Analysis
- max time kernel: 144s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10/03/2024, 10:39
Static task: static1
Behavioral task: behavioral1
- Sample: be66117562e7407349f760c24f2ce06e.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: be66117562e7407349f760c24f2ce06e.exe
- Resource: win10v2004-20240226-en
General
- Target: be66117562e7407349f760c24f2ce06e.exe
- Size: 189KB
- MD5: be66117562e7407349f760c24f2ce06e
- SHA1: eab641157b93c85a1167ae873f0070ccb5ecbc96
- SHA256: 90e0d081a0014cf7ae16bf7a65c18ff848f9fa5e97fd82cdf931533ed419ae7e
- SHA512: 3a5489972cedf1110fccf0a2d1c89c327a528eb0e5b5e3a59bce3044e7273472798222da6395c6d54d470b81a8700c87432fb32589d2b355f88e473386030b7c
- SSDEEP: 3072:7i/5O3+EdruLh5T0vsvfN73W1/11OytH0sp5+D6qShDRMf9rcjEVqgjv/p:+xO3+Edr+5QUXccaH02G6qa86jOjHp
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid   Process
  2696  ravsons.exe
- Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  2228  2696        WerFault.exe  95
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   Process                               procid_target
  PID 4000 wrote to memory of 2696  4000  be66117562e7407349f760c24f2ce06e.exe  95
  PID 4000 wrote to memory of 2696  4000  be66117562e7407349f760c24f2ce06e.exe  95
  PID 4000 wrote to memory of 2696  4000  be66117562e7407349f760c24f2ce06e.exe  95
  PID 4000 wrote to memory of 4556  4000  be66117562e7407349f760c24f2ce06e.exe  101
  PID 4000 wrote to memory of 4556  4000  be66117562e7407349f760c24f2ce06e.exe  101
  PID 4000 wrote to memory of 4556  4000  be66117562e7407349f760c24f2ce06e.exe  101
Processes
- C:\Users\Admin\AppData\Local\Temp\be66117562e7407349f760c24f2ce06e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\be66117562e7407349f760c24f2ce06e.exe"
  PID: 4000
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\ravsons.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\ravsons.exe
    PID: 2696
    Signatures: Executes dropped EXE
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2696 -s 236
      PID: 2228
      Signatures: Program crash
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ddmtrayk2.bat
    PID: 4556
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2696 -ip 2696
  PID: 4892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1420 --field-trial-handle=3136,i,3192284747741020952,1225278682167953346,262144 --variations-seed-version /prefetch:8
  PID: 3312
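The process tree and the WriteProcessMemory rows above are the useful part of this report, and the checks an analyst runs over them are mechanical enough to script. The following is an added example, not code from the sandbox or from the sample: it transcribes the Processes and Signatures sections into constructed data, rebuilds parent/child links from the depth column, and runs four checks over them (executable run from a user-writable directory by a parent that also runs from one, WerFault invocations mapped back to the faulting process, script files launched from user-writable paths, and whether each memory write targets the writer's own child). The msedge argument list is shortened, and the "dropped" heuristic is an assumption that stands in for the file-write telemetry the report's own signature uses.

```python
"""Rebuild the process tree and WriteProcessMemory edges from the report above and run
detection checks over them. Added example; PROCESSES and WRITES are transcribed from the report."""
import ntpath
import re
from collections import Counter

# (depth, pid, image, command line). Depth is the level printed after each command line
# in the report: a depth n+1 entry is a child of the nearest preceding depth n entry.
PROCESSES = [
    (1, 4000, r"C:\Users\Admin\AppData\Local\Temp\be66117562e7407349f760c24f2ce06e.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\be66117562e7407349f760c24f2ce06e.exe"'),
    (2, 2696, r"C:\Users\Admin\AppData\Local\Temp\ravsons.exe",
     r"C:\Users\Admin\AppData\Local\Temp\ravsons.exe"),
    (3, 2228, r"C:\Windows\SysWOW64\WerFault.exe",
     r"C:\Windows\SysWOW64\WerFault.exe -u -p 2696 -s 236"),
    (2, 4556, r"C:\Windows\SysWOW64\cmd.exe",
     r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ddmtrayk2.bat"),
    (1, 4892, r"C:\Windows\SysWOW64\WerFault.exe",
     r"C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2696 -ip 2696"),
    (1, 3312, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility'),  # args shortened
]
# "Suspicious use of WriteProcessMemory" rows as (writer pid, target pid).
WRITES = [(4000, 2696)] * 3 + [(4000, 4556)] * 3

USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\")   # prefixes a standard user can write to
SCRIPT_EXT = (".bat", ".cmd", ".vbs", ".js", ".ps1")
WERFAULT_TARGET = re.compile(r"(?:^|\s)-p\s+(\d+)")    # WerFault's -p <pid> of the faulting process


def build_tree(procs=PROCESSES):
    """Return {pid: parent pid or None} from the depth column."""
    parents, last_at_depth = {}, {}
    for depth, pid, _img, _cmd in procs:
        parents[pid] = last_at_depth.get(depth - 1)
        for d in [d for d in last_at_depth if d >= depth]:   # forget deeper stale branches
            del last_at_depth[d]
        last_at_depth[depth] = pid
    return parents


def from_user_writable(path):
    return path.lower().startswith(USER_WRITABLE)


def dropped_exe_candidates(procs=PROCESSES):
    """Child running from a user-writable dir whose parent also does and whose image differs
    from the parent's: the parent is the likely dropper. Heuristic assumption only; the report's
    'Executes dropped EXE' signature is backed by file-write telemetry not reproduced here."""
    parents = build_tree(procs)
    image = {pid: img for _d, pid, img, _cmd in procs}
    return [pid for pid, ppid in parents.items()
            if ppid is not None and from_user_writable(image[pid])
            and from_user_writable(image[ppid]) and image[pid].lower() != image[ppid].lower()]


def crashed_processes(procs=PROCESSES):
    """Map each WerFault.exe invocation back to the faulting pid and that pid's image name."""
    image = {pid: img for _d, pid, img, _cmd in procs}
    crashed = {}
    for _d, _pid, img, cmd in procs:
        if ntpath.basename(img).lower() == "werfault.exe":
            m = WERFAULT_TARGET.search(cmd)
            if m:
                target = int(m.group(1))
                crashed[target] = ntpath.basename(image.get(target, "<unknown>"))
    return crashed


def scripts_from_user_writable(procs=PROCESSES):
    """(pid, script path) for script files launched from user-writable dirs, e.g. cmd.exe /c x.bat."""
    hits = []
    for _d, pid, _img, cmd in procs:
        for tok in cmd.split():
            tok = tok.strip('"')
            if tok.lower().endswith(SCRIPT_EXT) and from_user_writable(tok):
                hits.append((pid, tok))
    return hits


def classify_writes(writes=WRITES, procs=PROCESSES):
    """Group WriteProcessMemory rows by (writer, target). A parent writing a few times into a
    child it just created is what CreateProcess itself does (it writes the new process's startup
    parameters), so such rows are weak evidence on their own; writes into a process the writer
    did not create are the ones to triage as injection."""
    parents = build_tree(procs)
    return {pair: ("own child" if parents.get(pair[1]) == pair[0] else "unrelated process", n)
            for pair, n in Counter(writes).items()}


if __name__ == "__main__":
    for name, fn in [("tree", build_tree), ("dropped", dropped_exe_candidates), ("crashed", crashed_processes),
                     ("scripts", scripts_from_user_writable), ("writes", classify_writes)]:
        print(f"{name}: {fn()}")
```

On this report the checks single out ravsons.exe (PID 2696) as the dropped executable, attribute both WerFault instances to it, pull ddmtrayk2.bat out of the cmd.exe line as a second Temp artifact worth recovering, and show that all six memory writes go from the parent into children it created, which is why the WriteProcessMemory signature alone should not be read as injection.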
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 182B
  MD5: d09220a16c12777bec368482e0514a56
  SHA1: 9dd7d372d0eb5a0b0cd5c15470b53a7ef4e2c458
  SHA256: 9be83f98fc200661eb27158bf1255a8e4042889afbb53fc3a6783583f7e14426
  SHA512: 8072c722a34d82d7da0dd23e96e94dfb92b3b57c3d8d1aff1a0e6ffa8875eefa190654b9547ae37820374d23885799b319e9b53da974aacd5b731b6bcb4c238b
- Filesize: 100KB
  MD5: 679b974554505fdacd8c79eae2735664
  SHA1: 5975cbab2aae0c10e676dcc51f9cedef5db4413d
  SHA256: d9be6be8ac93fc7e4d1469a97863e6d1b0501c03f5bdd82df4632a52aa5a2bc3
  SHA512: 653cc0755e0ce3bb448e10c5ac3f582b3a1d0aeeb6c1dc0ad586adfc500ca5b6a68bc0e0fd4bc9851d8c78448be1d149d3cc896d439627da2aeff13736ef1427