506a508b6a6f236185fd9c2689f548c7085948ceb0e99cc8d5c7c2b81bbe80f9

Analysis

max time kernel
145s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
02/06/2024, 08:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

506a508b6a6f236185fd9c2689f548c7085948ceb0e99cc8d5c7c2b81bbe80f9.exe
Size

69.7MB
MD5

c74ac8e2372d7ffbf59df8e5d50f81cf
SHA1

095e3ef202ed82c48a07899b5b876ed2963b8228
SHA256

506a508b6a6f236185fd9c2689f548c7085948ceb0e99cc8d5c7c2b81bbe80f9
SHA512

c6472e1e3431b09b544139527df18ba5bc555b340bbc777429f2e70cfd65783a2dc96aca0dc7884670cd404463d646b85e9d0dd50aa1e7050281dacee603b16c
SSDEEP

1572864:VhKa+R1aXgAHrQpGD+TYRakyjFTzjTxBvds69rEe:VD+pGCTYm5TPTxhds6R

Score

4^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2632	506a508b6a6f236185fd9c2689f548c7085948ceb0e99cc8d5c7c2b81bbe80f9.tmp

Loads dropped DLL 12 IoCs

pid	Process
2212	506a508b6a6f236185fd9c2689f548c7085948ceb0e99cc8d5c7c2b81bbe80f9.exe
2632	506a508b6a6f236185fd9c2689f548c7085948ceb0e99cc8d5c7c2b81bbe80f9.tmp
2632	506a508b6a6f236185fd9c2689f548c7085948ceb0e99cc8d5c7c2b81bbe80f9.tmp
2632	506a508b6a6f236185fd9c2689f548c7085948ceb0e99cc8d5c7c2b81bbe80f9.tmp
2632	506a508b6a6f236185fd9c2689f548c7085948ceb0e99cc8d5c7c2b81bbe80f9.tmp
2632	506a508b6a6f236185fd9c2689f548c7085948ceb0e99cc8d5c7c2b81bbe80f9.tmp
2632	506a508b6a6f236185fd9c2689f548c7085948ceb0e99cc8d5c7c2b81bbe80f9.tmp
2632	506a508b6a6f236185fd9c2689f548c7085948ceb0e99cc8d5c7c2b81bbe80f9.tmp
2632	506a508b6a6f236185fd9c2689f548c7085948ceb0e99cc8d5c7c2b81bbe80f9.tmp
2632	506a508b6a6f236185fd9c2689f548c7085948ceb0e99cc8d5c7c2b81bbe80f9.tmp
2632	506a508b6a6f236185fd9c2689f548c7085948ceb0e99cc8d5c7c2b81bbe80f9.tmp
2632	506a508b6a6f236185fd9c2689f548c7085948ceb0e99cc8d5c7c2b81bbe80f9.tmp

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	14	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2632	506a508b6a6f236185fd9c2689f548c7085948ceb0e99cc8d5c7c2b81bbe80f9.tmp
2632	506a508b6a6f236185fd9c2689f548c7085948ceb0e99cc8d5c7c2b81bbe80f9.tmp
2632	506a508b6a6f236185fd9c2689f548c7085948ceb0e99cc8d5c7c2b81bbe80f9.tmp
2632	506a508b6a6f236185fd9c2689f548c7085948ceb0e99cc8d5c7c2b81bbe80f9.tmp
2632	506a508b6a6f236185fd9c2689f548c7085948ceb0e99cc8d5c7c2b81bbe80f9.tmp
2632	506a508b6a6f236185fd9c2689f548c7085948ceb0e99cc8d5c7c2b81bbe80f9.tmp
2632	506a508b6a6f236185fd9c2689f548c7085948ceb0e99cc8d5c7c2b81bbe80f9.tmp
2632	506a508b6a6f236185fd9c2689f548c7085948ceb0e99cc8d5c7c2b81bbe80f9.tmp
2632	506a508b6a6f236185fd9c2689f548c7085948ceb0e99cc8d5c7c2b81bbe80f9.tmp
2632	506a508b6a6f236185fd9c2689f548c7085948ceb0e99cc8d5c7c2b81bbe80f9.tmp
2632	506a508b6a6f236185fd9c2689f548c7085948ceb0e99cc8d5c7c2b81bbe80f9.tmp
2632	506a508b6a6f236185fd9c2689f548c7085948ceb0e99cc8d5c7c2b81bbe80f9.tmp
2632	506a508b6a6f236185fd9c2689f548c7085948ceb0e99cc8d5c7c2b81bbe80f9.tmp
2632	506a508b6a6f236185fd9c2689f548c7085948ceb0e99cc8d5c7c2b81bbe80f9.tmp
2632	506a508b6a6f236185fd9c2689f548c7085948ceb0e99cc8d5c7c2b81bbe80f9.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2632	506a508b6a6f236185fd9c2689f548c7085948ceb0e99cc8d5c7c2b81bbe80f9.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2632	2212	506a508b6a6f236185fd9c2689f548c7085948ceb0e99cc8d5c7c2b81bbe80f9.exe	28
PID 2212 wrote to memory of 2632	2212	506a508b6a6f236185fd9c2689f548c7085948ceb0e99cc8d5c7c2b81bbe80f9.exe	28
PID 2212 wrote to memory of 2632	2212	506a508b6a6f236185fd9c2689f548c7085948ceb0e99cc8d5c7c2b81bbe80f9.exe	28
PID 2212 wrote to memory of 2632	2212	506a508b6a6f236185fd9c2689f548c7085948ceb0e99cc8d5c7c2b81bbe80f9.exe	28
PID 2212 wrote to memory of 2632	2212	506a508b6a6f236185fd9c2689f548c7085948ceb0e99cc8d5c7c2b81bbe80f9.exe	28
PID 2212 wrote to memory of 2632	2212	506a508b6a6f236185fd9c2689f548c7085948ceb0e99cc8d5c7c2b81bbe80f9.exe	28
PID 2212 wrote to memory of 2632	2212	506a508b6a6f236185fd9c2689f548c7085948ceb0e99cc8d5c7c2b81bbe80f9.exe	28

C:\Users\Admin\AppData\Local\Temp\506a508b6a6f236185fd9c2689f548c7085948ceb0e99cc8d5c7c2b81bbe80f9.exe
"C:\Users\Admin\AppData\Local\Temp\506a508b6a6f236185fd9c2689f548c7085948ceb0e99cc8d5c7c2b81bbe80f9.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Users\Admin\AppData\Local\Temp\is-0P5FM.tmp\506a508b6a6f236185fd9c2689f548c7085948ceb0e99cc8d5c7c2b81bbe80f9.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-0P5FM.tmp\506a508b6a6f236185fd9c2689f548c7085948ceb0e99cc8d5c7c2b81bbe80f9.tmp" /SL5="$7011E,72059904,900608,C:\Users\Admin\AppData\Local\Temp\506a508b6a6f236185fd9c2689f548c7085948ceb0e99cc8d5c7c2b81bbe80f9.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2632

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\is-0P5FM.tmp\506a508b6a6f236185fd9c2689f548c7085948ceb0e99cc8d5c7c2b81bbe80f9.tmp

Filesize
3.1MB

MD5
fac8132caa0cb6c2d3e39cbd998f06fb

SHA1
a4b39e7e47d241016e344bf480af553738304358

SHA256
7bf4f7e44c6ca207555034b4c869c638d8cc6b198a46a4875f4c64f2877c77d8

SHA512
dc3e236c769032eeefc688f921ad08681f91ed9eb700f463a6a7e6281696823d7aad074fa1970ce176133a8d23ca1957d54d9cf3e19f4ad98d04d5c7ac65b023

Download Submit
\Users\Admin\AppData\Local\Temp\is-A1CGC.tmp\dlmgr.dll

Filesize
194KB

MD5
c41a84ead571651d3f54472e2534b590

SHA1
e476e6bc8d3940bf8b84a9b3fe606136387c9cf6

SHA256
da9fb4b2bdec84d4b6ee6602666b55d762a0f925863b97ba9f4134e26e5be370

SHA512
a5029489ade04efea880fbde25f338f686a1ae2a35c5e5101968393c3932c9af48b374d0ff6e37551a359248c1105327c4cf5776c062135e0d52a176ed1e3b09

Download Submit
\Users\Admin\AppData\Local\Temp\is-A1CGC.tmp\dvssyshelper.dll

Filesize
471KB

MD5
6cbb8dd7c6d931a0aa47684ba70501f6

SHA1
9079a507c330585743f599924cdeadfda9a6e1a2

SHA256
f3b4f343049a363b0f0055580f7091d43a89dcbffeec1cb7b65df2c2bf7bd3c4

SHA512
85c33b2a527c1d5311745dc47afa1b3a5e5d99f460407134b69bd420a747e4c9cbbfe8fe7517d7c494c42a9bf2f9efca78939c9d5d41092ff1f9b049938e5c7d

Download Submit
\Users\Admin\AppData\Local\Temp\is-A1CGC.tmp\jansson.dll

Filesize
51KB

MD5
bd85ae31f57e240dd145a0b1b3a23d1d

SHA1
c24a6fc4296c9b0f60d4cc32769306892b4bee0d

SHA256
e80bb21d45ff59da6cb22b0fb63267e025be3b11f89006661d077d852fb0a110

SHA512
02abf4fb5f445728994c11854e85e9a37faaf7c8d69f8dad31198bd4402df85935debfc4261f45cf42388440e58be74a477310a9c2126c35ea2e9609674f1d7a

Download Submit
\Users\Admin\AppData\Local\Temp\is-A1CGC.tmp\libcrypto-1_1.dll

Filesize
2.4MB

MD5
d525d6132163a1ccc8bba68892452a64

SHA1
9f1fbbafb940cd7fce729e3948041d506b226c26

SHA256
375639ffb9efdbc5d978d020be5867c3e6fe29cff9ce54be3e584d262673569f

SHA512
366e58246ac7e750770a2ffd18f82d64049eae17246227d92e37876392c5b22a35c62cdd3ac4b437fbcf51bae83751ff07c97201bca48e861f65bd0a8755e839

Download Submit
\Users\Admin\AppData\Local\Temp\is-A1CGC.tmp\libcurl.dll

Filesize
320KB

MD5
d5e314b1856826ed2c729996718dde82

SHA1
5442c7d1b33fe561f12332e4accc9991d9600da0

SHA256
a3e8dfa038824da6f56aad2921b12f383e318e1dbdfad603d8df16ebc5a02ad2

SHA512
55b9e1b2eaa984aeff32a798ceef1762880bfef862c25dbb7174de64f7b3e8f6e4c0167291d47840c35dc3d12dcc49aae03612815890bb5c8262461a430ebd1f

Download Submit
\Users\Admin\AppData\Local\Temp\is-A1CGC.tmp\libssl-1_1.dll

Filesize
533KB

MD5
3503885267b930c992cf2fbe028c3b4b

SHA1
b82d0a36168b306336227b7677d45d842d932199

SHA256
ba5084c0c44317d42fcdb2fd76ce07b73c5048b66f932242945095c5e2e2668b

SHA512
a4b68c4bd0dcc1732e0b7e109c4bbb37709309460896a8a992cf4ae26e9f957e1a28f1a446565ff3c712d0a46daf2ede6d39b03a9c86d5bad7dd403bb83ea0ab

Download Submit
\Users\Admin\AppData\Local\Temp\is-A1CGC.tmp\msvcp140.dll

Filesize
427KB

MD5
3a207bdfaa989abab1cf5f7e86555b87

SHA1
b5df7c111591c9cf719260fcf0769322927f23f8

SHA256
9e9b340bba6d47fb15cde3b9d0568c6d296e3299eca0dfcd2bf000637b36fe13

SHA512
9341b5083a9f1470a2f6834d0440b04346da7f4a1b050741c3acc32af730daa567ddcd15d699b7918b7a3a83b5bc45c5514872100d820d63deb8a9b17633e54f

Download Submit
\Users\Admin\AppData\Local\Temp\is-A1CGC.tmp\tier0.dll

Filesize
142KB

MD5
db894e877aa91484ec5b7075f6dfde2a

SHA1
779f09729789a86f5efd3e010c8cf59ad004e12f

SHA256
b318fb7d1cc6763c0c21684a3949b46a9316045afaa3bb6959f37678cf661f1b

SHA512
27cd3509cbcdae17c2c292ea900fd71a7dec762a3b6d9a65e9b6e5c791cd2e661a71ef5979044f094cb22b29d65e085732dfbf3ad69916e4d19e19e0f209d6b7

Download Submit
\Users\Admin\AppData\Local\Temp\is-A1CGC.tmp\unihelp.dll

Filesize
100KB

MD5
2e279ffcc1de9027cebc97511ec4e3fa

SHA1
31732b05b4c02d9d0f5f8be8a0984900bc46be25

SHA256
915205ab28fdd2e0b5677976425b68918ea141e4ea3ddfc3dad8025d6390da64

SHA512
305e5a1a1e4f8545f368c72ee73515b3bb22e7a458b0e40e0f353b13959fedeadaa01f4fd05efee9554f6def66867d1696042463105bba146626543623d337ec

Download Submit
\Users\Admin\AppData\Local\Temp\is-A1CGC.tmp\vcruntime140.dll

Filesize
75KB

MD5
30f437cc4598570e7cc661f8131daf2e

SHA1
1549c04d7babf58b71a243ce5e7ec308494ca818

SHA256
b48dc53977477f13ca80e7aa002d23a127b53515c0a45fe82c2a87f35450d1d0

SHA512
30f21fd5f884d47a46796024ceffb5ef426bbad4c81e1a5fcefe408db5af4739ddc76b18c3937b73000d288440ef886136ef96fc09611c924b20128272cb1539

Download Submit
\Users\Admin\AppData\Local\Temp\is-A1CGC.tmp\zlib.dll

Filesize
82KB

MD5
42ead533d902c09ac7c6b78eaafbc76b

SHA1
7ee55d69b5176b440448ef92188eb8c8c47eaf5d

SHA256
bd33974eacf309cdcd0bc081286fe777d95f7a97f0bfca873a4255427eac7ea1

SHA512
67e12c8560c22c7c073d2e4cb42840ab5c8909be3f651b7bfa681ea3161bb83ba1eadb8c7671fef0e45b02c3ca1a5f8b6fb2f636d50a30e0c9b523bf21426e27

Download Submit
memory/2212-0-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2212-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/2212-61-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2632-8-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/2632-62-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download