Analysis
Max time kernel: 138s
Max time network: 145s
Platform: windows10-2004_x64
Resource: win10v2004-20231215-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 25-01-2024 16:17

Static task: static1
Behavioral task: behavioral1
Sample: 74f34c71cc649f3761bb37ebc073d1f8.exe
Resource: win7-20231215-en
General
Target: 74f34c71cc649f3761bb37ebc073d1f8.exe
Size: 385KB
MD5: 74f34c71cc649f3761bb37ebc073d1f8
SHA1: 67e7dcbc87279b8f9b0b471744d7d5c89564c997
SHA256: 405fe57ac4c21844b55ef0b26f87bf0ac40ec317051134ad47c32793013a06b4
SHA512: e4c968abf8e5dffbc2ea89680cbc44f485b384ed4f40a6b601b458710612c0551faa1e771fc40f6455f3db2dd994375d22d42de024f189619fc47da2306eed2e
SSDEEP: 6144:fD7w1OQ+95OHOIR0ZYXaO4GSvOZdWmvpLcZSPaYpuMlHPOp6UtUlwbB:fD719eKO4N6dWmBLcZfYjgpElUB
Malware Config
Signatures
- Deletes itself (1 IoC)
  Processes: PID 3100 74f34c71cc649f3761bb37ebc073d1f8.exe
- Executes dropped EXE (1 IoC)
  Processes: PID 3100 74f34c71cc649f3761bb37ebc073d1f8.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
- Suspicious behavior: RenamesItself (1 IoC)
  Processes: PID 1080 74f34c71cc649f3761bb37ebc073d1f8.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  Processes: PID 1080 74f34c71cc649f3761bb37ebc073d1f8.exe; PID 3100 74f34c71cc649f3761bb37ebc073d1f8.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: PID 1080 (74f34c71cc649f3761bb37ebc073d1f8.exe) wrote to the memory of PID 3100 (74f34c71cc649f3761bb37ebc073d1f8.exe); the same source/target pair is recorded three times
Processes
1. C:\Users\Admin\AppData\Local\Temp\74f34c71cc649f3761bb37ebc073d1f8.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\74f34c71cc649f3761bb37ebc073d1f8.exe"
   PID: 1080
   - Suspicious behavior: RenamesItself
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\74f34c71cc649f3761bb37ebc073d1f8.exe (tree depth 2, child of PID 1080)
      Command line: C:\Users\Admin\AppData\Local\Temp\74f34c71cc649f3761bb37ebc073d1f8.exe
      PID: 3100
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\74f34c71cc649f3761bb37ebc073d1f8.exe
  Filesize: 385KB
  MD5: 2f8a06e26113927811c691a90f8c6b13
  SHA1: bdecf93090c1d008723202d2f1e1e3a6cf3e745e
  SHA256: 5a0982ede08e987886e17893eefeed306e681cffc575177b8fa868bffdcb4662
  SHA512: ffaf72fd6a3fd43063919fda6f65feef1d9a42ebd4f57ef034ec43c081fd8c8c5001e1848fd7c89e21d90a647c2d02e13959196c397089ce111378de3f873c42
  Note: this file sits at the same path and has the same size as the submitted sample, but its hashes differ from the sample's (MD5 74f34c71cc649f3761bb37ebc073d1f8 vs 2f8a06e26113927811c691a90f8c6b13), consistent with the RenamesItself, Deletes itself and Executes dropped EXE signatures above.

Memory dumps:
- memory/1080-0-0x0000000000400000-0x0000000000466000-memory.dmp, Filesize: 408KB
- memory/1080-1-0x0000000001620000-0x0000000001686000-memory.dmp, Filesize: 408KB
- memory/1080-2-0x0000000000400000-0x000000000045F000-memory.dmp, Filesize: 380KB
- memory/1080-11-0x0000000000400000-0x000000000045F000-memory.dmp, Filesize: 380KB
- memory/3100-13-0x0000000000400000-0x0000000000466000-memory.dmp, Filesize: 408KB
- memory/3100-14-0x00000000014D0000-0x0000000001536000-memory.dmp, Filesize: 408KB
- memory/3100-21-0x0000000004F20000-0x0000000004F7F000-memory.dmp, Filesize: 380KB
- memory/3100-20-0x0000000000400000-0x000000000043C000-memory.dmp, Filesize: 240KB
- memory/3100-32-0x0000000000400000-0x000000000040E000-memory.dmp, Filesize: 56KB
- memory/3100-34-0x000000000C620000-0x000000000C65C000-memory.dmp, Filesize: 240KB
- memory/3100-38-0x0000000000400000-0x000000000040E000-memory.dmp, Filesize: 56KB