3a6fe2e056ccfeead8d38f2347db08d385a087fa8d17f6a8183e5cc10baaff98

Analysis

max time kernel
141s
max time network
142s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
26-03-2024 10:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dee9927780245873a179f0ac37e2e20f.exe
Size

3.9MB
MD5

dee9927780245873a179f0ac37e2e20f
SHA1

292e6dc6193983f2dc4240fb9ae94cf61d4f1bcd
SHA256

3a6fe2e056ccfeead8d38f2347db08d385a087fa8d17f6a8183e5cc10baaff98
SHA512

b3bb6bd21f2466c303e7ad4eb68ddc0524f2b0b351b39af74282d0ebc857590a9d0f09cb264c58ee86dcef34f4f195dcc32fd3d68377a8dc6b8a9f1e84e06a00
SSDEEP

98304:wgVp7D0Jl4Megg3gnl/IVUt4pJWzZtIygg3gnl/IVUV:wIn0Jl4Mqgl/iwgWttJgl/iG

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1632	dee9927780245873a179f0ac37e2e20f.exe

Executes dropped EXE 1 IoCs

pid	Process
1632	dee9927780245873a179f0ac37e2e20f.exe

Loads dropped DLL 1 IoCs

pid	Process
824	dee9927780245873a179f0ac37e2e20f.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/824-0-0x0000000000400000-0x00000000008EF000-memory.dmp	upx
behavioral1/files/0x000c0000000122f0-13.dat	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
824	dee9927780245873a179f0ac37e2e20f.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
824	dee9927780245873a179f0ac37e2e20f.exe
1632	dee9927780245873a179f0ac37e2e20f.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 824 wrote to memory of 1632	824	dee9927780245873a179f0ac37e2e20f.exe	28
PID 824 wrote to memory of 1632	824	dee9927780245873a179f0ac37e2e20f.exe	28
PID 824 wrote to memory of 1632	824	dee9927780245873a179f0ac37e2e20f.exe	28
PID 824 wrote to memory of 1632	824	dee9927780245873a179f0ac37e2e20f.exe	28

C:\Users\Admin\AppData\Local\Temp\dee9927780245873a179f0ac37e2e20f.exe
"C:\Users\Admin\AppData\Local\Temp\dee9927780245873a179f0ac37e2e20f.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:824
- C:\Users\Admin\AppData\Local\Temp\dee9927780245873a179f0ac37e2e20f.exe
  C:\Users\Admin\AppData\Local\Temp\dee9927780245873a179f0ac37e2e20f.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1632

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dee9927780245873a179f0ac37e2e20f.exe

Filesize
3.9MB

MD5
b301be73ee0d19fd38a6a8919c7c2d44

SHA1
45f36f4c9a6261746e424c32302fa79f751d6bde

SHA256
2ec9ec895d2177dc8f8766209b30766593d3dd8ae43edaea317f761c43bf9e16

SHA512
a02d547673d5f1e67b65755812084efd7594598c38e25666d239975c408181d0f83c156726e1190d480c8b0af8d32ca4c6acd13b8be8f87c49b18a1b88d59d3d

Download Submit
memory/824-14-0x0000000000400000-0x000000000062A000-memory.dmp

Filesize
2.2MB

Download
memory/824-2-0x0000000001B20000-0x0000000001C53000-memory.dmp

Filesize
1.2MB

Download
memory/824-1-0x0000000000400000-0x000000000062A000-memory.dmp

Filesize
2.2MB

Download
memory/824-15-0x00000000039F0000-0x0000000003EDF000-memory.dmp

Filesize
4.9MB

Download
memory/824-31-0x00000000039F0000-0x0000000003EDF000-memory.dmp

Filesize
4.9MB

Download
memory/824-0-0x0000000000400000-0x00000000008EF000-memory.dmp

Filesize
4.9MB

Download
memory/1632-16-0x0000000000400000-0x000000000062A000-memory.dmp

Filesize
2.2MB

Download
memory/1632-19-0x0000000000260000-0x0000000000393000-memory.dmp

Filesize
1.2MB

Download
memory/1632-23-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/1632-24-0x0000000003680000-0x00000000038AA000-memory.dmp

Filesize
2.2MB

Download
memory/1632-17-0x0000000000400000-0x00000000008EF000-memory.dmp

Filesize
4.9MB

Download
memory/1632-32-0x0000000000400000-0x00000000008EF000-memory.dmp

Filesize
4.9MB

Download