Analysis
max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 26-06-2024 08:17
Behavioral task: behavioral1
Sample: 05bf5c90ddb1600874328b35875ad66a588606f126b9427e3fe68c54fcdf6511.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 05bf5c90ddb1600874328b35875ad66a588606f126b9427e3fe68c54fcdf6511.exe
Resource: win10v2004-20240508-en
General
Target: 05bf5c90ddb1600874328b35875ad66a588606f126b9427e3fe68c54fcdf6511.exe
Size: 12.7MB
MD5: cfc16729b84ad37c7c60de351e5ba2b1
SHA1: 318853b20b42e6fd2fe648f2163580a0663078f4
SHA256: 05bf5c90ddb1600874328b35875ad66a588606f126b9427e3fe68c54fcdf6511
SHA512: dc8d099e6852ca1e88be48bbbc5c369af756202257ec70dae8e825d4e92c4c2003b18ff90b5b5ee53b1d11d74e28a7be6fee7f4633781f3d97458e99f3c966d0
SSDEEP: 196608:VXto1bCsgNvDTo+DN3SZdmbuJ1BQNpNWveYQb0ZsL+qCOtYBoaCcFBmPfHpuB:NRNLTLN3SZ8buJwY2YdsNCOzadBm5U
Malware Config
Signatures

Executes dropped EXE (1 IoC)
pid   Process
2460  1A0B0B0B120C156F155E15D0A0E160A0E160A.exe

Loads dropped DLL (2 IoCs)
pid   Process
2928  05bf5c90ddb1600874328b35875ad66a588606f126b9427e3fe68c54fcdf6511.exe
2460  1A0B0B0B120C156F155E15D0A0E160A0E160A.exe

resource                                                                     yara_rule
behavioral1/memory/2928-35-0x0000000000400000-0x0000000002111000-memory.dmp  vmprotect
behavioral1/memory/2928-39-0x0000000000400000-0x0000000002111000-memory.dmp  vmprotect
behavioral1/memory/2928-40-0x0000000000400000-0x0000000002111000-memory.dmp  vmprotect
behavioral1/memory/2928-86-0x0000000000400000-0x0000000002111000-memory.dmp  vmprotect
behavioral1/files/0x0004000000004ed7-88.dat                                  vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
pid   Process
2928  05bf5c90ddb1600874328b35875ad66a588606f126b9427e3fe68c54fcdf6511.exe
2460  1A0B0B0B120C156F155E15D0A0E160A0E160A.exe

Suspicious behavior: EnumeratesProcesses (16 IoCs)
pid   Process
2928  05bf5c90ddb1600874328b35875ad66a588606f126b9427e3fe68c54fcdf6511.exe  (8 entries)
2460  1A0B0B0B120C156F155E15D0A0E160A0E160A.exe                             (8 entries)

Suspicious use of SetWindowsHookEx (4 IoCs)
pid   Process
2928  05bf5c90ddb1600874328b35875ad66a588606f126b9427e3fe68c54fcdf6511.exe  (2 entries)
2460  1A0B0B0B120C156F155E15D0A0E160A0E160A.exe                             (2 entries)

Suspicious use of WriteProcessMemory (4 IoCs)
description                       pid   Process                                                                procid_target
PID 2928 wrote to memory of 2460  2928  05bf5c90ddb1600874328b35875ad66a588606f126b9427e3fe68c54fcdf6511.exe  28  (4 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\05bf5c90ddb1600874328b35875ad66a588606f126b9427e3fe68c54fcdf6511.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\05bf5c90ddb1600874328b35875ad66a588606f126b9427e3fe68c54fcdf6511.exe"
  PID: 2928
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\1A0B0B0B120C156F155E15D0A0E160A0E160A.exe (child of PID 2928)
    Command line: C:\Users\Admin\AppData\Local\Temp\1A0B0B0B120C156F155E15D0A0E160A0E160A.exe
    PID: 2460
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 12.7MB
MD5: d1e2e748ba78e4c436446cbf36076c8b
SHA1: 6d263a24bd30f46fb1a97e1ea312359b3c364cc3
SHA256: 4b2b52e82a6415c8c6a22cf67ed26b37a07c0934386a8d712397b6e5b699773a
SHA512: fafdfaabec86cad43c76234baa76ea8ebd3cd9d588a28d0ab7b598af8b4089ec488a4e3f111139c8327080023c4f2f537f4261e014dd96b2331e0b3bfb7abc6b

Filesize: 1.5MB
MD5: 22ec14d2b15f50d872a9befc5fdf4ad4
SHA1: f4347c8222b62b152608baeebe54776ad9cde997
SHA256: b9c15cc65e80aa0f4332c86e8323f2a2a6840ad46a784dd6391a124a6f792590
SHA512: 28a59bb59ee66b93b1792177f9eaef13e9696b4b4c6e5427e98608e28cd1fb56a5765dd07ccfc30651eaf79d24610b79e12d1454ef50a79ef30a0074aa5f5240