Analysis
- max time kernel: 174s
- max time network: 228s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-01-2024 03:07
Behavioral tasks
- behavioral1: sample 4f6a5962c5fd84abb25a96f85797ef12.exe, resource win7-20231215-en
- behavioral2: sample 4f6a5962c5fd84abb25a96f85797ef12.exe, resource win10v2004-20231215-en
General
- Target: 4f6a5962c5fd84abb25a96f85797ef12.exe
- Size: 2.7MB
- MD5: 4f6a5962c5fd84abb25a96f85797ef12
- SHA1: b30a1b4f11fcef12bc2925eec0bd700153118ab8
- SHA256: c3a6627cf7c7fc06d012e622a30027834bb8c2ffc57356a934b70df745560b66
- SHA512: dac7e8e899a05620a154501161629e1f5fc241080b4d133e6f0ecfae5f4e69c674484f8a02962f9c5f0c8bfdfbf6f659e8dde460ad5bf6ace8d2af402f9e4de8
- SSDEEP: 49152:xfmVdy3eAmnlrJqv3iYSHvv648r9fsHAJImSLMW:x6k3eA8bqv3xSPv64i956mSLMW
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 860, process 4f6a5962c5fd84abb25a96f85797ef12.exe
- Executes dropped EXE (1 IoC)
  pid 860, process 4f6a5962c5fd84abb25a96f85797ef12.exe
- UPX packed, yara rule "upx" (3 IoCs)
  behavioral2/memory/3716-0-0x0000000000400000-0x000000000086A000-memory.dmp
  behavioral2/files/0x000a00000002312d-13.dat
  behavioral2/memory/860-15-0x0000000000400000-0x000000000086A000-memory.dmp
- Suspicious behavior: RenamesItself (1 IoC)
  pid 3716, process 4f6a5962c5fd84abb25a96f85797ef12.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid 3716, process 4f6a5962c5fd84abb25a96f85797ef12.exe
  pid 860, process 4f6a5962c5fd84abb25a96f85797ef12.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 3716 wrote to memory of 860 (pid 3716, process 4f6a5962c5fd84abb25a96f85797ef12.exe, procid_target 93)
  PID 3716 wrote to memory of 860 (pid 3716, process 4f6a5962c5fd84abb25a96f85797ef12.exe, procid_target 93)
  PID 3716 wrote to memory of 860 (pid 3716, process 4f6a5962c5fd84abb25a96f85797ef12.exe, procid_target 93)
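The General section lists the sample's digests, and the Signatures section records the yara rule "upx" firing on both processes' memory images and on the dropped .dat. The script below is an added example, not part of the report or of the sandbox's own code: it recomputes the same digest set, compares it with the values copied from the report, and does a cheap static UPX check by walking the PE headers and reading section names. The build_fake_pe helper, the UPX_SECTION_NAMES set and the REPORT_HASHES dictionary are constructed for the example; section names are a weak signal (a UPX build with renamed sections, or a binary repacked afterwards, will not show them), so a miss here is inconclusive while the sandbox's memory-dump rule is the stronger evidence.

```python
import hashlib
import struct

# Section names stock UPX writes into the PE section table (assumed list). This is
# a static stand-in for the sandbox's "upx" yara rule; a renamed or rebuilt UPX
# defeats it, so treat a miss as inconclusive rather than as "not packed".
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", "UPX!"}


def pe_section_names(data: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table and
    return the section names. Returns [] for anything that is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER starts here
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size              # first IMAGE_SECTION_HEADER
    names = []
    for i in range(num_sections):
        raw = data[table + i * 40: table + i * 40 + 8]
        if len(raw) < 8:
            break                             # truncated section table
        names.append(raw.rstrip(b"\0").decode("latin-1"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    return any(n in UPX_SECTION_NAMES for n in pe_section_names(data))


def file_hashes(data: bytes) -> dict:
    """Same digest set the report lists (MD5/SHA1/SHA256/SHA512). ssdeep needs an
    external library and is left out."""
    return {alg: hashlib.new(alg, data).hexdigest()
            for alg in ("md5", "sha1", "sha256", "sha512")}


def triage(data: bytes, known: dict) -> dict:
    """Hash a file, check it against the digests copied from the report, and flag UPX."""
    got = file_hashes(data)
    return {
        "size": len(data),
        "hashes": got,
        "matches_report": all(got[k] == v.lower() for k, v in known.items() if k in got),
        "sections": pe_section_names(data),
        "upx_sections": looks_upx_packed(data),
    }


def build_fake_pe(section_names) -> bytes:
    """Constructed, non-executable PE skeleton (DOS stub, PE signature, COFF header,
    zero-length optional header, section table) so the example runs offline."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew -> right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x0102)
    table = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + table


REPORT_HASHES = {   # copied from the General section of the report
    "md5": "4f6a5962c5fd84abb25a96f85797ef12",
    "sha1": "b30a1b4f11fcef12bc2925eec0bd700153118ab8",
    "sha256": "c3a6627cf7c7fc06d012e622a30027834bb8c2ffc57356a934b70df745560b66",
}

if __name__ == "__main__":
    import sys
    # Pass the real sample path to check it; without one, a constructed PE is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_fake_pe(["UPX0", "UPX1", ".rsrc"])
    print(triage(data, REPORT_HASHES))
```

Run it against the actual sample file to confirm the digests before spending time on a dump; matches_report is the gate that tells you the file on disk is the one the report describes.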
Processes
- C:\Users\Admin\AppData\Local\Temp\4f6a5962c5fd84abb25a96f85797ef12.exe (PID 3716)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4f6a5962c5fd84abb25a96f85797ef12.exe"
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\4f6a5962c5fd84abb25a96f85797ef12.exe (PID 860, child of 3716)
    Command line: C:\Users\Admin\AppData\Local\Temp\4f6a5962c5fd84abb25a96f85797ef12.exe
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
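The process tree shows the sample re-launching itself from the same path: the parent (3716) renames itself and writes into the child's (860) memory, and the child runs as a dropped EXE and deletes a file. As an added example (not part of the report or the sandbox's code), the following Python correlates that chain over a constructed Sysmon-style event list. The two PIDs and the image path are the report's; the parent of 3716, the rename and delete targets, the benign notepad process used as a control, and the two-signal threshold are assumptions made so the example runs offline.

```python
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\4f6a5962c5fd84abb25a96f85797ef12.exe"

# Constructed Sysmon-like event stream mirroring the report's process tree.
# PIDs 3716/860 and the image path come from the report; ppid 1000, the ".old"
# rename target, the delete target and PID 4100 (notepad) are placeholders.
EVENTS = [
    {"ts": 0, "type": "process_create", "pid": 3716, "ppid": 1000, "image": SAMPLE},
    {"ts": 1, "type": "file_rename", "pid": 3716, "src": SAMPLE, "dst": SAMPLE + ".old"},
    {"ts": 2, "type": "file_create", "pid": 3716, "path": SAMPLE},
    {"ts": 3, "type": "process_create", "pid": 860, "ppid": 3716, "image": SAMPLE},
    {"ts": 4, "type": "process_access", "pid": 3716, "target_pid": 860, "op": "WriteProcessMemory"},
    {"ts": 5, "type": "process_create", "pid": 4100, "ppid": 1000, "image": r"C:\Windows\System32\notepad.exe"},
    {"ts": 6, "type": "file_delete", "pid": 860, "path": SAMPLE + ".old"},
]


def detect_self_respawn(events, min_signals=2):
    """Find parent/child pairs that run the same image path and collect the
    supporting signals the report lists for this sample: the parent writing into
    the child's memory, the parent renaming its own image, and either process
    deleting the original or renamed image. A bare self-respawn (one signal) is
    common for updaters, so min_signals=2 (assumed threshold) keeps those quiet."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    findings = []
    for child in procs.values():
        parent = procs.get(child["ppid"])
        if parent is None or parent["image"].lower() != child["image"].lower():
            continue
        pair = {parent["pid"], child["pid"]}
        own = {parent["image"].lower()}          # paths that are "the sample's own file"
        signals = {"self-respawn"}
        # First pass: renames of the image extend the set of own paths, so a
        # later delete of the renamed copy still counts as deleting itself.
        for e in events:
            if e["type"] == "file_rename" and e["pid"] == parent["pid"] and e["src"].lower() in own:
                own.add(e["dst"].lower())
                signals.add("parent-renames-own-image")
        for e in events:
            if (e["type"] == "process_access" and e["pid"] == parent["pid"]
                    and e["target_pid"] == child["pid"] and e.get("op") == "WriteProcessMemory"):
                signals.add("parent-writes-child-memory")
            if e["type"] == "file_delete" and e["pid"] in pair and e["path"].lower() in own:
                signals.add("deletes-own-image")
        if len(signals) >= min_signals:
            findings.append({"parent": parent["pid"], "child": child["pid"],
                             "image": child["image"], "signals": sorted(signals)})
    return findings


def render(findings):
    lines = []
    for f in findings:
        lines.append(f"[{f['parent']} -> {f['child']}] {f['image']}")
        lines.extend(f"    - {s}" for s in f["signals"])
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(detect_self_respawn(EVENTS)))
```

When applied to real Sysmon data, map event ID 1 to process_create, ID 10 (with GrantedAccess covering write) to process_access, ID 11 to file_create and ID 23/26 to file_delete; the image-path comparison is case-insensitive because Windows paths are, and the rename pass runs first so event ordering in the export does not matter.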
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 488KB
  MD5: 33a7a2a0bf32445110c66fe4701fe4a1
  SHA1: 7074c59a9b90bf315cd00cfd42c60ebc10ba665c
  SHA256: 768a1f20092689ae90c8ba8efc01d6724bcfe72606a146abc42cf6983926a0c3
  SHA512: 00230dd0e47d1a2ebeb188f4d252044c1d9ed7b1bf6325fa70ea40ba74db3bffd243953a468c9d857dcea4b8489df3c3b3d1164eb195a4764f31907f75fc6c69