c4701a3d88fa6601ab20c839229c41ef494fac5376b6b035f855c12e80fab7a4

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
08/03/2024, 05:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

baa903b29a866004e4929b60dc728ddb.exe
Size

4.8MB
MD5

baa903b29a866004e4929b60dc728ddb
SHA1

503f3f6150db9dcc9e9ad5816f73448ff6400de4
SHA256

c4701a3d88fa6601ab20c839229c41ef494fac5376b6b035f855c12e80fab7a4
SHA512

1b6187f91ab0361d86dbb7f649533574607258c73f2f9ea3e65a30dc0f28651c287db949eb56eda37b5d7f811fa7a2e1819cd4cb6b6a82c8ee0589e800566489
SSDEEP

98304:yffr8qYXZGcWtH3Btfgg3gnl/IVUs1jbKG9TdKAl2jzsgg3gnl/IVUs1jr:yfT0YVBtNgl/iBTTdll0zIgl/iBP

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2156	baa903b29a866004e4929b60dc728ddb.exe

Executes dropped EXE 1 IoCs

pid	Process
2156	baa903b29a866004e4929b60dc728ddb.exe

Loads dropped DLL 1 IoCs

pid	Process
1364	baa903b29a866004e4929b60dc728ddb.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1364-0-0x0000000000400000-0x00000000008EF000-memory.dmp	upx
behavioral1/files/0x0009000000015b6f-10.dat	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1364	baa903b29a866004e4929b60dc728ddb.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1364	baa903b29a866004e4929b60dc728ddb.exe
2156	baa903b29a866004e4929b60dc728ddb.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1364 wrote to memory of 2156	1364	baa903b29a866004e4929b60dc728ddb.exe	28
PID 1364 wrote to memory of 2156	1364	baa903b29a866004e4929b60dc728ddb.exe	28
PID 1364 wrote to memory of 2156	1364	baa903b29a866004e4929b60dc728ddb.exe	28
PID 1364 wrote to memory of 2156	1364	baa903b29a866004e4929b60dc728ddb.exe	28

C:\Users\Admin\AppData\Local\Temp\baa903b29a866004e4929b60dc728ddb.exe
"C:\Users\Admin\AppData\Local\Temp\baa903b29a866004e4929b60dc728ddb.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Users\Admin\AppData\Local\Temp\baa903b29a866004e4929b60dc728ddb.exe
  C:\Users\Admin\AppData\Local\Temp\baa903b29a866004e4929b60dc728ddb.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2156

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\baa903b29a866004e4929b60dc728ddb.exe

Filesize
4.8MB

MD5
8d726cea228b0c6ce7016143bc3f5a01

SHA1
a0d20fb8ff428b6adc7aaf13df24208c1757fbcb

SHA256
220d25de08f45265f1cb76129515933695759d8128dcd4ad1226ed1fb95ac78b

SHA512
3e14975224543e266e88f6129fab7d1c44f6cc6a47c346f1340c2fada57015e6e13d71b2ad5959d8356e520509eb6174862f40406f548c9fb62b5c52be029043

Download Submit
memory/1364-31-0x0000000003C70000-0x000000000415F000-memory.dmp

Filesize
4.9MB

Download
memory/1364-1-0x0000000000240000-0x0000000000373000-memory.dmp

Filesize
1.2MB

Download
memory/1364-2-0x0000000000400000-0x000000000062A000-memory.dmp

Filesize
2.2MB

Download
memory/1364-13-0x0000000000400000-0x000000000062A000-memory.dmp

Filesize
2.2MB

Download
memory/1364-15-0x0000000003C70000-0x000000000415F000-memory.dmp

Filesize
4.9MB

Download
memory/1364-0-0x0000000000400000-0x00000000008EF000-memory.dmp

Filesize
4.9MB

Download
memory/2156-17-0x0000000000400000-0x00000000008EF000-memory.dmp

Filesize
4.9MB

Download
memory/2156-19-0x00000000002B0000-0x00000000003E3000-memory.dmp

Filesize
1.2MB

Download
memory/2156-23-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/2156-24-0x00000000032D0000-0x00000000034FA000-memory.dmp

Filesize
2.2MB

Download
memory/2156-16-0x0000000000400000-0x000000000062A000-memory.dmp

Filesize
2.2MB

Download
memory/2156-32-0x0000000000400000-0x00000000008EF000-memory.dmp

Filesize
4.9MB

Download