Analysis
- max time kernel: 141s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07-03-2024 12:10
Behavioral task: behavioral1
- Sample: b8b391dfda10a19f7dee154c7b4396dd.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: b8b391dfda10a19f7dee154c7b4396dd.exe
- Resource: win10v2004-20240226-en
General
- Target: b8b391dfda10a19f7dee154c7b4396dd.exe
- Size: 2.7MB
- MD5: b8b391dfda10a19f7dee154c7b4396dd
- SHA1: dff59003c2a395493dcc3eecf38f74ae2aad9d93
- SHA256: f43876d45e2792b4e94cc6b2ec125859ec51be4a22b8578aed2e92d073ea57c2
- SHA512: 131a231c47054dce9fe1244ee886c566bac65e945260c9b2c951b8f7547a7a732c1dbdea295cbcac8bcfaa4f1219d5a0cb03d6b3ef69b5757f45e4749ea8b155
- SSDEEP: 49152:fYIELe0g+0KGvizMy3dVcEk+naa71XkziW1LuXHmZGs/U:DELe9+HGUMy3dqZ+nJ0/9uXGZpU
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid   Process
  2120  b8b391dfda10a19f7dee154c7b4396dd.exe
- Executes dropped EXE (1 IoC)
  pid   Process
  2120  b8b391dfda10a19f7dee154c7b4396dd.exe
- YARA rule matches (signature title not captured on the page)
  resource                                                                        yara_rule
  behavioral2/memory/5072-0-0x0000000000400000-0x000000000086A000-memory.dmp      upx
  behavioral2/files/0x000600000002271f-13.dat                                     upx
  behavioral2/memory/2120-15-0x0000000000400000-0x000000000086A000-memory.dmp     upx
- Suspicious behavior: RenamesItself (1 IoC)
  pid   Process
  5072  b8b391dfda10a19f7dee154c7b4396dd.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid   Process
  5072  b8b391dfda10a19f7dee154c7b4396dd.exe
  2120  b8b391dfda10a19f7dee154c7b4396dd.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description                          pid   Process                                procid_target
  PID 5072 wrote to memory of 2120     5072  b8b391dfda10a19f7dee154c7b4396dd.exe   98
  PID 5072 wrote to memory of 2120     5072  b8b391dfda10a19f7dee154c7b4396dd.exe   98
  PID 5072 wrote to memory of 2120     5072  b8b391dfda10a19f7dee154c7b4396dd.exe   98
Processes
- C:\Users\Admin\AppData\Local\Temp\b8b391dfda10a19f7dee154c7b4396dd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b8b391dfda10a19f7dee154c7b4396dd.exe"
  Depth: 1
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID: 5072
  - C:\Users\Admin\AppData\Local\Temp\b8b391dfda10a19f7dee154c7b4396dd.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\b8b391dfda10a19f7dee154c7b4396dd.exe
    Depth: 2
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
    PID: 2120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1044 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
  Depth: 1
  PID: 4004
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 2.4MB
  MD5: 5bc782348ebb8207eef285f9f9d676e6
  SHA1: 1dd05575cb41ccda3b2876a83db2da0557b7eec6
  SHA256: cdcbe0dc27da673f59c506eb68680a4b074c6ee7813956ee8f5bb0d5de832245
  SHA512: 05acd51976bb996a381e31904e1ad27e7eba14a61d11227a241a3f955cbba87bb754db9949f5146e878b721117b7ceb56db3827b954f8f516d7be88ba73e3744