a41516a076e57cbaa454ee3cb1598cda04605638301dab909086dbe592708394

Analysis

max time kernel
120s
max time network
129s
platform
windows7_x64
resource
win7-20240319-en
resource tags

arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system
submitted
19-03-2024 19:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d6f71a2259cdccd72bd1d1f5c6b80bde.exe
Size

1.5MB
MD5

d6f71a2259cdccd72bd1d1f5c6b80bde
SHA1

66bfeaee0e2687be1a23ff395e8a3f3907e1838d
SHA256

a41516a076e57cbaa454ee3cb1598cda04605638301dab909086dbe592708394
SHA512

bb85da4e0222b00cf779b11bd3d93a5ac9162b8e1fb08fd86249d22093b3c78c51ecac256c8d6feaf962a8551204ac2110b881c7ecbc7b4d7be5ada616428d2d
SSDEEP

24576:RKZ34vK/gpFavxr3tiif1XWYaqnJpHhtYMjPoz4nJXhIbf/5yL+M0W:RMIve8Fto1QqltYFz4nHIQ6M0

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1640	d6f71a2259cdccd72bd1d1f5c6b80bde.exe

Executes dropped EXE 1 IoCs

pid	Process
1640	d6f71a2259cdccd72bd1d1f5c6b80bde.exe

Loads dropped DLL 1 IoCs

pid	Process
1900	d6f71a2259cdccd72bd1d1f5c6b80bde.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1900-0-0x0000000000400000-0x00000000008EF000-memory.dmp	upx
behavioral1/files/0x00090000000121cc-10.dat	upx
behavioral1/files/0x00090000000121cc-12.dat	upx
behavioral1/files/0x00090000000121cc-15.dat	upx
behavioral1/memory/1640-16-0x0000000000400000-0x00000000008EF000-memory.dmp	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1900	d6f71a2259cdccd72bd1d1f5c6b80bde.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1900	d6f71a2259cdccd72bd1d1f5c6b80bde.exe
1640	d6f71a2259cdccd72bd1d1f5c6b80bde.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 1640	1900	d6f71a2259cdccd72bd1d1f5c6b80bde.exe	28
PID 1900 wrote to memory of 1640	1900	d6f71a2259cdccd72bd1d1f5c6b80bde.exe	28
PID 1900 wrote to memory of 1640	1900	d6f71a2259cdccd72bd1d1f5c6b80bde.exe	28
PID 1900 wrote to memory of 1640	1900	d6f71a2259cdccd72bd1d1f5c6b80bde.exe	28

C:\Users\Admin\AppData\Local\Temp\d6f71a2259cdccd72bd1d1f5c6b80bde.exe
"C:\Users\Admin\AppData\Local\Temp\d6f71a2259cdccd72bd1d1f5c6b80bde.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Users\Admin\AppData\Local\Temp\d6f71a2259cdccd72bd1d1f5c6b80bde.exe
  C:\Users\Admin\AppData\Local\Temp\d6f71a2259cdccd72bd1d1f5c6b80bde.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1640

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d6f71a2259cdccd72bd1d1f5c6b80bde.exe

Filesize
320KB

MD5
e862b45ea0d9521536f19f67e73b2d43

SHA1
88a47d4e4100379731debd0fec32b59cd1231810

SHA256
f0cfaab0c96a1abd5703b0952e618118c433be3440ebabfc203b6d01f71ed4d2

SHA512
c2bc2bc15d9dbd615a9fadff1aad00bfdd033fecb009668c0ec2c9cb88de38a48d6946ec1e6c8e508c9ff01b403cd75844d9cb0b6d01fcfe28eb87d7492e0eb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\d6f71a2259cdccd72bd1d1f5c6b80bde.exe

Filesize
1.5MB

MD5
3b1f28f563c32567aa43d5bf437b15f9

SHA1
80444b2d3dc898d17298701d7b3f5e5fc971e11c

SHA256
195e410d29f5c03fd9e61ee5c694006798da6e86b012292062b10b14b2a0659e

SHA512
87f661af96d98c63420ed65aacaba244651c3e7d94e782219aea41c92756708bddbe70897cf8443f07373dbab05bf1b3e4d5e7c69daba08c9466276030da3006

Download Submit
\Users\Admin\AppData\Local\Temp\d6f71a2259cdccd72bd1d1f5c6b80bde.exe

Filesize
384KB

MD5
5fe6b74224c3ffad0bf06de5431b935f

SHA1
0320628b7773bc4f33cf508fc9f1baf34e23d427

SHA256
3e270abfd360642ea2971e721cb373f6cda0081b06d4658e513e62c15692cf22

SHA512
869da4465f488eaae270b095c4fa2a599effa0ac9bcf3bd2dd21508dfdc460ca6eaa717b15794e8e46f1dba3749e94959529e1def80ea27888ac34a98442a401

Download Submit
memory/1640-16-0x0000000000400000-0x00000000008EF000-memory.dmp

Filesize
4.9MB

Download
memory/1640-18-0x0000000001B20000-0x0000000001C53000-memory.dmp

Filesize
1.2MB

Download
memory/1640-17-0x0000000000400000-0x000000000062A000-memory.dmp

Filesize
2.2MB

Download
memory/1640-23-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/1640-24-0x0000000003410000-0x000000000363A000-memory.dmp

Filesize
2.2MB

Download
memory/1640-31-0x0000000000400000-0x00000000008EF000-memory.dmp

Filesize
4.9MB

Download
memory/1900-2-0x0000000001B20000-0x0000000001C53000-memory.dmp

Filesize
1.2MB

Download
memory/1900-1-0x0000000000400000-0x000000000062A000-memory.dmp

Filesize
2.2MB

Download
memory/1900-0-0x0000000000400000-0x00000000008EF000-memory.dmp

Filesize
4.9MB

Download
memory/1900-14-0x0000000003510000-0x00000000039FF000-memory.dmp

Filesize
4.9MB

Download
memory/1900-13-0x0000000000400000-0x000000000062A000-memory.dmp

Filesize
2.2MB

Download