Analysis
- max time kernel: 119s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 26-03-2024 10:36
Static task
- static1
Behavioral task
- behavioral1
  Sample: def456b9b481b210ab6ee7e26b75d32e.exe
  Resource: win7-20240221-en
Behavioral task
- behavioral2
  Sample: def456b9b481b210ab6ee7e26b75d32e.exe
  Resource: win10v2004-20240226-en
General
- Target: def456b9b481b210ab6ee7e26b75d32e.exe
- Size: 241KB
- MD5: def456b9b481b210ab6ee7e26b75d32e
- SHA1: 05823d63ac1c738b55c3a23e53ec1fa411609a5e
- SHA256: d427f23a8f25e6b92f4731873f9f25a996a91b97c15d94630a4edc75af5f49e5
- SHA512: c92d27523b49cf11219352efd071ff1010570874ace16628a1f3864f9e86ec58f823f67ba51a0d0ece0e6944d192dacbb60f1e1ef0bbe3116a852110758c0352
- SSDEEP: 6144:pRgym92YGB+40vPLGPA4VyKgachomI69VaxY5:j6fu+40vPMV219Vj5
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid   Process
  2552  winvnc.exe
- Loads dropped DLL (5 IoCs)
  pid   Process
  292   def456b9b481b210ab6ee7e26b75d32e.exe
  292   def456b9b481b210ab6ee7e26b75d32e.exe
  2552  winvnc.exe
  2552  winvnc.exe
  2552  winvnc.exe
- Suspicious use of FindShellTrayWindow (3 IoCs)
  pid   Process
  2552  winvnc.exe
  2552  winvnc.exe
  2552  winvnc.exe
- Suspicious use of SendNotifyMessage (3 IoCs)
  pid   Process
  2552  winvnc.exe
  2552  winvnc.exe
  2552  winvnc.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  description                        pid  Process                               procid_target
  PID 292 wrote to memory of 2552    292  def456b9b481b210ab6ee7e26b75d32e.exe  28
  PID 292 wrote to memory of 2552    292  def456b9b481b210ab6ee7e26b75d32e.exe  28
  PID 292 wrote to memory of 2552    292  def456b9b481b210ab6ee7e26b75d32e.exe  28
  PID 292 wrote to memory of 2552    292  def456b9b481b210ab6ee7e26b75d32e.exe  28
  PID 292 wrote to memory of 2552    292  def456b9b481b210ab6ee7e26b75d32e.exe  28
  PID 292 wrote to memory of 2552    292  def456b9b481b210ab6ee7e26b75d32e.exe  28
  PID 292 wrote to memory of 2552    292  def456b9b481b210ab6ee7e26b75d32e.exe  28
Processes
- C:\Users\Admin\AppData\Local\Temp\def456b9b481b210ab6ee7e26b75d32e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\def456b9b481b210ab6ee7e26b75d32e.exe"
  PID: 292
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\7zS1371.tmp\winvnc.exe
    Command line: .\winvnc.exe
    PID: 2552
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix
Downloads