Malware Analysis Report

2024-10-19 01:44

Sample ID 240328-gta49aef5y
Target edaa4e44df8652613f83cab2b7790f3a8c0086fee134747747afc139e5481ad4.zip
SHA256 cfd27b3d61ad0cfcb0c5e31bb47144114b5ea37a7189a31bbf0c9ffa94e6f581
Tags
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1
    Detonation Overview
    Signatures

Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
7/10

SHA256

cfd27b3d61ad0cfcb0c5e31bb47144114b5ea37a7189a31bbf0c9ffa94e6f581

Threat Level: Shows suspicious behavior

The file edaa4e44df8652613f83cab2b7790f3a8c0086fee134747747afc139e5481ad4.zip was found to show suspicious behavior.

Malicious Activity Summary

Executes dropped EXE

Loads dropped DLL

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-03-28 06:05

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-28 06:05

Reported

2024-03-28 06:09

Platform

win7-20240221-en

Max time kernel

142s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\edaa4e44df8652613f83cab2b7790f3a8c0086fee134747747afc139e5481ad4.exe"

Signatures

Suspicious behavior: GetForegroundWindowSpam

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\is-B4KOO.tmp\edaa4e44df8652613f83cab2b7790f3a8c0086fee134747747afc139e5481ad4.tmp
Target: N/A

Suspicious use of WriteProcessMemory

Description: PID 2208 wrote to memory of 2780
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\edaa4e44df8652613f83cab2b7790f3a8c0086fee134747747afc139e5481ad4.exe
Target: C:\Users\Admin\AppData\Local\Temp\is-B4KOO.tmp\edaa4e44df8652613f83cab2b7790f3a8c0086fee134747747afc139e5481ad4.tmp
(this event was recorded 7 times with identical fields)

Processes

C:\Users\Admin\AppData\Local\Temp\edaa4e44df8652613f83cab2b7790f3a8c0086fee134747747afc139e5481ad4.exe

"C:\Users\Admin\AppData\Local\Temp\edaa4e44df8652613f83cab2b7790f3a8c0086fee134747747afc139e5481ad4.exe"

C:\Users\Admin\AppData\Local\Temp\is-B4KOO.tmp\edaa4e44df8652613f83cab2b7790f3a8c0086fee134747747afc139e5481ad4.tmp

"C:\Users\Admin\AppData\Local\Temp\is-B4KOO.tmp\edaa4e44df8652613f83cab2b7790f3a8c0086fee134747747afc139e5481ad4.tmp" /SL5="$8001C,15648808,1044992,C:\Users\Admin\AppData\Local\Temp\edaa4e44df8652613f83cab2b7790f3a8c0086fee134747747afc139e5481ad4.exe"

Network

N/A

Files

memory/2208-1-0x0000000000400000-0x000000000050C000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-B4KOO.tmp\edaa4e44df8652613f83cab2b7790f3a8c0086fee134747747afc139e5481ad4.tmp

MD5 7da27e20661e025f701f1f64927c70f8
SHA1 4d01eaaa7251e382c2b71f12af826c2575196188
SHA256 9742767b2de0c8c1305a2c3f712c76043ce6bba3f31beae7419fd64913abc3e5
SHA512 7e57d809f70844b67b0ee67ba0f2cca5ef5ee30680a9f7fd7d55a61f2cee1bfe61dbe490699955d5d94110e43bfc3f053d7ef3569788be17345d4ff4cb086019

memory/2780-8-0x00000000002C0000-0x00000000002C1000-memory.dmp

memory/2208-10-0x0000000000400000-0x000000000050C000-memory.dmp

memory/2780-11-0x0000000000400000-0x0000000000748000-memory.dmp

memory/2780-14-0x00000000002C0000-0x00000000002C1000-memory.dmp

memory/2780-26-0x0000000000400000-0x0000000000748000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-28 06:05

Reported

2024-03-28 06:09

Platform

win10v2004-20240226-en

Max time kernel

142s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\edaa4e44df8652613f83cab2b7790f3a8c0086fee134747747afc139e5481ad4.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\edaa4e44df8652613f83cab2b7790f3a8c0086fee134747747afc139e5481ad4.exe

"C:\Users\Admin\AppData\Local\Temp\edaa4e44df8652613f83cab2b7790f3a8c0086fee134747747afc139e5481ad4.exe"

C:\Users\Admin\AppData\Local\Temp\is-5GLQ1.tmp\edaa4e44df8652613f83cab2b7790f3a8c0086fee134747747afc139e5481ad4.tmp

"C:\Users\Admin\AppData\Local\Temp\is-5GLQ1.tmp\edaa4e44df8652613f83cab2b7790f3a8c0086fee134747747afc139e5481ad4.tmp" /SL5="$5021C,15648808,1044992,C:\Users\Admin\AppData\Local\Temp\edaa4e44df8652613f83cab2b7790f3a8c0086fee134747747afc139e5481ad4.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 98.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

memory/2952-0-0x0000000000400000-0x000000000050C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-5GLQ1.tmp\edaa4e44df8652613f83cab2b7790f3a8c0086fee134747747afc139e5481ad4.tmp

MD5 7da27e20661e025f701f1f64927c70f8
SHA1 4d01eaaa7251e382c2b71f12af826c2575196188
SHA256 9742767b2de0c8c1305a2c3f712c76043ce6bba3f31beae7419fd64913abc3e5
SHA512 7e57d809f70844b67b0ee67ba0f2cca5ef5ee30680a9f7fd7d55a61f2cee1bfe61dbe490699955d5d94110e43bfc3f053d7ef3569788be17345d4ff4cb086019

memory/2984-5-0x0000000000D60000-0x0000000000D61000-memory.dmp

memory/2952-7-0x0000000000400000-0x000000000050C000-memory.dmp

memory/2984-8-0x0000000000400000-0x0000000000748000-memory.dmp

memory/2984-11-0x0000000000D60000-0x0000000000D61000-memory.dmp

memory/2984-31-0x0000000000400000-0x0000000000748000-memory.dmp

memory/2984-35-0x0000000000400000-0x0000000000748000-memory.dmp