Analysis
max time kernel: 147s
max time network: 157s
platform: windows11-21h2_x64
resource: win11-20240508-en
resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 25-05-2024 14:04
Static task: static1
Behavioral task: behavioral1
  Sample: ErikGlorious_crypted_EASY.exe
  Resource: win10v2004-20240508-en
Behavioral task: behavioral2
  Sample: ErikGlorious_crypted_EASY.exe
  Resource: win11-20240508-en
General
Target: ErikGlorious_crypted_EASY.exe
Size: 394KB
MD5: f758008b7884936d9b2a89d14c317b18
SHA1: 336c1e0d7ad5d58dbb4184710ed399af4494afde
SHA256: 341e941ba420f41c4d5887b2f5f19084bd0dc7addf3e3c694f79ebea2fcad370
SHA512: 133d8d0443f94efd806555c57607d88a0c419f508333f827dd856e1829f58c70efcd6a7df2421ca0fbff1a582feec820210e4dff757dacd24c91f01ba3b65a1e
SSDEEP: 12288:NF0ceA3g4vjEgKVpBfquOciBeGJr804EpkHeBOVOXRE0NxLFRHMA5X7UUghFx7X0:NJwojIVpxAci
Malware Config
Signatures
Loads dropped DLL (1 IoC)
  Processes:
    pid 3016, process ErikGlorious_crypted_EASY.exe
Suspicious use of SetThreadContext (1 IoC)
  Processes (description; pid; process; target process):
    PID 3016 set thread context of 1968; 3016; ErikGlorious_crypted_EASY.exe; aspnet_regiis.exe
Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description; pid; process; target process), 9 identical entries:
    PID 3016 wrote to memory of 1968; 3016; ErikGlorious_crypted_EASY.exe; aspnet_regiis.exe
Processes
C:\Users\Admin\AppData\Local\Temp\ErikGlorious_crypted_EASY.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ErikGlorious_crypted_EASY.exe"
  PID: 3016
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  Child process:
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
      PID: 1968
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 403KB
MD5: be271ff6a2ef27c8e8206400281366a6
SHA1: c84ce338321d94eb53f2a73c8ef76702ddc1e0d1
SHA256: af8734ac99fc5e32ab090ee1a4003383ceb14c8c076879ce6933cda3389f73ee
SHA512: 04d96e3b1f23aef43f5ea3e6637173a80e1db63b5de16346d3e9ae84b6e440810021d04c134b445cc3d0c59a78251986f9c9ec6e203e6395052442aa2cb3d44b