d5bf1d1238bcd9141ead1a17ad06825efe9cf24fdf7ee7c2e35e90ce45b6d065

Analysis

max time kernel
120s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
08-01-2024 08:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4af0345135b9c15bbaa83bbb899f1aa6.exe
Size

2.9MB
MD5

4af0345135b9c15bbaa83bbb899f1aa6
SHA1

16979365303a22fa6f57e17f6e5d201a07d011e7
SHA256

d5bf1d1238bcd9141ead1a17ad06825efe9cf24fdf7ee7c2e35e90ce45b6d065
SHA512

f68bdb408f72e77d2836faddea0368cae3fb8d461eb66a6200243d5ceb90cd65d3e8bc84072286b3433985cec0539cc2c5713b1a31697de5187a7f2573c3a4b5
SSDEEP

49152:C9afAFQ2AgWHek3joDBtJP0N74NH5HUyNRcUsCVOzetdZJ:CB+2uHeEolti4HBUCczzM3

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1684	4af0345135b9c15bbaa83bbb899f1aa6.exe

Executes dropped EXE 1 IoCs

pid	Process
1684	4af0345135b9c15bbaa83bbb899f1aa6.exe

Loads dropped DLL 1 IoCs

pid	Process
2548	4af0345135b9c15bbaa83bbb899f1aa6.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2548-0-0x0000000000400000-0x00000000008EF000-memory.dmp	upx
behavioral1/files/0x0009000000012203-13.dat	upx
behavioral1/files/0x0009000000012203-10.dat	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2548	4af0345135b9c15bbaa83bbb899f1aa6.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2548	4af0345135b9c15bbaa83bbb899f1aa6.exe
1684	4af0345135b9c15bbaa83bbb899f1aa6.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 1684	2548	4af0345135b9c15bbaa83bbb899f1aa6.exe	17
PID 2548 wrote to memory of 1684	2548	4af0345135b9c15bbaa83bbb899f1aa6.exe	17
PID 2548 wrote to memory of 1684	2548	4af0345135b9c15bbaa83bbb899f1aa6.exe	17
PID 2548 wrote to memory of 1684	2548	4af0345135b9c15bbaa83bbb899f1aa6.exe	17

C:\Users\Admin\AppData\Local\Temp\4af0345135b9c15bbaa83bbb899f1aa6.exe
"C:\Users\Admin\AppData\Local\Temp\4af0345135b9c15bbaa83bbb899f1aa6.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Users\Admin\AppData\Local\Temp\4af0345135b9c15bbaa83bbb899f1aa6.exe
  C:\Users\Admin\AppData\Local\Temp\4af0345135b9c15bbaa83bbb899f1aa6.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1684

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4af0345135b9c15bbaa83bbb899f1aa6.exe

Filesize
44KB

MD5
d2bbb9127a37652ea98d6b0411e01050

SHA1
9a3038f602aae179eae1be02035445e22819ef11

SHA256
89362047096f1f5d8cbca1bc9137a9139925679e6ec04bca8b315205b7210c99

SHA512
c8c9054da499adb61287b14d470f931e36c74dc0f432b8acecb3775df275503f8cc77d8aa2be5d0796e9d8cd95dfb7c557dca62e286c55f5ba9839e9b2654b6e

Download Submit
\Users\Admin\AppData\Local\Temp\4af0345135b9c15bbaa83bbb899f1aa6.exe

Filesize
49KB

MD5
66ae0e47bad684a5f477d2f5a0006885

SHA1
55f8979fbfb8cfe0cdbf3d49f27473a2a3704d4b

SHA256
95cccfc962f08199ddb9cc08efed8635d2b03c59305cf510808010f25aaaf2fb

SHA512
e4c38133aeda7da33851039367893c3c70de234c084260822e7a6f2b62c7111f951ec46ef614960479a7feb8a7fbd7d73c1dccfde7d7bbe7e6082ceffc8138b5

Download Submit
memory/1684-22-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/1684-24-0x0000000003410000-0x000000000363A000-memory.dmp

Filesize
2.2MB

Download
memory/1684-17-0x0000000000400000-0x00000000008EF000-memory.dmp

Filesize
4.9MB

Download
memory/1684-16-0x0000000000400000-0x000000000062A000-memory.dmp

Filesize
2.2MB

Download
memory/1684-15-0x0000000001B20000-0x0000000001C53000-memory.dmp

Filesize
1.2MB

Download
memory/1684-30-0x0000000000400000-0x00000000008EF000-memory.dmp

Filesize
4.9MB

Download
memory/2548-1-0x0000000000400000-0x000000000062A000-memory.dmp

Filesize
2.2MB

Download
memory/2548-2-0x00000000002B0000-0x00000000003E3000-memory.dmp

Filesize
1.2MB

Download
memory/2548-0-0x0000000000400000-0x00000000008EF000-memory.dmp

Filesize
4.9MB

Download
memory/2548-14-0x0000000000400000-0x000000000062A000-memory.dmp

Filesize
2.2MB

Download