1fe8ea82da779acd9a142c238d4624b444176e1ce54fbd5689c47406357dbd78

Analysis

max time kernel
117s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27/03/2024, 13:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1bd141dc7d48128d27f10ff1b27f5b3.exe
Size

2.9MB
MD5

e1bd141dc7d48128d27f10ff1b27f5b3
SHA1

1b90835a7f3a1a3f05d7bb84c287eb31650b7b33
SHA256

1fe8ea82da779acd9a142c238d4624b444176e1ce54fbd5689c47406357dbd78
SHA512

f92fac630c39df3e6e309e397291e55b10410b751e9c0740b3f2ae31ad2be6128d825fe8138dca77136042f5fb87af2a73686cfe5ea4409e3919eb8d8a5eb6e2
SSDEEP

49152:Y4hBPcz45QXs1iJ+S/SjiMOmN74NH5HUyNRcUsCVOzetdZJ:DBcVs1s+S/Sjpb4HBUCczzM3

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2992	e1bd141dc7d48128d27f10ff1b27f5b3.exe

Executes dropped EXE 1 IoCs

pid	Process
2992	e1bd141dc7d48128d27f10ff1b27f5b3.exe

Loads dropped DLL 1 IoCs

pid	Process
3012	e1bd141dc7d48128d27f10ff1b27f5b3.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3012-0-0x0000000000400000-0x00000000008EF000-memory.dmp	upx
behavioral1/files/0x000b00000001224c-10.dat	upx
behavioral1/files/0x000b00000001224c-13.dat	upx
behavioral1/files/0x000b00000001224c-12.dat	upx
behavioral1/memory/3012-15-0x00000000038F0000-0x0000000003DDF000-memory.dmp	upx
behavioral1/memory/2992-16-0x0000000000400000-0x00000000008EF000-memory.dmp	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3012	e1bd141dc7d48128d27f10ff1b27f5b3.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3012	e1bd141dc7d48128d27f10ff1b27f5b3.exe
2992	e1bd141dc7d48128d27f10ff1b27f5b3.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 2992	3012	e1bd141dc7d48128d27f10ff1b27f5b3.exe	28
PID 3012 wrote to memory of 2992	3012	e1bd141dc7d48128d27f10ff1b27f5b3.exe	28
PID 3012 wrote to memory of 2992	3012	e1bd141dc7d48128d27f10ff1b27f5b3.exe	28
PID 3012 wrote to memory of 2992	3012	e1bd141dc7d48128d27f10ff1b27f5b3.exe	28

C:\Users\Admin\AppData\Local\Temp\e1bd141dc7d48128d27f10ff1b27f5b3.exe
"C:\Users\Admin\AppData\Local\Temp\e1bd141dc7d48128d27f10ff1b27f5b3.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Users\Admin\AppData\Local\Temp\e1bd141dc7d48128d27f10ff1b27f5b3.exe
  C:\Users\Admin\AppData\Local\Temp\e1bd141dc7d48128d27f10ff1b27f5b3.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2992

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e1bd141dc7d48128d27f10ff1b27f5b3.exe

Filesize
818KB

MD5
3600c415e6dbee468688bc05e926918c

SHA1
8b5f7b09382d3380edc2dc2a99b48d15fc113f3a

SHA256
dbc0b0890ba486afd4b477665b03486491d490a791065e8521032c55e1eabe30

SHA512
721b420bee40ebd03c7843536a593915bd1d80fc5fe33df586e242310d4c2ac22ee2aeb2a183065ba9409cc44831a0dcb54e167905a52e2698350833a0cac128

Download Submit
C:\Users\Admin\AppData\Local\Temp\e1bd141dc7d48128d27f10ff1b27f5b3.exe

Filesize
294KB

MD5
20c1d463bb6d01fd0988e65ff39ee4d4

SHA1
8714a4ad5041d03f8dc89d196475a703068d8a8e

SHA256
5621e358d6e7d86b6b33dc4631e73aff114200c7cf3d3f9b84a477def1cba466

SHA512
4b22506dfa6e25c9b8753f629bbeb6c0d3478f9eceda1f46a4898124aee11fd0a4aff4d7006f9d6a847f570a56a7b0b7dc1982792723103acb2649572748c8bf

Download Submit
\Users\Admin\AppData\Local\Temp\e1bd141dc7d48128d27f10ff1b27f5b3.exe

Filesize
561KB

MD5
4b7eeb9cd3394a29b1f2a4ff4d41d77f

SHA1
69c67d475cfb65c224535c31a362db685a6add98

SHA256
515247973ca9da4419bd3c0b4bdebe2b2138407656c69ad974c2a1ac271f593d

SHA512
079b5c5dc91e03077916b3e428c91d4d0cd1c8b26a8273267ff7d4db51089cdb6a0e79fb234f8877e08648c63edee84f65bf61f2589b1cc3b7e86b0158f190a4

Download Submit
memory/2992-17-0x0000000000400000-0x000000000062A000-memory.dmp

Filesize
2.2MB

Download
memory/2992-16-0x0000000000400000-0x00000000008EF000-memory.dmp

Filesize
4.9MB

Download
memory/2992-18-0x0000000001B20000-0x0000000001C53000-memory.dmp

Filesize
1.2MB

Download
memory/2992-24-0x0000000003410000-0x000000000363A000-memory.dmp

Filesize
2.2MB

Download
memory/2992-23-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/2992-32-0x0000000000400000-0x00000000008EF000-memory.dmp

Filesize
4.9MB

Download
memory/3012-1-0x0000000000400000-0x000000000062A000-memory.dmp

Filesize
2.2MB

Download
memory/3012-2-0x0000000000280000-0x00000000003B3000-memory.dmp

Filesize
1.2MB

Download
memory/3012-15-0x00000000038F0000-0x0000000003DDF000-memory.dmp

Filesize
4.9MB

Download
memory/3012-14-0x0000000000400000-0x000000000062A000-memory.dmp

Filesize
2.2MB

Download
memory/3012-0-0x0000000000400000-0x00000000008EF000-memory.dmp

Filesize
4.9MB

Download
memory/3012-31-0x00000000038F0000-0x0000000003DDF000-memory.dmp

Filesize
4.9MB

Download