-10.dat  upx
  behavioral1/memory/1636-14-0x0000000003510000-0x00000000039FF000-memory.dmp  upx
  behavioral1/files/0x000d00000001272c-13.dat  upx
  behavioral1/memory/2348-17-0x0000000000400000-0x00000000008EF000-memory.dmp  upx
- Suspicious behavior: RenamesItself (1 IoC)
  pid 1636  41cafb2243de36687d783137f3324f64.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid 1636  41cafb2243de36687d783137f3324f64.exe
  pid 2348  41cafb2243de36687d783137f3324f64.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description                        pid   Process                               procid_target
  PID 1636 wrote to memory of 2348   1636  41cafb2243de36687d783137f3324f64.exe  28
  PID 1636 wrote to memory of 2348   1636  41cafb2243de36687d783137f3324f64.exe  28
  PID 1636 wrote to memory of 2348   1636  41cafb2243de36687d783137f3324f64.exe  28
  PID 1636 wrote to memory of 2348   1636  41cafb2243de36687d783137f3324f64.exe  28
Processes
- C:\Users\Admin\AppData\Local\Temp\41cafb2243de36687d783137f3324f64.exe  (PID 1636)
  command line: "C:\Users\Admin\AppData\Local\Temp\41cafb2243de36687d783137f3324f64.exe"
  - Loads dropped DLL
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - child: C:\Users\Admin\AppData\Local\Temp\41cafb2243de36687d783137f3324f64.exe  (PID 2348)
    command line: C:\Users\Admin\AppData\Local\Temp\41cafb2243de36687d783137f3324f64.exe
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
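The Signatures and Processes sections together describe one chain: PID 1636 writes into the memory of its child 2348 four times, both processes are flagged for UnmapMainImage, and the child runs a dropped EXE at the same path and is flagged as deleting itself. The script below is an added example, not part of this report and not the sandbox's own scoring: it parses the WriteProcessMemory rows in the shape the report prints them, joins them with the other signature hits and the process tree (all transcribed from this page), and applies its own heuristic labels to each writer/target pair. The label names and thresholds are this example's assumptions.

```python
import re

# Process tree transcribed from this report: pid -> (image path, parent pid).
PROCESS_TREE = {
    1636: (r"C:\Users\Admin\AppData\Local\Temp\41cafb2243de36687d783137f3324f64.exe", None),
    2348: (r"C:\Users\Admin\AppData\Local\Temp\41cafb2243de36687d783137f3324f64.exe", 1636),
}

# Signature -> pids the report flags for it (transcribed from the Signatures section).
SIGNATURE_HITS = {
    "Deletes itself": {2348},
    "Executes dropped EXE": {2348},
    "Loads dropped DLL": {1636},
    "Suspicious behavior: RenamesItself": {1636},
    "Suspicious use of UnmapMainImage": {1636, 2348},
}

# The four WriteProcessMemory rows as the report prints them
# (description, pid, Process, procid_target), one row per line here.
WRITE_EVENTS_TEXT = """
PID 1636 wrote to memory of 2348 1636 41cafb2243de36687d783137f3324f64.exe 28
PID 1636 wrote to memory of 2348 1636 41cafb2243de36687d783137f3324f64.exe 28
PID 1636 wrote to memory of 2348 1636 41cafb2243de36687d783137f3324f64.exe 28
PID 1636 wrote to memory of 2348 1636 41cafb2243de36687d783137f3324f64.exe 28
"""

WRITE_RE = re.compile(
    r"PID\s+(?P<writer>\d+)\s+wrote to memory of\s+(?P<target>\d+)"
    r"\s+(?P<pid>\d+)\s+(?P<image>\S+)\s+(?P<procid_target>\d+)"
)


def parse_write_events(text):
    """Return one (writer_pid, target_pid, image) tuple per WriteProcessMemory row.

    finditer rather than splitlines, so the rows also parse when a page dump
    has run all four of them together on a single line.
    """
    return [(int(m["writer"]), int(m["target"]), m["image"])
            for m in WRITE_RE.finditer(text)]


def profile_pair(writer, target, events, hits, tree):
    """Collect the facts that classify_pair() keys on for one writer/target pair."""
    unmap = hits.get("Suspicious use of UnmapMainImage", set())
    return {
        "writes": sum(1 for w, t, _ in events if (w, t) == (writer, target)),
        "target_is_child": tree[target][1] == writer,
        "same_image_path": tree[writer][0].lower() == tree[target][0].lower(),
        "target_unmapped_main_image": target in unmap,
        "target_runs_dropped_exe": target in hits.get("Executes dropped EXE", set()),
        "target_deletes_itself": target in hits.get("Deletes itself", set()),
        "writer_renames_itself": writer in hits.get("Suspicious behavior: RenamesItself", set()),
    }


def classify_pair(p):
    """Heuristic labels (this example's own; not the sandbox's verdict)."""
    labels = []
    # Parent writing into a child whose main image was unmapped is the shape
    # of process hollowing; "hollowing-like" because the report shows no
    # section-mapping or thread-context detail that would confirm it.
    if p["writes"] and p["target_is_child"] and p["target_unmapped_main_image"]:
        labels.append("hollowing-like: parent writes into child with unmapped main image")
    # Same path for parent and child, child runs a dropped EXE and is flagged
    # "Deletes itself", parent renamed itself: a drop-and-replace self-copy.
    if (p["same_image_path"] and p["target_runs_dropped_exe"]
            and p["target_deletes_itself"] and p["writer_renames_itself"]):
        labels.append("self-copy: renamed original launched a dropped EXE at its own path")
    return labels


def assess_report(events, hits, tree):
    """Map each (writer, target) pair seen in WriteProcessMemory rows to its labels."""
    pairs = sorted({(w, t) for w, t, _ in events})
    return {pair: classify_pair(profile_pair(*pair, events, hits, tree)) for pair in pairs}


if __name__ == "__main__":
    result = assess_report(parse_write_events(WRITE_EVENTS_TEXT), SIGNATURE_HITS, PROCESS_TREE)
    for pair, labels in result.items():
        print(pair, labels or ["no verdict"])
```

The only pair the rows yield is (1636, 2348), and it receives both labels; the reverse direction, never observed, receives none. On a real feed the three transcribed tables would come from the sandbox's JSON export rather than being typed in, and the labels would be one input to triage, not a verdict on their own.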
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 1KB
  MD5: bae6a4a7f56fca86301e5a3411bc4bea
  SHA1: bcf15e56caa0db890fb1866235705926b4645570
  SHA256: 5fafd55d0ec43c35f1118015a0d018b7b3cfc387eed03f7a3ebd13abc5b9ccd6
  SHA512: 42d0fe33502b025d605bc3ccc9a2e71afa75d12d78078010f84d5765f0898fa405f38ac95a418ca9d2054ea8ab8b85dd9d0d943edd993db90188c68ff2229ea2
- Filesize: 23KB
  MD5: 1b93cd96b20ef5a93a59ee4a117558bc
  SHA1: 8a3cecd9df01dc7644fe708f065c5404557d0d65
  SHA256: e7709868bf6a9d06a73ab710ceac393d86cba3736bd3473f455bab08b86ba465
  SHA512: 74d6d651d236875df24b911f123dc662327a3d1b1b65f5222d08050bbf83550c035f3a97b39608f358d6bda44196bf9453f49e2b7aa2098dc3d9828afc6f61a0