d1e127a9aa796d28f59e6ec97049f7024e0053b5fa5d8c71dc12e89161c6b161

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
24-02-2024 06:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a121ff9be7bd71627861f3ca11a85e43.exe
Size

1.5MB
MD5

a121ff9be7bd71627861f3ca11a85e43
SHA1

6a35d0ae71764af69b19cf9459e70eb2348ba02c
SHA256

d1e127a9aa796d28f59e6ec97049f7024e0053b5fa5d8c71dc12e89161c6b161
SHA512

40d99a65e953cd417d66edea43ac1fb31717bfe0cc25c7cfabbd0dd2b0e7ee3902ae078841d3c8029fdf312a4c94028020fdc6897c4029f1c57411f352871e24
SSDEEP

24576:tBvFqdmmSX8ryT+H1BrFX0hpo2Z4zChyxUaJLymtYPWW:t5Qh8myTQUhpfZ4zCqrLGW

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3016	a121ff9be7bd71627861f3ca11a85e43.exe

Executes dropped EXE 1 IoCs

pid	Process
3016	a121ff9be7bd71627861f3ca11a85e43.exe

Loads dropped DLL 1 IoCs

pid	Process
3028	a121ff9be7bd71627861f3ca11a85e43.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3028-0-0x0000000000400000-0x00000000008EF000-memory.dmp	upx
behavioral1/files/0x000900000001224d-10.dat	upx
behavioral1/files/0x000900000001224d-12.dat	upx
behavioral1/files/0x000900000001224d-15.dat	upx
behavioral1/memory/3016-16-0x0000000000400000-0x00000000008EF000-memory.dmp	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3028	a121ff9be7bd71627861f3ca11a85e43.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3028	a121ff9be7bd71627861f3ca11a85e43.exe
3016	a121ff9be7bd71627861f3ca11a85e43.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 3016	3028	a121ff9be7bd71627861f3ca11a85e43.exe	28
PID 3028 wrote to memory of 3016	3028	a121ff9be7bd71627861f3ca11a85e43.exe	28
PID 3028 wrote to memory of 3016	3028	a121ff9be7bd71627861f3ca11a85e43.exe	28
PID 3028 wrote to memory of 3016	3028	a121ff9be7bd71627861f3ca11a85e43.exe	28

C:\Users\Admin\AppData\Local\Temp\a121ff9be7bd71627861f3ca11a85e43.exe
"C:\Users\Admin\AppData\Local\Temp\a121ff9be7bd71627861f3ca11a85e43.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Users\Admin\AppData\Local\Temp\a121ff9be7bd71627861f3ca11a85e43.exe
  C:\Users\Admin\AppData\Local\Temp\a121ff9be7bd71627861f3ca11a85e43.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:3016

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a121ff9be7bd71627861f3ca11a85e43.exe

Filesize
1.5MB

MD5
ee658b652dc7dd2ea2ca4d53f4d0d7b2

SHA1
096f1b01295535959bfb801135cdba5dc8d8cdc4

SHA256
492fd283d1b18bb6c960974796cd1f4c49a50328bec2f26ef872a2b2fcdfddf6

SHA512
8313fe82abe588ad19387acd6079c05c60cbf5fe4f5465ec8582f9143542522bba1ab4d1b56a9337128ab53f32d8dbfa9a9a1e69cc6225124ad7dc6dad75ae2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a121ff9be7bd71627861f3ca11a85e43.exe

Filesize
716KB

MD5
637add793c8d694884b4e3c56a3ed329

SHA1
9afb9cea54002dfaab650320cb849a262cb860aa

SHA256
f2d57c94efa25647008521b8554ed332d4f323ed62de1b9fefec0c936153fe28

SHA512
e4971d55f634e3e5dec5839bd1da58b6720fdc4c80cce96f165523cb6ad35be6e26fe16bb415fa5ed14dd161baa7415421f8594e1a7e26b54f2f4a48d562ccf5

Download Submit
\Users\Admin\AppData\Local\Temp\a121ff9be7bd71627861f3ca11a85e43.exe

Filesize
1.2MB

MD5
034e8d0bdbc0eb5c822cd51c4d21035e

SHA1
2cc1e9a7e79036614e4eeb7052fe079a271c177e

SHA256
5b26c5a1d86b6d33691d2230da18eb9e4c2d7b5c72adf6f66db830814ccd0a73

SHA512
71c304af4efc1d828b85739708e3abfb5b87de2bb63873c49551e370781ee6c03607813d3f384559d33e96caf8b474a6657902fa818fc40b964e8d1af7ce59b1

Download Submit
memory/3016-19-0x0000000001B20000-0x0000000001C53000-memory.dmp

Filesize
1.2MB

Download
memory/3016-32-0x0000000000400000-0x00000000008EF000-memory.dmp

Filesize
4.9MB

Download
memory/3016-24-0x00000000035A0000-0x00000000037CA000-memory.dmp

Filesize
2.2MB

Download
memory/3016-23-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/3016-17-0x0000000000400000-0x000000000062A000-memory.dmp

Filesize
2.2MB

Download
memory/3016-16-0x0000000000400000-0x00000000008EF000-memory.dmp

Filesize
4.9MB

Download
memory/3028-14-0x0000000003800000-0x0000000003CEF000-memory.dmp

Filesize
4.9MB

Download
memory/3028-13-0x0000000000400000-0x000000000062A000-memory.dmp

Filesize
2.2MB

Download
memory/3028-0-0x0000000000400000-0x00000000008EF000-memory.dmp

Filesize
4.9MB

Download
memory/3028-2-0x0000000000400000-0x000000000062A000-memory.dmp

Filesize
2.2MB

Download
memory/3028-31-0x0000000003800000-0x0000000003CEF000-memory.dmp

Filesize
4.9MB

Download
memory/3028-1-0x00000000018F0000-0x0000000001A23000-memory.dmp

Filesize
1.2MB

Download