Analysis
- max time kernel: 131s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-01-2024 16:10

Static task: static1
Behavioral task: behavioral1
Sample: 74f018d8f7f7e46e314b8d4ab0c128c1.exe
Resource: win7-20231129-en
General
- Target: 74f018d8f7f7e46e314b8d4ab0c128c1.exe
- Size: 385KB
- MD5: 74f018d8f7f7e46e314b8d4ab0c128c1
- SHA1: 4fe849a30b7af68c3323dd60c20e81b9c948341f
- SHA256: dab14529caeac755a18561ee147e05db721a0cd6a37d8fe7bdd18bc6141db86f
- SHA512: a6d32dfbeb32dbb48cb930d1d65a0f0c7b32ce1b2a6b2bcf2bd731421edccfa5df176e09384f7aa914d370620c54c60687c86c01b2f6c79cef9b42fbed6cc5c1
- SSDEEP: 6144:79XgntqyzGb9LHRwWMJolZhn+b0gr02M8sFzSKrKkrCDPLDl1B:7pgntqaGbcWrm2xtrrCDPnB
Malware Config
Signatures
- Deletes itself (1 IoCs)
  Processes: 74f018d8f7f7e46e314b8d4ab0c128c1.exe (PID 5092)
- Executes dropped EXE (1 IoCs)
  Processes: 74f018d8f7f7e46e314b8d4ab0c128c1.exe (PID 5092)
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
- Suspicious behavior: RenamesItself (1 IoCs)
  Processes: 74f018d8f7f7e46e314b8d4ab0c128c1.exe (PID 796)
- Suspicious use of UnmapMainImage (2 IoCs)
  Processes: 74f018d8f7f7e46e314b8d4ab0c128c1.exe (PID 796), 74f018d8f7f7e46e314b8d4ab0c128c1.exe (PID 5092)
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description | pid | process | target process):
  PID 796 wrote to memory of 5092 | 796 | 74f018d8f7f7e46e314b8d4ab0c128c1.exe | 74f018d8f7f7e46e314b8d4ab0c128c1.exe
  PID 796 wrote to memory of 5092 | 796 | 74f018d8f7f7e46e314b8d4ab0c128c1.exe | 74f018d8f7f7e46e314b8d4ab0c128c1.exe
  PID 796 wrote to memory of 5092 | 796 | 74f018d8f7f7e46e314b8d4ab0c128c1.exe | 74f018d8f7f7e46e314b8d4ab0c128c1.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\74f018d8f7f7e46e314b8d4ab0c128c1.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\74f018d8f7f7e46e314b8d4ab0c128c1.exe"
  PID: 796
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\74f018d8f7f7e46e314b8d4ab0c128c1.exe (depth 2, child of PID 796)
    Command line: C:\Users\Admin\AppData\Local\Temp\74f018d8f7f7e46e314b8d4ab0c128c1.exe
    PID: 5092
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\74f018d8f7f7e46e314b8d4ab0c128c1.exe
  Filesize: 385KB
  MD5: f85f434679aa8da1211a19a937dcbf20
  SHA1: 6e92384816342992f5a626b1241d459bd30a4780
  SHA256: 7b6743075f487f14759ddc9df7c8e75dee7d28e7b50ee142c2297d221614c005
  SHA512: 402e2188cde7031c2b69bdfad0c3a0432e97ff9044fff63e6fb941d88b4609e1e652e313d35be0199acebd74ae03e6fd18b0985e6774105222495c5c29c4693c
- memory/796-0-0x0000000000400000-0x0000000000466000-memory.dmp
  Filesize: 408KB
- memory/796-1-0x0000000001470000-0x00000000014D6000-memory.dmp
  Filesize: 408KB
- memory/796-2-0x0000000000400000-0x000000000045F000-memory.dmp
  Filesize: 380KB
- memory/796-12-0x0000000000400000-0x000000000045F000-memory.dmp
  Filesize: 380KB
- memory/5092-13-0x0000000000400000-0x0000000000466000-memory.dmp
  Filesize: 408KB
- memory/5092-14-0x00000000014D0000-0x0000000001536000-memory.dmp
  Filesize: 408KB
- memory/5092-21-0x0000000000400000-0x000000000043C000-memory.dmp
  Filesize: 240KB
- memory/5092-20-0x0000000004EC0000-0x0000000004F1F000-memory.dmp
  Filesize: 380KB
- memory/5092-32-0x0000000000400000-0x000000000040E000-memory.dmp
  Filesize: 56KB
- memory/5092-34-0x000000000D660000-0x000000000D69C000-memory.dmp
  Filesize: 240KB
- memory/5092-38-0x0000000000400000-0x000000000040E000-memory.dmp
  Filesize: 56KB