Analysis
- max time kernel: 122s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 21/05/2024, 16:00
Behavioral task: behavioral1
- Sample: $R3NK09Y.exe
- Resource: win7-20240508-en
General
- Target: $R3NK09Y.exe
- Size: 16.4MB
- MD5: c9cde10ef15429feeb2177a12b8ecd9b
- SHA1: a77ab463eef7ff052fef80452d66bba49ee1ef1c
- SHA256: e7e356483dbdb34e2b69f22cd6e10d6b31bcd43c24f5724010e683656e16933d
- SHA512: d9c99be64909b61f15a2af370d58d1e5f727dec58aa6c694efce842d1575e0877d22cab93619572899a6be2aada5578c820896d98dff1c5ec67c7ce8f436a17e
- SSDEEP: 196608:FgL9HLAlndpb7KX/Rdarz60/460ii8kB6yTNJm3AqM+KCKW4nZQobtxoYByzKX93:cxAlndYX5UrzR8BRT/m3pqCgzNNxu87
Malware Config
Signatures
- Loads dropped DLL (1 IoC)
  pid | Process
  2484 | $R3NK09Y.exe
- YARA rule match
  resource | yara_rule
  behavioral1/files/0x00050000000193ee-102.dat | upx
- Suspicious use of WriteProcessMemory (3 IoCs; three calls recorded, all from PID 1904 into PID 2484)
  description | pid | Process | procid_target
  PID 1904 wrote to memory of 2484 | 1904 | $R3NK09Y.exe | 28
  PID 1904 wrote to memory of 2484 | 1904 | $R3NK09Y.exe | 28
  PID 1904 wrote to memory of 2484 | 1904 | $R3NK09Y.exe | 28
Processes
- C:\Users\Admin\AppData\Local\Temp\$R3NK09Y.exe "C:\Users\Admin\AppData\Local\Temp\$R3NK09Y.exe" (PID 1904)
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\$R3NK09Y.exe "C:\Users\Admin\AppData\Local\Temp\$R3NK09Y.exe" (PID 2484, child of 1904)
    - Loads dropped DLL
- C:\Windows\explorer.exe "C:\Windows\explorer.exe" (PID 2828)
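The tree and the signatures above describe one pattern: the sample (PID 1904) launches a second copy of itself from the same path (PID 2484), the parent calls WriteProcessMemory against that child three times, and the child then loads a dropped DLL whose file the UPX YARA rule matched. That sequence (packed binary unpacks a payload into a fresh copy of itself) is what an analyst would want to pull out of the raw IoC rows automatically. The following is an added example, not code from the sandbox or the report; the record layout (`pid`, `ppid`, `image`, and the `(writer, target)` pairs) is this example's own assumed schema, and the input records are constructed from the report's Processes and Signatures sections. It goes slightly beyond this report by also classifying writes into a child with a different image and writes into a non-child process.

```python
"""Added example: classify WriteProcessMemory IoCs against a process tree.

Not part of the sandbox report. Field names (pid, ppid, image) and the
event tuples are an assumed schema; the records below are constructed
from the report's Processes and Signatures sections.
"""
from collections import defaultdict

# Constructed from the report's process tree. explorer.exe is listed as a
# separate root, so its parent is recorded as None.
PROCESSES = [
    {"pid": 1904, "ppid": None, "image": r"C:\Users\Admin\AppData\Local\Temp\$R3NK09Y.exe"},
    {"pid": 2484, "ppid": 1904, "image": r"C:\Users\Admin\AppData\Local\Temp\$R3NK09Y.exe"},
    {"pid": 2828, "ppid": None, "image": r"C:\Windows\explorer.exe"},
]

# Constructed from the Signatures section: the three identical
# "PID 1904 wrote to memory of 2484" rows, and the "Loads dropped DLL" IoC.
WRITE_EVENTS = [(1904, 2484)] * 3   # (writer pid, target pid), one per call
DROPPED_DLL_LOADS = {2484}          # pids that loaded a dropped DLL


def classify_memory_writes(processes, write_events, dll_loads):
    """Group WriteProcessMemory events by (writer, target) and label each pair.

    self_injection   : target is a child of the writer and runs the same image
                       (the report's pattern: a packed sample unpacking into a
                       fresh copy of itself)
    child_injection  : target is a child of the writer but a different image
    remote_injection : target is not a child of the writer at all
    Pairs whose pids are absent from the tree are skipped rather than guessed.
    """
    by_pid = {p["pid"]: p for p in processes}
    counts = defaultdict(int)
    for writer, target in write_events:
        counts[(writer, target)] += 1

    findings = []
    for (writer, target), n_calls in sorted(counts.items()):
        w, t = by_pid.get(writer), by_pid.get(target)
        if w is None or t is None:
            continue
        if t["ppid"] != writer:
            kind = "remote_injection"
        elif w["image"].lower() == t["image"].lower():
            kind = "self_injection"
        else:
            kind = "child_injection"
        findings.append({
            "kind": kind,
            "parent": writer,
            "child": target,
            "image": t["image"],
            "write_calls": n_calls,
            "child_loads_dropped_dll": target in dll_loads,
        })
    return findings


if __name__ == "__main__":
    for finding in classify_memory_writes(PROCESSES, WRITE_EVENTS, DROPPED_DLL_LOADS):
        print(finding)
```

Run against the report's records this yields a single `self_injection` finding for 1904 -> 2484 with three write calls and the dropped-DLL flag set; a write from 1904 into explorer.exe (PID 2828), had the report shown one, would be classified as `remote_injection` because explorer.exe is not a child of the sample.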
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 1.4MB
  MD5: 9757d49b0665074358f3ab977e0ff907
  SHA1: 7d220a33737266ac73cc674c80217810f63238ee
  SHA256: 6d2a781b8ecacb9044b5617e89f2cbd65bd21791a96d1fc4ece1dabc4fa47024
  SHA512: 4a94c756f0b9a610ee5e6f6530ccbad180c81ba015d3d23c51486d6d129d654d464cdcd1b7ff6ce68ac6e8578e7121343bbd88e7900bb8fa685fe091e75690ca