Analysis
max time kernel: 150s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/03/2024, 14:22
Behavioral task behavioral1
  Sample: d3ba7e49677a27af2ab5b031988266b0.exe
  Resource: win7-20240221-en
Behavioral task behavioral2
  Sample: d3ba7e49677a27af2ab5b031988266b0.exe
  Resource: win10v2004-20240226-en
General
Target: d3ba7e49677a27af2ab5b031988266b0.exe
Size: 1.3MB
MD5: d3ba7e49677a27af2ab5b031988266b0
SHA1: 54cd1e5e5993e4e3c72bb54d62e82656166d82f5
SHA256: 13e6301841c1df3d2bb2e30cb237afc8884d3ea9fcd5fea0946cc323325ad4e3
SHA512: 8907c6e305cf68870f4d904ba0d6bd0bd2f5bd3ac4dc34e85f4b0348de2979afa935daca5444d7cc3349140b3ec4766fb4c876ac10811d3a6fe6c55a03fa7b8c
SSDEEP: 24576:yuuL6vubqwK8TYZcxiw47ElfBCHrjB8gGhYCmHkjAQvG:IL6Sqa47ElsZ5GNA
Malware Config
Signatures
Deletes itself (1 IoCs)
  pid   Process
  1860  d3ba7e49677a27af2ab5b031988266b0.exe
Executes dropped EXE (1 IoCs)
  pid   Process
  1860  d3ba7e49677a27af2ab5b031988266b0.exe
  resource                                                                       yara_rule
  behavioral2/memory/1884-0-0x0000000000400000-0x000000000086A000-memory.dmp     upx
  behavioral2/memory/1860-15-0x0000000000400000-0x000000000086A000-memory.dmp    upx
  behavioral2/files/0x0004000000022747-13.dat                                    upx
Suspicious behavior: RenamesItself (1 IoCs)
  pid   Process
  1884  d3ba7e49677a27af2ab5b031988266b0.exe
Suspicious use of UnmapMainImage (2 IoCs)
  pid   Process
  1884  d3ba7e49677a27af2ab5b031988266b0.exe
  1860  d3ba7e49677a27af2ab5b031988266b0.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid   Process                               procid_target
  PID 1884 wrote to memory of 1860  1884  d3ba7e49677a27af2ab5b031988266b0.exe  89
  PID 1884 wrote to memory of 1860  1884  d3ba7e49677a27af2ab5b031988266b0.exe  89
  PID 1884 wrote to memory of 1860  1884  d3ba7e49677a27af2ab5b031988266b0.exe  89
Processes
1. C:\Users\Admin\AppData\Local\Temp\d3ba7e49677a27af2ab5b031988266b0.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\d3ba7e49677a27af2ab5b031988266b0.exe"
   PID: 1884
   - Suspicious behavior: RenamesItself
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\d3ba7e49677a27af2ab5b031988266b0.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\d3ba7e49677a27af2ab5b031988266b0.exe
      PID: 1860
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 1.3MB
MD5: c4fb12af237a634766733c9dc9931d7b
SHA1: 8632271ea30d3cfd40c0f0771db3fcd682bb3f39
SHA256: 44a54ff4195a31c25e6183e3f1f72b709c49914d82cef9d36ef7c7499eda5bb5
SHA512: f4745d6bfda723c088418356d4b53d7d984b42a803d788e3b5383f8956191380f6b7cd6e6cf6bcc79320d0daa4576873c53807289f58d1b06a019ce313054689