Analysis
- max time kernel: 137s
- max time network: 170s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10/01/2024, 11:20
Behavioral task behavioral1
- Sample: 506b16214cf7a38fbe82cdd1f1c7c7e0.exe
- Resource: win7-20231215-en
Behavioral task behavioral2
- Sample: 506b16214cf7a38fbe82cdd1f1c7c7e0.exe
- Resource: win10v2004-20231215-en
General
- Target: 506b16214cf7a38fbe82cdd1f1c7c7e0.exe
- Size: 2.9MB
- MD5: 506b16214cf7a38fbe82cdd1f1c7c7e0
- SHA1: c1b64bc123509d4951f03218e20eb6c38cafb6e5
- SHA256: 2a57b02f88facc3eb02f32c7cdffbf7a39470a373adb5f36f9457b4fc3e60679
- SHA512: 443736d817206814f3ddccaa36f50808dd8a8f3318ee22ee9a6ce12d79fe5877aaf5cc44efc8635ebecf16413655dd82a96c2fcef3cac247c2f1e7ce8290d045
- SSDEEP: 49152:B6yQufKQPfhezRFkZ8sFe1N74NH5HUyNRcUsCVOzetdZJ:Bd/KGfPZNq4HBUCczzM3
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 3896, process 506b16214cf7a38fbe82cdd1f1c7c7e0.exe
- Executes dropped EXE (1 IoC)
  pid 3896, process 506b16214cf7a38fbe82cdd1f1c7c7e0.exe
- yara_rule upx, matched resources:
  behavioral2/memory/1800-0-0x0000000000400000-0x00000000008EF000-memory.dmp
  behavioral2/files/0x000800000001e0ce-11.dat
  behavioral2/memory/3896-13-0x0000000000400000-0x00000000008EF000-memory.dmp
- Suspicious behavior: RenamesItself (1 IoC)
  pid 1800, process 506b16214cf7a38fbe82cdd1f1c7c7e0.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid 1800, process 506b16214cf7a38fbe82cdd1f1c7c7e0.exe
  pid 3896, process 506b16214cf7a38fbe82cdd1f1c7c7e0.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 1800 wrote to memory of 3896 (pid 1800, process 506b16214cf7a38fbe82cdd1f1c7c7e0.exe, procid_target 91)
  PID 1800 wrote to memory of 3896 (pid 1800, process 506b16214cf7a38fbe82cdd1f1c7c7e0.exe, procid_target 91)
  PID 1800 wrote to memory of 3896 (pid 1800, process 506b16214cf7a38fbe82cdd1f1c7c7e0.exe, procid_target 91)
Processes
- C:\Users\Admin\AppData\Local\Temp\506b16214cf7a38fbe82cdd1f1c7c7e0.exe (PID 1800)
  command line: "C:\Users\Admin\AppData\Local\Temp\506b16214cf7a38fbe82cdd1f1c7c7e0.exe"
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - child process: C:\Users\Admin\AppData\Local\Temp\506b16214cf7a38fbe82cdd1f1c7c7e0.exe (PID 3896)
    command line: C:\Users\Admin\AppData\Local\Temp\506b16214cf7a38fbe82cdd1f1c7c7e0.exe
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 2.9MB
  MD5: 3a7d814e1461b2206a509a81639d9cfa
  SHA1: 944bf6ac16d0a74bf0a71ddca3cb256fc30f5e3a
  SHA256: 473b16e3bfd232b1cc8f5dc231c7826e59478f6c2e678fcfe1a96ab571b31738
  SHA512: 6728ba76976731e4f7858d324c5933b4309a634027679446f8f9268b4dbde692fe7cc5843da710d3f9bf08d938f206267c7009a8fdfa2ac2c88ad381e0822036