Analysis
max time kernel: 118s
max time network: 126s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 10/03/2024, 10:39
Static task: static1
Behavioral task: behavioral1
  Sample: be66117562e7407349f760c24f2ce06e.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: be66117562e7407349f760c24f2ce06e.exe
  Resource: win10v2004-20240226-en
General
Target: be66117562e7407349f760c24f2ce06e.exe
Size: 189KB
MD5: be66117562e7407349f760c24f2ce06e
SHA1: eab641157b93c85a1167ae873f0070ccb5ecbc96
SHA256: 90e0d081a0014cf7ae16bf7a65c18ff848f9fa5e97fd82cdf931533ed419ae7e
SHA512: 3a5489972cedf1110fccf0a2d1c89c327a528eb0e5b5e3a59bce3044e7273472798222da6395c6d54d470b81a8700c87432fb32589d2b355f88e473386030b7c
SSDEEP: 3072:7i/5O3+EdruLh5T0vsvfN73W1/11OytH0sp5+D6qShDRMf9rcjEVqgjv/p:+xO3+Edr+5QUXccaH02G6qa86jOjHp
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid   Process
  2556  cmd.exe
- Executes dropped EXE (1 IoC)
  pid   Process
  2064  ravsons.exe
- Loads dropped DLL (6 IoCs)
  pid   Process
  2016  be66117562e7407349f760c24f2ce06e.exe
  2016  be66117562e7407349f760c24f2ce06e.exe
  2480  WerFault.exe
  2480  WerFault.exe
  2480  WerFault.exe
  2480  WerFault.exe
- Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  2480  2064        WerFault.exe  28
- Suspicious use of WriteProcessMemory (12 IoCs)
  description                         pid   Process                                procid_target
  PID 2016 wrote to memory of 2064    2016  be66117562e7407349f760c24f2ce06e.exe   28
  PID 2016 wrote to memory of 2064    2016  be66117562e7407349f760c24f2ce06e.exe   28
  PID 2016 wrote to memory of 2064    2016  be66117562e7407349f760c24f2ce06e.exe   28
  PID 2016 wrote to memory of 2064    2016  be66117562e7407349f760c24f2ce06e.exe   28
  PID 2064 wrote to memory of 2480    2064  ravsons.exe                            29
  PID 2064 wrote to memory of 2480    2064  ravsons.exe                            29
  PID 2064 wrote to memory of 2480    2064  ravsons.exe                            29
  PID 2064 wrote to memory of 2480    2064  ravsons.exe                            29
  PID 2016 wrote to memory of 2556    2016  be66117562e7407349f760c24f2ce06e.exe   30
  PID 2016 wrote to memory of 2556    2016  be66117562e7407349f760c24f2ce06e.exe   30
  PID 2016 wrote to memory of 2556    2016  be66117562e7407349f760c24f2ce06e.exe   30
  PID 2016 wrote to memory of 2556    2016  be66117562e7407349f760c24f2ce06e.exe   30
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\be66117562e7407349f760c24f2ce06e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\be66117562e7407349f760c24f2ce06e.exe"
  PID: 2016
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - Level 2: C:\Users\Admin\AppData\Local\Temp\ravsons.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\ravsons.exe
    PID: 2064
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - Level 3: C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 44
      PID: 2480
      - Loads dropped DLL
      - Program crash
  - Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\ddmtrayk2.bat
    PID: 2556
    - Deletes itself
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 182B
  MD5: d09220a16c12777bec368482e0514a56
  SHA1: 9dd7d372d0eb5a0b0cd5c15470b53a7ef4e2c458
  SHA256: 9be83f98fc200661eb27158bf1255a8e4042889afbb53fc3a6783583f7e14426
  SHA512: 8072c722a34d82d7da0dd23e96e94dfb92b3b57c3d8d1aff1a0e6ffa8875eefa190654b9547ae37820374d23885799b319e9b53da974aacd5b731b6bcb4c238b
- Filesize: 100KB
  MD5: 679b974554505fdacd8c79eae2735664
  SHA1: 5975cbab2aae0c10e676dcc51f9cedef5db4413d
  SHA256: d9be6be8ac93fc7e4d1469a97863e6d1b0501c03f5bdd82df4632a52aa5a2bc3
  SHA512: 653cc0755e0ce3bb448e10c5ac3f582b3a1d0aeeb6c1dc0ad586adfc500ca5b6a68bc0e0fd4bc9851d8c78448be1d149d3cc896d439627da2aeff13736ef1427