Analysis

max time kernel: 88s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-01-2024 16:05

Static task: static1
Behavioral task: behavioral1
Sample: 74ee13f7ec4865bf8b36e9a27bce7228.exe
Resource: win7-20231215-en
General

Target: 74ee13f7ec4865bf8b36e9a27bce7228.exe
Size: 385KB
MD5: 74ee13f7ec4865bf8b36e9a27bce7228
SHA1: 4792ddfb9f9f74b5d352e4d609af096d2fd02ec8
SHA256: 14acefa72d83dcd433357ddd2457d3d9b27aaaca78553dfe46aeb0da2b29e336
SHA512: d35ec830bf7cef2bc346556d7f7f89b5694d2722951bda94b715355642070d986100589c12e16800d8c0d9c02eb0d3a60a8bdca787d6d913246471158c221d1c
SSDEEP: 12288:jde79813dOjMP1xPujLWScJQ+ZXKU3V5p0aoYB:j951V7SwQ+J3TwYB
Malware Config
Signatures
- Deletes itself (1 IoC)
  Processes: PID 2428, 74ee13f7ec4865bf8b36e9a27bce7228.exe
- Executes dropped EXE (1 IoC)
  Processes: PID 2428, 74ee13f7ec4865bf8b36e9a27bce7228.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
- Suspicious behavior: RenamesItself (1 IoC)
  Processes: PID 784, 74ee13f7ec4865bf8b36e9a27bce7228.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  Processes: PID 784, 74ee13f7ec4865bf8b36e9a27bce7228.exe; PID 2428, 74ee13f7ec4865bf8b36e9a27bce7228.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description / pid / process / target process):
  PID 784 wrote to memory of 2428 / 784 / 74ee13f7ec4865bf8b36e9a27bce7228.exe / 74ee13f7ec4865bf8b36e9a27bce7228.exe
  (the same entry is recorded three times)
Processes

1. C:\Users\Admin\AppData\Local\Temp\74ee13f7ec4865bf8b36e9a27bce7228.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\74ee13f7ec4865bf8b36e9a27bce7228.exe"
   PID: 784
   - Suspicious behavior: RenamesItself
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\74ee13f7ec4865bf8b36e9a27bce7228.exe (child of PID 784)
      Command line: C:\Users\Admin\AppData\Local\Temp\74ee13f7ec4865bf8b36e9a27bce7228.exe
      PID: 2428
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Local\Temp\74ee13f7ec4865bf8b36e9a27bce7228.exe
  Filesize: 385KB
  MD5: e391b35a5a82a788abe4b94d8ff8b2c9
  SHA1: ccb8f9b25ecd9c03df1c6745dec146be8cbec64a
  SHA256: 3c43c8b40242b7a4c6f61c0f3fbddb287978ee32af71631f526474b507c03199
  SHA512: adc145378a69c4e12225a92ad8c813f9d5b31bcf5f7d73d1023de4e65ec339a6e8a915cb9f5a60c2d5fd1823363d6dcdbed97965fa0876cc6b51a46b9f7d086c

Note: the file captured at the sample's own path carries a different MD5 (e391b35a5a82a788abe4b94d8ff8b2c9) from the submitted sample (74ee13f7ec4865bf8b36e9a27bce7228), which is consistent with the Deletes itself, RenamesItself and Executes dropped EXE signatures above.

memory/784-0-0x0000000000400000-0x0000000000466000-memory.dmp
  Filesize: 408KB

memory/784-1-0x00000000014D0000-0x0000000001536000-memory.dmp
  Filesize: 408KB

memory/784-2-0x0000000000400000-0x000000000045F000-memory.dmp
  Filesize: 380KB

memory/784-11-0x0000000000400000-0x000000000045F000-memory.dmp
  Filesize: 380KB

memory/2428-16-0x0000000001600000-0x0000000001666000-memory.dmp
  Filesize: 408KB

memory/2428-14-0x0000000000400000-0x0000000000466000-memory.dmp
  Filesize: 408KB

memory/2428-20-0x0000000000400000-0x000000000043C000-memory.dmp
  Filesize: 240KB

memory/2428-22-0x0000000004F00000-0x0000000004F5F000-memory.dmp
  Filesize: 380KB

memory/2428-32-0x0000000000400000-0x000000000040E000-memory.dmp
  Filesize: 56KB

memory/2428-37-0x0000000000400000-0x000000000040E000-memory.dmp
  Filesize: 56KB

memory/2428-38-0x000000000C620000-0x000000000C65C000-memory.dmp
  Filesize: 240KB