Analysis
- max time kernel: 141s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-01-2024 16:40
Static task: static1
Behavioral task: behavioral1
Sample: 74fda5d3ad7f7daef1234472e16eb0ce.exe
Resource: win7-20231215-en
General
- Target: 74fda5d3ad7f7daef1234472e16eb0ce.exe
- Size: 56KB
- MD5: 74fda5d3ad7f7daef1234472e16eb0ce
- SHA1: 29a0c05df54c780cb639ad4e53ad7ceaf4844ad1
- SHA256: b593fc0998d4370219b198230d3118d40ddc85c33f8cea5def5f9508b0b2759c
- SHA512: d9b956eef93e743c413e9df0964a2a97f2f22c6c61b4759222348770edaffa4c462f0aebfc72318edafa6ffd168940fa514c1b08923a031c897142c0815818e2
- SSDEEP: 768:vCru/f9Iw/E6zy4n8uZ5tUXMJ+fROUmELY2glEbM3j+rd+fpRiTWNReOO8:71Tzy48untU8fOMEI3jyYfPiuO8
Malware Config
Signatures
- Suspicious use of WriteProcessMemory (9 IoCs)
Processes involved: 74fda5d3ad7f7daef1234472e16eb0ce.exe, cmd.exe, iexpress.exe

description              | pid  | process                               | target process
-------------------------|------|---------------------------------------|---------------
wrote to memory of 2328  | 2924 | 74fda5d3ad7f7daef1234472e16eb0ce.exe  | cmd.exe
wrote to memory of 2328  | 2924 | 74fda5d3ad7f7daef1234472e16eb0ce.exe  | cmd.exe
wrote to memory of 2328  | 2924 | 74fda5d3ad7f7daef1234472e16eb0ce.exe  | cmd.exe
wrote to memory of 4476  | 2328 | cmd.exe                               | iexpress.exe
wrote to memory of 4476  | 2328 | cmd.exe                               | iexpress.exe
wrote to memory of 4476  | 2328 | cmd.exe                               | iexpress.exe
wrote to memory of 396   | 4476 | iexpress.exe                          | makecab.exe
wrote to memory of 396   | 4476 | iexpress.exe                          | makecab.exe
wrote to memory of 396   | 4476 | iexpress.exe                          | makecab.exe
Processes (process tree; the number after each entry is its depth in the tree)

- [1] C:\Users\Admin\AppData\Local\Temp\74fda5d3ad7f7daef1234472e16eb0ce.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\74fda5d3ad7f7daef1234472e16eb0ce.exe"
  Signatures: Suspicious use of WriteProcessMemory
  PID: 2924
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3B15.tmp\1.bat" "C:\Users\Admin\AppData\Local\Temp\74fda5d3ad7f7daef1234472e16eb0ce.exe""
    Signatures: Suspicious use of WriteProcessMemory
    PID: 2328
    - [3] C:\Windows\SysWOW64\iexpress.exe
      Command line: iexpress /n /q /m C:\Users\Admin\AppData\Local\Temp\popup.sed
      Signatures: Suspicious use of WriteProcessMemory
      PID: 4476
- [1] C:\Windows\SysWOW64\makecab.exe
  Command line: C:\Windows\SysWOW64\makecab.exe /f "~%TargetName%.DDF"
  PID: 396
Network
MITRE ATT&CK Matrix
Downloads

- C:\Users\Admin\AppData\Local\Temp\3B15.tmp\1.bat
  Filesize: 1KB
  MD5: 02dba5f37067292355c6d01a57d4ef48
  SHA1: 7c67ab3f99fbf7a53018dd295d2968c525db83d9
  SHA256: 8b74c812ba9e6c536da7edd4101e7e0dddeab8355e5aff095dd31b3f00560242
  SHA512: 12201f949ee3198c8f4b39cc8edf90a114ecf42ddd5383ed0b87e4c78053cd517786dc7af83557e63a0483af74f4c0117d5568441ae761ff6958e758704d602a

- C:\Users\Admin\AppData\Local\Temp\popup.sed
  Filesize: 57KB
  MD5: 92ebb22e9292b7e349906f9f52793572
  SHA1: 88c6c3af5dfe635bee512c0c7449d3fe8cfaac7a
  SHA256: a7327daaf38f890de476a76eb398ab92a87df2d2ff0c4be8c1e74d14ebfc0670
  SHA512: 883d6514dafb93cf7d4982d947683f87056854368cd248a54be6806c4de5e588e533785efe34a0cacfd35837512fbd75b134e7fc1808131c7f675a5b5ed66a30

- C:\Users\Admin\AppData\Local\Temp\~%TargetName%.DDF
  Filesize: 724B
  MD5: c3ca008abd6997c4b036a7e8be75cb2c
  SHA1: 05f7a3527bb04c691b08f040f562582035398829
  SHA256: 29ef6bf47dcc8c67f1abe1b269d3518d6a4ebe125daa1ea460779638cb9782a3
  SHA512: bee0baf3cb83144239077f99f5ca2a6ca7b618f7f51a53e03613ae697e8bc76fa28f5d006296b469be8e1fffeeb35668b5fe87b260b1380cc003815ea9efb083