Analysis
- max time kernel: 143s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09-01-2024 02:14
Behavioral task: behavioral1
- Sample: 49d907527ee9ac241ad73c09cb5527f3.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 49d907527ee9ac241ad73c09cb5527f3.exe
- Resource: win10v2004-20231215-en
General
- Target: 49d907527ee9ac241ad73c09cb5527f3.exe
- Size: 2.7MB
- MD5: 49d907527ee9ac241ad73c09cb5527f3
- SHA1: 8548f550b50c9a038001b78eb1ee56f0b474f5c1
- SHA256: 982b343304af76415b9c290f5e72a78230119b32df10c65b44eec0df1b8feae6
- SHA512: b500e79d2d2e159314abeaef06915a80ba6883abc1168c9e5ec3ebd01e3532b7c1e0a9898b46df377c9d999ff7d16f9ac59d7ce22e651a47aee140c9c944f54d
- SSDEEP: 49152:fKn9qiEy9tyYL+CW7g6pR9ktBc1+Q4YdxSChG38bDUggR9t:izcC9KHktBcwQDM2YIDULHt
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 4700, process 49d907527ee9ac241ad73c09cb5527f3.exe
- Executes dropped EXE (1 IoC)
  pid 4700, process 49d907527ee9ac241ad73c09cb5527f3.exe
- YARA rule matches (resource: yara_rule)
  behavioral2/memory/4596-0-0x0000000000400000-0x00000000008E7000-memory.dmp: upx
  behavioral2/memory/4700-13-0x0000000000400000-0x00000000008E7000-memory.dmp: upx
  behavioral2/files/0x0007000000023203-11.dat: upx
- Suspicious behavior: RenamesItself (1 IoC)
  pid 4596, process 49d907527ee9ac241ad73c09cb5527f3.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid 4596, process 49d907527ee9ac241ad73c09cb5527f3.exe
  pid 4700, process 49d907527ee9ac241ad73c09cb5527f3.exe
- Suspicious use of WriteProcessMemory (3 IoCs; columns: description, pid, Process, procid_target)
  PID 4596 wrote to memory of 4700 | 4596 | 49d907527ee9ac241ad73c09cb5527f3.exe | 27
  PID 4596 wrote to memory of 4700 | 4596 | 49d907527ee9ac241ad73c09cb5527f3.exe | 27
  PID 4596 wrote to memory of 4700 | 4596 | 49d907527ee9ac241ad73c09cb5527f3.exe | 27
Processes
- C:\Users\Admin\AppData\Local\Temp\49d907527ee9ac241ad73c09cb5527f3.exe (command line: "C:\Users\Admin\AppData\Local\Temp\49d907527ee9ac241ad73c09cb5527f3.exe"), PID 4596
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Local\Temp\49d907527ee9ac241ad73c09cb5527f3.exe (command line: C:\Users\Admin\AppData\Local\Temp\49d907527ee9ac241ad73c09cb5527f3.exe), PID 4700
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 435KB
  MD5: 1abf015fd0fb5da239af09c5991f7132
  SHA1: 70d97eb4a4ca064ebf40d83f34bea5757a6aa418
  SHA256: 0d922ac4c79bc8a9a81d224e8ca210f78355b17fb367e9968abbfe3ef72e8aed
  SHA512: 9c91aa55c56ce6f07c896eaf3333fa4e394554a0818e1b5c2a6a0651f7b8287d6fdfe3e01686a7887bdfa6bd83b2b7e6fafc790edab320846065b07ac88cb2ea