182e084c8e61ddeae641303038aa15ac80c9dd3879e56d069c5d9dbb1ec2611d

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09-03-2024 23:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd1c5717dfee369092a0cecf1effcbb9.exe
Size

280KB
MD5

bd1c5717dfee369092a0cecf1effcbb9
SHA1

729de70ca44289c063d4ff62d0688c7c6b3e19ec
SHA256

182e084c8e61ddeae641303038aa15ac80c9dd3879e56d069c5d9dbb1ec2611d
SHA512

c0e2c149346294ce5500a6bbb98f6bdcf44fe6e3dcfd16c448a667c03ccd691c6051d1a3078d6eb21d3eed84bd0cd672b7d40a3d93c43b06be62a697754c8f02
SSDEEP

6144:zbi5/PtiuDqWyyhoB6hU3amF83RoYAscW6uvuDv8EUZK:zOH/qWPhI6yKtBoVWxvuDvRF

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2360	3063.tmp

Loads dropped DLL 3 IoCs

pid	Process
2032	bd1c5717dfee369092a0cecf1effcbb9.exe
2032	bd1c5717dfee369092a0cecf1effcbb9.exe
2032	bd1c5717dfee369092a0cecf1effcbb9.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2032	bd1c5717dfee369092a0cecf1effcbb9.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 2360	2032	bd1c5717dfee369092a0cecf1effcbb9.exe	28
PID 2032 wrote to memory of 2360	2032	bd1c5717dfee369092a0cecf1effcbb9.exe	28
PID 2032 wrote to memory of 2360	2032	bd1c5717dfee369092a0cecf1effcbb9.exe	28
PID 2032 wrote to memory of 2360	2032	bd1c5717dfee369092a0cecf1effcbb9.exe	28
PID 2032 wrote to memory of 2476	2032	bd1c5717dfee369092a0cecf1effcbb9.exe	29
PID 2032 wrote to memory of 2476	2032	bd1c5717dfee369092a0cecf1effcbb9.exe	29
PID 2032 wrote to memory of 2476	2032	bd1c5717dfee369092a0cecf1effcbb9.exe	29
PID 2032 wrote to memory of 2476	2032	bd1c5717dfee369092a0cecf1effcbb9.exe	29

C:\Users\Admin\AppData\Local\Temp\bd1c5717dfee369092a0cecf1effcbb9.exe
"C:\Users\Admin\AppData\Local\Temp\bd1c5717dfee369092a0cecf1effcbb9.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Users\Admin\AppData\Local\Temp\3063.tmp
  C:\Users\Admin\AppData\Local\Temp\3063.tmp
  2⤵
  - Executes dropped EXE
  PID:2360
- C:\Users\Admin\AppData\Local\Temp\bd1c5717dfee369092a0cecf1effcbb9.exe
  "C:\Users\Admin\AppData\Local\Temp\bd1c5717dfee369092a0cecf1effcbb9.exe" --cp "C:\Users\Admin\AppData\Local\Temp\3074.tmp"
  2⤵
  PID:2476

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3074.tmp

Filesize
280KB

MD5
da2106ef131468b33764683b9649ead7

SHA1
4f449581d7e1304f804d9cf9859ff52ecfd0853b

SHA256
ee1c80cadd7c6bd8d2149300b8ba7bfaa61a3441b1deee5d56c08cb2ff048aa4

SHA512
5158d438644ece56e5c18403bd735c461e5eb3a1394095a6410bfe19cac1d9c24878633fccb79fb65e9511e3feccc6f5aff2cffc9d7aa75cd513552ba7965c07

Download Submit
\Users\Admin\AppData\Local\Temp\3063.tmp

Filesize
238KB

MD5
be1783d62bba6e0e477b46a9249ccaa0

SHA1
80e0eca7da761a5525916ae7afed4178f3e3c08b

SHA256
fdea32d9349a02e97d43d26ec68951c29570850830cd10c9cf32aa71502599b0

SHA512
4985fde7bc203c993f8713709601da6544538ee50f4bcec6d5fb789f9d020388e003c4f9cacb7a0edc828de68b5cd8ce528c3571e2e0dbb62032c4bc13b27e8e

Download Submit
memory/2032-0-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2032-4-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2032-16-0x00000000001B0000-0x00000000001FC000-memory.dmp

Filesize
304KB

Download
memory/2032-18-0x00000000001B0000-0x00000000001FC000-memory.dmp

Filesize
304KB

Download
memory/2032-19-0x00000000001B0000-0x00000000001FC000-memory.dmp

Filesize
304KB

Download
memory/2032-17-0x00000000001B0000-0x00000000001FC000-memory.dmp

Filesize
304KB

Download
memory/2360-22-0x0000000000400000-0x000000000043E670-memory.dmp

Filesize
249KB

Download
memory/2360-23-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2476-13-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download