Analysis
max time kernel: 144s
max time network: 160s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/04/2024, 18:50
Static task: static1
Behavioral task: behavioral1
  Sample: Isisvideo.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: Isisvideo.exe
  Resource: win10v2004-20240412-en
General
Target: Isisvideo.exe
Size: 55KB
MD5: e75eef82eba9fb4946d6e9d42abd4fe5
SHA1: e1bc20e9648028ceca5a5f27549ac0c13aeb23f4
SHA256: edbf9376617abec8a3f8ca5726171917c6c690ca9471f38421cfcaab2e79a467
SHA512: 0869606a04aac1a46572e1366855cbb711e1bd92950dfb9924fc1cfb17188529e6bf542e9213d20373f86c0628f587efd9891ba8125a6992b61833c189fa5469
SSDEEP: 1536:x1qTXQOp6mG/Lqa823grKUfMQ7UnPQ1Bx:ozp6mOZ8ZhfNUnPQx
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid   Process
  5068  pokemon.exe
- Gathers network information (2 TTPs, 2 IoCs)
  Uses commandline utility to view network configuration.
  pid   Process
  3632  ipconfig.exe
  2188  ipconfig.exe
- Suspicious use of WriteProcessMemory (18 IoCs; each of the six events below is reported three times)
  description                        pid   Process        procid_target
  PID 4312 wrote to memory of 3008   4312  Isisvideo.exe  86
  PID 4312 wrote to memory of 4752   4312  Isisvideo.exe  88
  PID 4752 wrote to memory of 5068   4752  CMD.exe        90
  PID 5068 wrote to memory of 3632   5068  pokemon.exe    92
  PID 5068 wrote to memory of 2188   5068  pokemon.exe    93
  PID 5068 wrote to memory of 3360   5068  pokemon.exe    97
Processes
- C:\Users\Admin\AppData\Local\Temp\Isisvideo.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Isisvideo.exe"
  PID: 4312
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\CMD.exe
    Command line: CMD /C Copy C:\Users\Admin\AppData\Local\Temp\ISISVI~1.EXE C:\Users\Admin\AppData\Local\Temp\pokemon.exe
    PID: 3008
  - C:\Windows\SysWOW64\CMD.exe
    Command line: CMD /C Start C:\Users\Admin\AppData\Local\Temp\pokemon.exe
    PID: 4752
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\pokemon.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\pokemon.exe
      PID: 5068
      Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\ipconfig.exe
        Command line: ipconfig /flushdns
        PID: 3632
        Signatures: Gathers network information
      - C:\Windows\SysWOW64\ipconfig.exe
        Command line: ipconfig /renew
        PID: 2188
        Signatures: Gathers network information
      - C:\Windows\SysWOW64\CMD.exe
        Command line: CMD /C Start C:\Users\Admin\AppData\Local\{6L5UX~1\5l9geos5.exe
        PID: 3360
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 55KB
  MD5: e75eef82eba9fb4946d6e9d42abd4fe5
  SHA1: e1bc20e9648028ceca5a5f27549ac0c13aeb23f4
  SHA256: edbf9376617abec8a3f8ca5726171917c6c690ca9471f38421cfcaab2e79a467
  SHA512: 0869606a04aac1a46572e1366855cbb711e1bd92950dfb9924fc1cfb17188529e6bf542e9213d20373f86c0628f587efd9891ba8125a6992b61833c189fa5469
- Filesize: 949B
  MD5: 8343187481d814c7da0e16fce6d1b508
  SHA1: 01e783291376c0cb6dbb465bf05934b1d067c894
  SHA256: 0632548940f934da53205441b68580638d9a93d57412d48c126bd7182a35424e
  SHA512: 98989b8f969b71d855b2abfb23d1f6cfe1f929cd087681ad80015d03a90be9f9d3e1b3cd3bf24a0d9d0af19d32cab3cbe7c566f1d408be965aa19c1af278dc38