Analysis
- max time kernel: 142s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-01-2024 17:02
Static task: static1
Behavioral task: behavioral1
Sample: 7509f942c933356566bae27d72a0690c.exe
Resource: win7-20231215-en
General
- Target: 7509f942c933356566bae27d72a0690c.exe
- Size: 771KB
- MD5: 7509f942c933356566bae27d72a0690c
- SHA1: c656d983e40f89a63aa75ff79fe8460f6860bfaa
- SHA256: 97e8112850166997a5e5e924206b4f52c382530cea890b1df505af04fe7b408d
- SHA512: b565e2c096e962ae8d9e7275a295a6ae34d5c51dc021e21f9616b874c9db22ec7a9f583c00d05dc2df59bccde941cc8e057e23ef81fdcb66ae9639893cb70fb5
- SSDEEP: 12288:O8QiJ9U5CbCbns51ZMMhX6KfMa9z9PzJLniYZ/C9OFEIif0F6rerfrEhU8zFVMB:OLiJGbnEJhXXz9tvZWqEIz6qrfiTMB
Malware Config
Signatures
- Deletes itself (1 IoCs)
  Processes:
  pid  | process
  1288 | 7509f942c933356566bae27d72a0690c.exe
- Executes dropped EXE (1 IoCs)
  Processes:
  pid  | process
  1288 | 7509f942c933356566bae27d72a0690c.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
- Suspicious behavior: RenamesItself (1 IoCs)
  Processes:
  pid  | process
  3572 | 7509f942c933356566bae27d72a0690c.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  Processes:
  pid  | process
  3572 | 7509f942c933356566bae27d72a0690c.exe
  1288 | 7509f942c933356566bae27d72a0690c.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description                           | pid  | process                              | target process
  PID 3572 wrote to memory of 1288      | 3572 | 7509f942c933356566bae27d72a0690c.exe | 7509f942c933356566bae27d72a0690c.exe
  PID 3572 wrote to memory of 1288      | 3572 | 7509f942c933356566bae27d72a0690c.exe | 7509f942c933356566bae27d72a0690c.exe
  PID 3572 wrote to memory of 1288      | 3572 | 7509f942c933356566bae27d72a0690c.exe | 7509f942c933356566bae27d72a0690c.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\7509f942c933356566bae27d72a0690c.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\7509f942c933356566bae27d72a0690c.exe"
  PID: 3572
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\7509f942c933356566bae27d72a0690c.exe (depth 2, child of PID 3572)
    Command line: C:\Users\Admin\AppData\Local\Temp\7509f942c933356566bae27d72a0690c.exe
    PID: 1288
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\7509f942c933356566bae27d72a0690c.exe
  Filesize: 599KB
  MD5: 518a4a46519b07394eb1b5e26d2fbd71
  SHA1: 47c96d1f3c779d2604135e76f6c8912cfd0c06d9
  SHA256: 8674d5285cbbb6f5ff66339e53f25951b0a81d1e7884f8e15254b8861c4eac65
  SHA512: 09fa6d8e08401e19899486a605aa2a514eabe23c85eeca9b124e9fc6df61ad75bca9e5fa0fe758ab76bfbaf22949c777cf2a47659650cb7b1f38e928f3e2ee23
- memory/1288-13-0x0000000000400000-0x0000000000466000-memory.dmp
  Filesize: 408KB
- memory/1288-16-0x0000000001470000-0x00000000014D6000-memory.dmp
  Filesize: 408KB
- memory/1288-20-0x00000000015D0000-0x000000000162F000-memory.dmp
  Filesize: 380KB
- memory/1288-21-0x0000000000400000-0x000000000043C000-memory.dmp
  Filesize: 240KB
- memory/1288-30-0x0000000000400000-0x000000000040E000-memory.dmp
  Filesize: 56KB
- memory/1288-35-0x000000000C640000-0x000000000C67C000-memory.dmp
  Filesize: 240KB
- memory/1288-36-0x0000000000400000-0x000000000040E000-memory.dmp
  Filesize: 56KB
- memory/3572-0-0x0000000000400000-0x0000000000466000-memory.dmp
  Filesize: 408KB
- memory/3572-1-0x0000000000150000-0x00000000001B6000-memory.dmp
  Filesize: 408KB
- memory/3572-2-0x0000000000400000-0x000000000045F000-memory.dmp
  Filesize: 380KB
- memory/3572-11-0x0000000000400000-0x000000000045F000-memory.dmp
  Filesize: 380KB