Analysis
max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240419-en
resource tags
arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted
29/05/2024, 13:16
Static task
static1
Behavioral task
behavioral1
Sample
v55.exe
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
v55.exe
Resource
win10v2004-20240508-en
General
Target
v55.exe
Size
12.3MB
MD5
3db8c1ee14aa746c099481bdb31d36c5
SHA1
ae94f11a184b2e55f1612f9b9901378fcd65e505
SHA256
c932c8185582e062ff5c2bee4ac8fe390539325d0a432c91dba5a617cc8e9ebc
SHA512
28de48ae12776662a0e458754cf3be00d9b31528ae66af30ea187959ee068cbe62693d9fa7c23309fdc15487d1e25801e05f37b561a0038f61988ab22a20fdcc
SSDEEP
393216:ByKRk9incp/qc8zCInj0WkJbMUWWlQ845bzS:BpR/nc8c8zCYYJwDb
Malware Config
Signatures
Executes dropped EXE 4 IoCs
pid Process
2860 Built.exe
2608 Built.exe
2788 v5.exe
1180 Process not Found
Loads dropped DLL 5 IoCs
pid Process
1860 v55.exe
2860 Built.exe
2608 Built.exe
1860 v55.exe
2732 Process not Found
resource yara_rule
behavioral1/files/0x0006000000014d0f-29.dat upx
behavioral1/memory/2608-32-0x000007FEF64B0000-0x000007FEF6AA2000-memory.dmp upx
Detects Pyinstaller 1 IoCs
resource yara_rule
behavioral1/files/0x003100000001313a-34.dat pyinstaller
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target
PID 1860 wrote to memory of 2860 1860 v55.exe 28
PID 1860 wrote to memory of 2860 1860 v55.exe 28
PID 1860 wrote to memory of 2860 1860 v55.exe 28
PID 1860 wrote to memory of 2860 1860 v55.exe 28
PID 2860 wrote to memory of 2608 2860 Built.exe 29
PID 2860 wrote to memory of 2608 2860 Built.exe 29
PID 2860 wrote to memory of 2608 2860 Built.exe 29
PID 1860 wrote to memory of 2788 1860 v55.exe 30
PID 1860 wrote to memory of 2788 1860 v55.exe 30
PID 1860 wrote to memory of 2788 1860 v55.exe 30
PID 1860 wrote to memory of 2788 1860 v55.exe 30
Processes
- C:\Users\Admin\AppData\Local\Temp\v55.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\v55.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 1860
  - C:\Users\Admin\AppData\Local\Temp\Built.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Built.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 2860
    - C:\Users\Admin\AppData\Local\Temp\Built.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Built.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      PID: 2608
  - C:\Users\Admin\AppData\Local\Temp\v5.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\v5.exe"
    - Executes dropped EXE
    PID: 2788
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
1.6MB
MD5
ccdbd8027f165575a66245f8e9d140de
SHA1
d91786422ce1f1ad35c528d1c4cd28b753a81550
SHA256
503cd34daed4f6d320731b368bbd940dbac1ff7003321a47d81d81d199cca971
SHA512
870b54e4468db682b669887aeef1ffe496f3f69b219bda2405ac502d2dcd67b6542db6190ea6774abf1db5a7db429ce8f6d2fc5e88363569f15cf4df78da2311

Filesize
7.4MB
MD5
2c628deb80a8e0564ab2880b28e18af1
SHA1
733f8d93a98fb60ce981de24deb7928fc2848e8d
SHA256
b1b3013a32c2d73a5144e0371065a91d04b8a3b227eaf3de75bf41078d903188
SHA512
8d75e415a11863bee4763b572729d8090a63fa9487550b45a28ba2723cb410735a5cf7e9dc5a3cf857bb0bddb3e7775cca018b4df2d78e77c2e5477fb3509054

Filesize
4.9MB
MD5
a34c14e2f897e79948a262f029151e10
SHA1
27b9a47659398040f467d991775dd7d3113e962b
SHA256
40a7ceacbb6126a54eee26b10b2f66246c27c3891810998139367019286f6a63
SHA512
05bf31cd249416035e670ae7c473a7219a021a3aa87502ac52ead33804688731117a9eebfe1e7e53a85f02fe0a072e02707a4b4d94eaef090fe13cd741191812