Analysis
  Max time kernel: 121s
  Max time network: 123s
  Platform: windows7_x64
  Resource: win7-20231215-en
  Resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  Submitted: 10/01/2024, 20:39
Behavioral task: behavioral1
  Sample: 51900ec709509b977c90bc573fe2439c.exe
  Resource: win7-20231215-en

Behavioral task: behavioral2
  Sample: 51900ec709509b977c90bc573fe2439c.exe
  Resource: win10v2004-20231222-en
General
  Target: 51900ec709509b977c90bc573fe2439c.exe
  Size: 1.5MB
  MD5: 51900ec709509b977c90bc573fe2439c
  SHA1: 9e0868c179daec55f2c4626483bb88939406cb88
  SHA256: 042bb32ab612d4181e7ab7da4b4ebafd57168a3a38f6e6304d8ae61e9ecd05b4
  SHA512: 8e17c024b48bc68a8804e8676578891f4026bcd40a06cad3d30eb0cc94244d74f9dfaf4ef74d210a79f7fcf11d520d679bdb9a3c60f9700bf87adf2e9148b319
  SSDEEP: 24576:Cpwve10TS75+JqcqAxvoOCQU7z3chkfm5i5HjbW:Ch10j2NH3TYi5n
Malware Config
Signatures

Deletes itself (1 IoC)
  PID   Process
  2932  51900ec709509b977c90bc573fe2439c.exe

Executes dropped EXE (1 IoC)
  PID   Process
  2932  51900ec709509b977c90bc573fe2439c.exe

Loads dropped DLL (1 IoC)
  PID   Process
  2008  51900ec709509b977c90bc573fe2439c.exe

YARA rule match: upx (4 resources)
  Resource                                                                     YARA rule
  behavioral1/memory/2008-0-0x0000000000400000-0x00000000008EF000-memory.dmp  upx
  behavioral1/files/0x000d000000012251-10.dat                                  upx
  behavioral1/files/0x000d000000012251-12.dat                                  upx
  behavioral1/files/0x000d000000012251-14.dat                                  upx

Suspicious behavior: RenamesItself (1 IoC)
  PID   Process
  2008  51900ec709509b977c90bc573fe2439c.exe

Suspicious use of UnmapMainImage (2 IoCs)
  PID   Process
  2008  51900ec709509b977c90bc573fe2439c.exe
  2932  51900ec709509b977c90bc573fe2439c.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  Description                       PID   Process                               procid_target
  PID 2008 wrote to memory of 2932  2008  51900ec709509b977c90bc573fe2439c.exe  28
  PID 2008 wrote to memory of 2932  2008  51900ec709509b977c90bc573fe2439c.exe  28
  PID 2008 wrote to memory of 2932  2008  51900ec709509b977c90bc573fe2439c.exe  28
  PID 2008 wrote to memory of 2932  2008  51900ec709509b977c90bc573fe2439c.exe  28
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\51900ec709509b977c90bc573fe2439c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\51900ec709509b977c90bc573fe2439c.exe"
  PID: 2008
  - Loads dropped DLL
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory

  Level 2 (child of PID 2008): C:\Users\Admin\AppData\Local\Temp\51900ec709509b977c90bc573fe2439c.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\51900ec709509b977c90bc573fe2439c.exe
    PID: 2932
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Matrix
Downloads
File 1
  Filesize: 128KB
  MD5: 0a734b412efea82b24e655c413e210f2
  SHA1: 1767a042b47ec42b255e446c72535560cd164a83
  SHA256: e7eb09ac11a45121c6fa3ddd0cb13ef738d9fa8a9da155f1007baf7fdbf154fc
  SHA512: c0f6f59e590414e082db9d2721fc6754ba333aceed91609880caeb2f4526d9ace8a1cc6a688b13290304ada24591d33f6c2b4c68df9313cbee4e7324e03003fc

File 2
  Filesize: 337KB
  MD5: d18584a7d5066e8c47221b29c5b4694a
  SHA1: ce7903ddb24dd1c09257fb2a44fbe01fafa66bb4
  SHA256: 6c7e5b2433b0f5260bc32372b9ea0013b6579119910b758adf0aa73a875845d6
  SHA512: a81c7b56cd0e89c2942a409decb52860be59c2ce8ce1812121fc59b5ec6b4d699729344f24a5b445757e30796d92b51dcced2f6d1a477cc6a4920449596bb6c1

File 3
  Filesize: 1.5MB
  MD5: 84090811303ea52d72efbd1ffdeeef99
  SHA1: 4942e6abf259b63525015c48455cf370f8a86b5a
  SHA256: be36a650cf94a5de37e8635adac54070ab252e4a3e620587e52568e67f8f965a
  SHA512: 5aed10d76e920d4101c611aea560b64f9b0cfdacf8436072357bdf3d6a76c96638294a0ef4181165414d17dd4f3bb585c83025605dd8bf14493cd17956b6f8d9