Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07-03-2024 20:20
Behavioral task behavioral1
- Sample: b9910483a93ce128340c2c8f52f707f9.exe
- Resource: win7-20240221-en
Behavioral task behavioral2
- Sample: b9910483a93ce128340c2c8f52f707f9.exe
- Resource: win10v2004-20240226-en
General
- Target: b9910483a93ce128340c2c8f52f707f9.exe
- Size: 2.9MB
- MD5: b9910483a93ce128340c2c8f52f707f9
- SHA1: d805ee52b8546fe4047df2c156d5ea26f060b634
- SHA256: 270905ca19b8c1e8b9d2032a38338158d4e0fcf898eb0e0179e18dab080d22b5
- SHA512: 431afbaae1eecd1d5e1a7462ed0f453b2e34cbb6ffa21308b3b3f5e6f9fb26ae8ec7fe62f7a7e1a1bb20ff6fb2277823335cbbcc7fee5b4b54842cf63e66810a
- SSDEEP: 49152:p7duzulQx/vbDxwfIXoAxFHHN74NH5HUyNRcUsCVOzetdZJ:phP+Puf2JxFHH4HBUCczzM3
Malware Config
Signatures
- Deletes itself (1 IoCs)
  pid 812, process b9910483a93ce128340c2c8f52f707f9.exe
- Executes dropped EXE (1 IoCs)
  pid 812, process b9910483a93ce128340c2c8f52f707f9.exe
- YARA rule matches (resource / yara_rule)
  behavioral2/memory/408-0-0x0000000000400000-0x00000000008EF000-memory.dmp / upx
  behavioral2/files/0x000300000001e9a0-11.dat / upx
  behavioral2/memory/812-13-0x0000000000400000-0x00000000008EF000-memory.dmp / upx
- Suspicious behavior: RenamesItself (1 IoCs)
  pid 408, process b9910483a93ce128340c2c8f52f707f9.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid 408, process b9910483a93ce128340c2c8f52f707f9.exe
  pid 812, process b9910483a93ce128340c2c8f52f707f9.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 408 wrote to memory of 812; pid 408; process b9910483a93ce128340c2c8f52f707f9.exe; procid_target 89
  description: PID 408 wrote to memory of 812; pid 408; process b9910483a93ce128340c2c8f52f707f9.exe; procid_target 89
  description: PID 408 wrote to memory of 812; pid 408; process b9910483a93ce128340c2c8f52f707f9.exe; procid_target 89
Processes
- C:\Users\Admin\AppData\Local\Temp\b9910483a93ce128340c2c8f52f707f9.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\b9910483a93ce128340c2c8f52f707f9.exe"
  PID: 408
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\b9910483a93ce128340c2c8f52f707f9.exe (child of PID 408)
    command line: C:\Users\Admin\AppData\Local\Temp\b9910483a93ce128340c2c8f52f707f9.exe
    PID: 812
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 2.9MB
  MD5: fcb8777b957d53ed550d8fddf679e366
  SHA1: 24cb09963fc05b21aea607f0b72c4b177f41fcbe
  SHA256: d55269f643929b78c8229244f05356641d3ae67e11a822527f3ffb5552f4bade
  SHA512: 3275190bfe5306e77348e737ee993e056d25905f2619ea3c6237a42f2ddfe031c02d347646114da84ed57315651308ab397b099520ba0072f42611ba8331ab9a