Analysis
-
max time kernel
131s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20240221-en -
resource tags
arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system -
submitted
25/02/2024, 06:14
Behavioral task
behavioral1
Sample
a315a8e4b26288c75f450072835251f1.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
a315a8e4b26288c75f450072835251f1.exe
Resource
win10v2004-20240221-en
General
-
Target
a315a8e4b26288c75f450072835251f1.exe
-
Size
5.5MB
-
MD5
a315a8e4b26288c75f450072835251f1
-
SHA1
6dd6fb1e604fc0b10bbdbc73ff5f65aa3a93461a
-
SHA256
bedc22b00fad7e6d2aa970363ecce95aac1dd5fa76c41160a995be672d8fdf91
-
SHA512
008cef181d02a0bc75206eac904ecc29366db2500887c6cb0661775aa1163f410bf762d55f3809fc4146191aadaf8f195c68c9ee2dc34a138243f21706d45dab
-
SSDEEP
98304:9I7CZFpDpvdIWXe+q2WWmQNfTBBGzQuKLQ59PzNYMA+M7lQVE9RjBUUqC:9IuZfDpd9e+q2WWmQNLBBGZlrO9QORiZ
Malware Config
Signatures
-
Drops startup file 7 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a315a8e4b26288c75f450072835251f1.exe cmd.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a315a8e4b26288c75f450072835251f1.exe cmd.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a315a8e4b26288c75f450072835251f1.exe cmd.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a315a8e4b26288c75f450072835251f1.exe cmd.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a315a8e4b26288c75f450072835251f1.exe cmd.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a315a8e4b26288c75f450072835251f1.exe cmd.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a315a8e4b26288c75f450072835251f1.exe cmd.exe -
Loads dropped DLL 14 IoCs
pid Process 1724 a315a8e4b26288c75f450072835251f1.exe 1724 a315a8e4b26288c75f450072835251f1.exe 1724 a315a8e4b26288c75f450072835251f1.exe 1724 a315a8e4b26288c75f450072835251f1.exe 1724 a315a8e4b26288c75f450072835251f1.exe 1724 a315a8e4b26288c75f450072835251f1.exe 1724 a315a8e4b26288c75f450072835251f1.exe 1724 a315a8e4b26288c75f450072835251f1.exe 1724 a315a8e4b26288c75f450072835251f1.exe 1724 a315a8e4b26288c75f450072835251f1.exe 1724 a315a8e4b26288c75f450072835251f1.exe 1724 a315a8e4b26288c75f450072835251f1.exe 1724 a315a8e4b26288c75f450072835251f1.exe 1724 a315a8e4b26288c75f450072835251f1.exe -
Detects Pyinstaller 1 IoCs
resource yara_rule behavioral2/files/0x000600000002322f-48.dat pyinstaller -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: 35 1724 a315a8e4b26288c75f450072835251f1.exe Token: SeDebugPrivilege 224 whoami.exe -
Suspicious use of WriteProcessMemory 22 IoCs
description pid Process procid_target PID 3912 wrote to memory of 1724 3912 a315a8e4b26288c75f450072835251f1.exe 88 PID 3912 wrote to memory of 1724 3912 a315a8e4b26288c75f450072835251f1.exe 88 PID 1724 wrote to memory of 2668 1724 a315a8e4b26288c75f450072835251f1.exe 90 PID 1724 wrote to memory of 2668 1724 a315a8e4b26288c75f450072835251f1.exe 90 PID 2668 wrote to memory of 224 2668 cmd.exe 93 PID 2668 wrote to memory of 224 2668 cmd.exe 93 PID 1724 wrote to memory of 3096 1724 a315a8e4b26288c75f450072835251f1.exe 95 PID 1724 wrote to memory of 3096 1724 a315a8e4b26288c75f450072835251f1.exe 95 PID 3096 wrote to memory of 3480 3096 cmd.exe 96 PID 3096 wrote to memory of 3480 3096 cmd.exe 96 PID 1724 wrote to memory of 1832 1724 a315a8e4b26288c75f450072835251f1.exe 97 PID 1724 wrote to memory of 1832 1724 a315a8e4b26288c75f450072835251f1.exe 97 PID 1724 wrote to memory of 2772 1724 a315a8e4b26288c75f450072835251f1.exe 102 PID 1724 wrote to memory of 2772 1724 a315a8e4b26288c75f450072835251f1.exe 102 PID 1724 wrote to memory of 2468 1724 a315a8e4b26288c75f450072835251f1.exe 107 PID 1724 wrote to memory of 2468 1724 a315a8e4b26288c75f450072835251f1.exe 107 PID 1724 wrote to memory of 2972 1724 a315a8e4b26288c75f450072835251f1.exe 109 PID 1724 wrote to memory of 2972 1724 a315a8e4b26288c75f450072835251f1.exe 109 PID 1724 wrote to memory of 2404 1724 a315a8e4b26288c75f450072835251f1.exe 111 PID 1724 wrote to memory of 2404 1724 a315a8e4b26288c75f450072835251f1.exe 111 PID 1724 wrote to memory of 4856 1724 a315a8e4b26288c75f450072835251f1.exe 113 PID 1724 wrote to memory of 4856 1724 a315a8e4b26288c75f450072835251f1.exe 113
Processes
-
C:\Users\Admin\AppData\Local\Temp\a315a8e4b26288c75f450072835251f1.exe"C:\Users\Admin\AppData\Local\Temp\a315a8e4b26288c75f450072835251f1.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3912 -
C:\Users\Admin\AppData\Local\Temp\a315a8e4b26288c75f450072835251f1.exe"C:\Users\Admin\AppData\Local\Temp\a315a8e4b26288c75f450072835251f1.exe"2⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1724 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "whoami"3⤵
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\system32\whoami.exewhoami4⤵
- Suspicious use of AdjustPrivilegeToken
PID:224
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "hostname"3⤵
- Suspicious use of WriteProcessMemory
PID:3096 -
C:\Windows\system32\HOSTNAME.EXEhostname4⤵PID:3480
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "copy C:\Users\Admin\AppData\Local\Temp\a315a8e4b26288c75f450072835251f1.exe "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup""3⤵
- Drops startup file
PID:1832
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "copy C:\Users\Admin\AppData\Local\Temp\a315a8e4b26288c75f450072835251f1.exe "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup""3⤵
- Drops startup file
PID:2772
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "copy C:\Users\Admin\AppData\Local\Temp\a315a8e4b26288c75f450072835251f1.exe "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup""3⤵
- Drops startup file
PID:2468
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "copy C:\Users\Admin\AppData\Local\Temp\a315a8e4b26288c75f450072835251f1.exe "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup""3⤵
- Drops startup file
PID:2972
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "copy C:\Users\Admin\AppData\Local\Temp\a315a8e4b26288c75f450072835251f1.exe "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup""3⤵
- Drops startup file
PID:2404
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "copy C:\Users\Admin\AppData\Local\Temp\a315a8e4b26288c75f450072835251f1.exe "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup""3⤵
- Drops startup file
PID:4856
-
-
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
87KB
MD50e675d4a7a5b7ccd69013386793f68eb
SHA16e5821ddd8fea6681bda4448816f39984a33596b
SHA256bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1
SHA512cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66
-
Filesize
87KB
MD5429ad9f0d7240a1eb9c108b2d7c1382f
SHA1f54e1c1d31f5dd6698e47750daf48b9291b9ea69
SHA256d2571d3a553ea586fb1e5695dd9745caef9f0e30ac5b876d1307678360674f38
SHA512bae51da3560e0a720d45f0741f9992fe0729ead0112a614dba961c50cd6f82ddbdcf7b47aeda4f1093f6654f6db77d767ccddd59d34d2143df54121e9d486760
-
Filesize
130KB
MD5985d2c5623def9d80d1408c01a8628be
SHA1317c298cb2e1728f9c7f14de2f7764c9861be101
SHA2567257178f704cd43e68cd7bc80f9814385b2e5d4f35d6e198ae99dce9f4118976
SHA512be6a9d3465a5e00e6752a4b681fb8ef75126b132965624d4373b8817d68ed11337b068034ebedcfe59fb9486b86a03e67e81badc29375a776f366bf7f834f0dc
-
Filesize
38KB
MD5d61618c28373d7bbdf1dec7ec2b2b1c1
SHA151f4bab84620752aedf7d71dcccb577ed518e9fd
SHA25633c4d06c91166db9ece6e6ad6b9fa1344316f995f7db268bf1b7f9c08ed3e6fb
SHA512ca7ca581c8d8d67f43e7858d7b4859fec1228fd1ba6e63711d508c1ab3477a071d40090fdae6ec0c8d1445e15fbb2fc60154e32e03f8398056388f1148f920de
-
Filesize
251KB
MD55e7a6b749a05dd934ee4471411420053
SHA1fcd1e54011b98928edbb3820a5838568b9573453
SHA2564dcd803319e24ba8c8e3d5ce2e02c209bd14a9ab07a540d6e3ae52f69d01e742
SHA512ce4c5456308adbef0a9d44064aae67b2bb2a913881405ae2e69127eb7ab00a09882fa5304d80d5b3728942b0ab56d1c99132666b6c0ea8809a21396aeaadd8a2
-
Filesize
27KB
MD53f536949d0fcae286b08f6a90d4c5198
SHA104877dff7e8c994e4875a1b85b7388684b97da25
SHA256613c0fc66b1f2f8dccb47f24f1578137a99c5a62550719f0402f13337ad5c60a
SHA512cd59a4a2d839dec513b912e33bd92281a0fdfe0a210ae972cce8b77347e000bb87c8074d8b8cbfeba75158f2b8f3d0669f778fccec0dec936f055616cedbbb4c
-
Filesize
74KB
MD57c5c5e6e4ed888dd26c7aa063bb9f88e
SHA1a7a3694739b27c3d34beb1a9730fc3dcbae6744a
SHA2562bb4e5d711fe521e2c9a80f04d2f745f58561dc35f169e06ea17aabf27d334fe
SHA5129c49c3fe740464f649a0379bdc6bc474cce6a1331f87d2ba2ab489c4545ad7cb311c757af59e8174bb3c87af438a5d47621bd9b2b4750abe128d189d14d80065
-
Filesize
120KB
MD5a3c9649e68206c25eff2d09a0bd323f0
SHA10f485f37ac3960da624b80667410061efe1f888d
SHA256b9100db5d225c4103f781a6ea4074ce76387467c3a4bba2ac5bfc65870ab6123
SHA512aeef27bf73cb7dd96b06c3403fc74c108a8a7d80aa25db35a4b1a96b8931aef63b3037a9a51075ead1e5ad1c001d6afe6f3c3e19af30344177fd562751b00d63
-
Filesize
760KB
MD5f1c1030e6ac4e315ede96b546e9b5612
SHA1c8d6da2cd10710f117b7aabe57a71e43a5bdf1d1
SHA25661cc67509028bbd220d77e009e1145dbecd32e7ed20e22018c751f37010d0951
SHA5123728885f42039f94e356f59d6fe1ed2d7b20239f247d2a3477a1ebd917da24bb70ca94482ef35d66180a216c052c976d8dafd7a563c54afa5cbd123b266f2dc0
-
Filesize
257KB
MD51ba3b44f73a6b25711063ea5232f4883
SHA11b1a84804f896b7085924f8bf0431721f3b5bdbe
SHA256bb77f13d3fbec9e98bbf28ac95046b44196c7d8f55ab7720061e99991a829197
SHA5120dd2a14331308b1de757d56fab43678431e0ad6f5f5b12c32fa515d142bd955f8be690b724e07f41951dd03c9fee00e604f4e0b9309da3ea438c8e9b56ca581b
-
Filesize
2.4MB
MD58c75bca5ea3bea4d63f52369e3694d01
SHA1a0c0fd3d9e5688d75386094979171dbde2ce583a
SHA2568513e629cd85a984e4a30dfe4b3b7502ab87c8bc920825c11035718cb0211ea0
SHA5126d80d26d91b704d50ff3ad74f76d6b1afe98af3d7a18e43011dbe3809adc305b0e382c10868328eb82c9f8b4c77bca1522bdc023c7c8712057b65f6579c9dff5
-
Filesize
511KB
MD50205c08024bf4bb892b9f31d751531a0
SHA160875676bc6f2494f052769aa7d644ef4a28c5e5
SHA256ebe7ffc7eb0b79e29bfc4e408ea27e9b633584dd7bc8e0b5ffc46af19263844b
SHA51245da0c128bfb706cb0340ad40fbc691696f3483a0235faaac864dea4580b57e36aa5b4b55a60322081d2d2e2df788c550fd43c317582a9b6a2d66712df215bd0
-
Filesize
3.6MB
MD528f9065753cc9436305485567ce894b0
SHA136ebb3188a787b63fb17bd01a847511c7b15e88e
SHA2566f2f87b74aea483a0636fc5c480b294a8103b427a3daf450c1e237c2a2271b1a
SHA512c3bbc50afb4a0b625aff28650befd126481018bd0b1b9a56c107e3792641679c7d1bfc8be6c9d0760fff6853f8f114b62490cd3567b06abc76ab7db3f244ab54
-
Filesize
26KB
MD51650617f3378c5bd469906ae1256a54c
SHA1dd89ffd426b6820fd79631e4c99760cb485d3a67
SHA2565724cea789a2ebc148ce277ce042e27432603db2ec64e80b13d37bcb775aee98
SHA51289ecbbf156e2be066c7d4e3e0ecd08c2704b6a796079517c91cf4aa6682040ba07460596aaddc5550c6ec588979dfec010fed4b87e049000caceed26e8f86ffe
-
Filesize
1.0MB
MD52b2156a32b7ef46906517ae49a599c16
SHA1892134a20f118d9326da6c1b98c01f31d771a5d1
SHA2562c5f5abf982e8b4bb5e28d217a5e437907acfb7a7e9ee96cd9fa64c4ba304418
SHA512d6aa25cdfca13db260110b3f34a3d731b325efcaccde5ec36b4f88406841b4ec9c9ab88ad54944eba476772bfd69c3975d9cb1a92994b0ae8e56278353214100
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a315a8e4b26288c75f450072835251f1.exe
Filesize5.5MB
MD5a315a8e4b26288c75f450072835251f1
SHA16dd6fb1e604fc0b10bbdbc73ff5f65aa3a93461a
SHA256bedc22b00fad7e6d2aa970363ecce95aac1dd5fa76c41160a995be672d8fdf91
SHA512008cef181d02a0bc75206eac904ecc29366db2500887c6cb0661775aa1163f410bf762d55f3809fc4146191aadaf8f195c68c9ee2dc34a138243f21706d45dab