Analysis

max time kernel: 86s
max time network: 123s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-01-2024 16:11

Static task: static1
Behavioral task: behavioral1
Sample: 74f0b768aea7d2b81740278b3e2a1ce3.exe
Resource: win7-20231215-en
General

Target: 74f0b768aea7d2b81740278b3e2a1ce3.exe
Size: 385KB
MD5: 74f0b768aea7d2b81740278b3e2a1ce3
SHA1: 7356217e0d2cc1ef1b15be547a5bd4b342816575
SHA256: 42c58b4a4061e2080418e840c553e3f9b8a6c17af3538c25fa9578a08cfbd223
SHA512: 42ea668cef5ee13b2eaa961c6742268940eb2ffd2b5251e5611ea5a43e6e4be48632bffbe843c3fbab8b0bff28d0e7fed9692d068132bb191c13803554522082
SSDEEP: 12288:W/CqridTWOBw16ABQWquUrVgJSZ22qNu5BIQBB:yrohwxBQKUBgJSI26uY2B
Malware Config

Signatures

- Deletes itself (1 IoCs)
  Processes:
    pid 4964  74f0b768aea7d2b81740278b3e2a1ce3.exe
- Executes dropped EXE (1 IoCs)
  Processes:
    pid 4964  74f0b768aea7d2b81740278b3e2a1ce3.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
- Suspicious behavior: RenamesItself (1 IoCs)
  Processes:
    pid 1704  74f0b768aea7d2b81740278b3e2a1ce3.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  Processes:
    pid 1704  74f0b768aea7d2b81740278b3e2a1ce3.exe
    pid 4964  74f0b768aea7d2b81740278b3e2a1ce3.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description | pid | process | target process):
    PID 1704 wrote to memory of 4964 | 1704 | 74f0b768aea7d2b81740278b3e2a1ce3.exe | 74f0b768aea7d2b81740278b3e2a1ce3.exe
    PID 1704 wrote to memory of 4964 | 1704 | 74f0b768aea7d2b81740278b3e2a1ce3.exe | 74f0b768aea7d2b81740278b3e2a1ce3.exe
    PID 1704 wrote to memory of 4964 | 1704 | 74f0b768aea7d2b81740278b3e2a1ce3.exe | 74f0b768aea7d2b81740278b3e2a1ce3.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\74f0b768aea7d2b81740278b3e2a1ce3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\74f0b768aea7d2b81740278b3e2a1ce3.exe"
  PID: 1704
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\74f0b768aea7d2b81740278b3e2a1ce3.exe (child of PID 1704)
    Command line: C:\Users\Admin\AppData\Local\Temp\74f0b768aea7d2b81740278b3e2a1ce3.exe
    PID: 4964
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Enterprise v15
Downloads

- C:\Users\Admin\AppData\Local\Temp\74f0b768aea7d2b81740278b3e2a1ce3.exe
  Filesize: 88KB
  MD5: 6dd29732bb77fc4508aa59acbe4f40ae
  SHA1: 3f41618a506b715aad201d1c63445b0d8893d9ef
  SHA256: dbcf3b08d151da7df2073be6d156255a1bed2f1045608faa8b99e80e0885524f
  SHA512: 2cf7a769fb98ad68c67dd92f7d42babacd940c1e8938ad6d5157afcb778817290b4b005ea2dc49ee113649421a3124946fe1aa2549f1e55a117c98f7f2fc0d0d
- memory/1704-0-0x0000000000400000-0x0000000000466000-memory.dmp
  Filesize: 408KB
- memory/1704-2-0x0000000000400000-0x000000000045F000-memory.dmp
  Filesize: 380KB
- memory/1704-1-0x0000000000160000-0x00000000001C6000-memory.dmp
  Filesize: 408KB
- memory/1704-12-0x0000000000400000-0x000000000045F000-memory.dmp
  Filesize: 380KB
- memory/4964-14-0x0000000000400000-0x0000000000466000-memory.dmp
  Filesize: 408KB
- memory/4964-16-0x0000000000170000-0x00000000001D6000-memory.dmp
  Filesize: 408KB
- memory/4964-20-0x0000000004F00000-0x0000000004F5F000-memory.dmp
  Filesize: 380KB
- memory/4964-21-0x0000000000400000-0x000000000043C000-memory.dmp
  Filesize: 240KB
- memory/4964-32-0x0000000000400000-0x000000000040E000-memory.dmp
  Filesize: 56KB
- memory/4964-34-0x000000000C620000-0x000000000C65C000-memory.dmp
  Filesize: 240KB
- memory/4964-38-0x0000000000400000-0x000000000040E000-memory.dmp
  Filesize: 56KB