Analysis
- max time kernel: 118s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 14/01/2024, 03:42
Behavioral task: behavioral1
- Sample: 5a2f31e3a773d48036f8679580fb49f3.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 5a2f31e3a773d48036f8679580fb49f3.exe
- Resource: win10v2004-20231215-en
General
- Target: 5a2f31e3a773d48036f8679580fb49f3.exe
- Size: 2.9MB
- MD5: 5a2f31e3a773d48036f8679580fb49f3
- SHA1: d73bee7c465c480eb623ab439dfa05d5808f4e55
- SHA256: 2f0049d5f00318c3c1621fc94fc6bd2048d5a0b298bb5917afb61e644f40c473
- SHA512: 5db1da39b95553e3589275867dcdd44cefb9a7284019643a45a097d64f38cbb4da85a7a59b4fde5ef414374fe75b02fc618b49ff01c21b968064e14be23ef7ad
- SSDEEP: 49152:QcEuqR8kPm+ZNN5wgd7Vu+0OVCsKGi9s5K3P4M338dB2IBlGuuDVUsdxxjeQZwxs:QckR8ke+ZN/wge+0OCT/gg3gnl/IVUsn
Malware Config
Signatures
- Deletes itself (1 IoCs)
  pid 2520, process 5a2f31e3a773d48036f8679580fb49f3.exe
- Executes dropped EXE (1 IoCs)
  pid 2520, process 5a2f31e3a773d48036f8679580fb49f3.exe
- Loads dropped DLL (1 IoCs)
  pid 2672, process 5a2f31e3a773d48036f8679580fb49f3.exe
- YARA rule matches (resource, yara_rule)
  behavioral1/memory/2672-0-0x0000000000400000-0x00000000008EF000-memory.dmp, upx
  behavioral1/files/0x000d000000012246-12.dat, upx
  behavioral1/files/0x000d000000012246-13.dat, upx
  behavioral1/files/0x000d000000012246-10.dat, upx
- Suspicious behavior: RenamesItself (1 IoCs)
  pid 2672, process 5a2f31e3a773d48036f8679580fb49f3.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid 2672, process 5a2f31e3a773d48036f8679580fb49f3.exe
  pid 2520, process 5a2f31e3a773d48036f8679580fb49f3.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description: PID 2672 wrote to memory of 2520; pid 2672; process 5a2f31e3a773d48036f8679580fb49f3.exe; procid_target 23
  description: PID 2672 wrote to memory of 2520; pid 2672; process 5a2f31e3a773d48036f8679580fb49f3.exe; procid_target 23
  description: PID 2672 wrote to memory of 2520; pid 2672; process 5a2f31e3a773d48036f8679580fb49f3.exe; procid_target 23
  description: PID 2672 wrote to memory of 2520; pid 2672; process 5a2f31e3a773d48036f8679580fb49f3.exe; procid_target 23
Processes
- Process (level 1): C:\Users\Admin\AppData\Local\Temp\5a2f31e3a773d48036f8679580fb49f3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5a2f31e3a773d48036f8679580fb49f3.exe"
  PID: 2672
  Signatures: Loads dropped DLL; Suspicious behavior: RenamesItself; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
  - Child process (level 2): C:\Users\Admin\AppData\Local\Temp\5a2f31e3a773d48036f8679580fb49f3.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\5a2f31e3a773d48036f8679580fb49f3.exe
    PID: 2520
    Signatures: Deletes itself; Executes dropped EXE; Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 173KB
  MD5: e07e9ea7694ceee851a75ad85d29fd41
  SHA1: 2decf4a06ea161a0a39e3f943c8658ad118cc680
  SHA256: ffeecc04bb3d35986d2acd7bf7572ac320b4ce33b248f3a98bc0d7444ee9d9cc
  SHA512: 367f5e0e42a6e5b3e2241e26a95b69304f9d83ac0ea71e7544f6bf5c5d02a81a7001b0c7c4bddfafe2103fb0a3c28637e9b5469bce9e188202118bf9427e94c9
- Filesize: 149KB
  MD5: 41898d8a60cdd58a7598caac5e417326
  SHA1: 5508bcc5271923299bbfc5ce25106efc5ea3d521
  SHA256: a979a54d854e7e452708f02cbcb3003caa97e9fd5ab6c26d891b7b8c47ca7694
  SHA512: c8f0fb3ae097ab2080cd9e6cf7340d01eea702dec5a946d33b9107de9a149b0e557dda632aa1fc8d560caf29c8728a197349b88c7bcdaf6b6c33f31288a75353
- Filesize: 264KB
  MD5: 6a66700f0a9970f51dee5fca41bf237a
  SHA1: b5c0d0d409cdcd430cab0a3316b4bf61c82288ff
  SHA256: 73b48cda1c91dbac8b75b3f008366dd9ff0ffdd0abe4fd160a484352e3535fd4
  SHA512: 3e35ceab876d96593d8094cd305944c09c47eda751ec209e81c541ca4f2e22528b02068fd97d47c3feb4186462f0fc3400ea330bc20ec5741c0f529b2159c434