Analysis
max time kernel: 142s
max time network: 126s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-04-2024 06:09
Static task: static1
Behavioral task: behavioral1
  Sample: 59195ef2b4eba73748115fab9291ae3a7bc390f1e450f2037e5dfdf818c0ef5f.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 59195ef2b4eba73748115fab9291ae3a7bc390f1e450f2037e5dfdf818c0ef5f.exe
  Resource: win10v2004-20240226-en
General
Target: 59195ef2b4eba73748115fab9291ae3a7bc390f1e450f2037e5dfdf818c0ef5f.exe
Size: 5.8MB
MD5: 42540d763e2a86afafdfafefa148f6a3
SHA1: a4b73cf5cc73ac23bbc2e244f3f588beba1c1f0f
SHA256: 59195ef2b4eba73748115fab9291ae3a7bc390f1e450f2037e5dfdf818c0ef5f
SHA512: ae8d1a3180df54905f1488b9368aa96828ee4dd202d8fbd41bd133104e44470ac9e4eeb856b87735fb0ebd9013bde2cbc0c93546e95172e042838d118ed695a4
SSDEEP: 98304:ykL2O7g1QAwx2ILfi3ecuP5FHmpURWNSQiTOt29s4C1eH9n:d2OeW2wFlnuI6t5o9n
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid   Process
  2644  59195ef2b4eba73748115fab9291ae3a7bc390f1e450f2037e5dfdf818c0ef5f.tmp
Suspicious use of WriteProcessMemory (7 IoCs)
  description                            pid   Process                                                                   procid_target
  PID 1376 wrote to memory of 2644       1376  59195ef2b4eba73748115fab9291ae3a7bc390f1e450f2037e5dfdf818c0ef5f.exe  85
  PID 1376 wrote to memory of 2644       1376  59195ef2b4eba73748115fab9291ae3a7bc390f1e450f2037e5dfdf818c0ef5f.exe  85
  PID 1376 wrote to memory of 2644       1376  59195ef2b4eba73748115fab9291ae3a7bc390f1e450f2037e5dfdf818c0ef5f.exe  85
  PID 2644 wrote to memory of 868        2644  59195ef2b4eba73748115fab9291ae3a7bc390f1e450f2037e5dfdf818c0ef5f.tmp  94
  PID 2644 wrote to memory of 868        2644  59195ef2b4eba73748115fab9291ae3a7bc390f1e450f2037e5dfdf818c0ef5f.tmp  94
  PID 868 wrote to memory of 3184        868   cmd.exe                                                                   96
  PID 868 wrote to memory of 3184        868   cmd.exe                                                                   96
Processes
1. C:\Users\Admin\AppData\Local\Temp\59195ef2b4eba73748115fab9291ae3a7bc390f1e450f2037e5dfdf818c0ef5f.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\59195ef2b4eba73748115fab9291ae3a7bc390f1e450f2037e5dfdf818c0ef5f.exe"
   - Suspicious use of WriteProcessMemory
   PID: 1376
   2. C:\Users\Admin\AppData\Local\Temp\is-IAUGU.tmp\59195ef2b4eba73748115fab9291ae3a7bc390f1e450f2037e5dfdf818c0ef5f.tmp
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-IAUGU.tmp\59195ef2b4eba73748115fab9291ae3a7bc390f1e450f2037e5dfdf818c0ef5f.tmp" /SL5="$5021C,5137597,832512,C:\Users\Admin\AppData\Local\Temp\59195ef2b4eba73748115fab9291ae3a7bc390f1e450f2037e5dfdf818c0ef5f.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID: 2644
      3. C:\Windows\system32\cmd.exe
         Command line: "C:\Windows\system32\cmd.exe" /C dotnet --list-runtimes > "C:\Users\Admin\AppData\Local\Temp\is-PDD75.tmp\dotnet.txt" 2>&1
         - Suspicious use of WriteProcessMemory
         PID: 868
         4. C:\Program Files\dotnet\dotnet.exe
            Command line: dotnet --list-runtimes
            PID: 3184
Network
MITRE ATT&CK Matrix
Downloads
C:\Users\Admin\AppData\Local\Temp\is-IAUGU.tmp\59195ef2b4eba73748115fab9291ae3a7bc390f1e450f2037e5dfdf818c0ef5f.tmp
  Filesize: 3.1MB
  MD5: ee296b2e0a935aa6a1bb7344673cd74a
  SHA1: febf43c2f460e4d50beb2d06011a6b59eb3f5944
  SHA256: 27f5c273960827096d3167cb43ca06a56f7822ff18e7bf22a99a7d49ca2cbb0c
  SHA512: 858714a1c82e233555349ec50930bf2b6a351239174613f0d70439e4d444522e8cb48871d6ae32fe7fbde9c20b34cce699d15e0a0175ef6c8e3dee1d449faa97

(second dropped file, path not recorded in the report)
  Filesize: 366B
  MD5: 1075c141a2530622f98be53ecefe24e2
  SHA1: 27039fdf81b61156f5286dbca9741ba639933baa
  SHA256: de15e864f69de3017a002c84dbae0448010f8d67b96fc39d613a171e414555aa
  SHA512: 66f5fc762c1085706bf7c006a2dbff7aa7b9d89cfba8c3ecaae6ef36a1201f4de7e09237919aafe9bf593e1b73ee063d401695cd6054dce8bb24cde9e35e0270