Analysis
- max time kernel: 40s
- max time network: 49s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-06-2024 08:17
Behavioral task behavioral1
- Sample: 05bf5c90ddb1600874328b35875ad66a588606f126b9427e3fe68c54fcdf6511.exe
- Resource: win7-20240221-en
Behavioral task behavioral2
- Sample: 05bf5c90ddb1600874328b35875ad66a588606f126b9427e3fe68c54fcdf6511.exe
- Resource: win10v2004-20240508-en
General
- Target: 05bf5c90ddb1600874328b35875ad66a588606f126b9427e3fe68c54fcdf6511.exe
- Size: 12.7MB
- MD5: cfc16729b84ad37c7c60de351e5ba2b1
- SHA1: 318853b20b42e6fd2fe648f2163580a0663078f4
- SHA256: 05bf5c90ddb1600874328b35875ad66a588606f126b9427e3fe68c54fcdf6511
- SHA512: dc8d099e6852ca1e88be48bbbc5c369af756202257ec70dae8e825d4e92c4c2003b18ff90b5b5ee53b1d11d74e28a7be6fee7f4633781f3d97458e99f3c966d0
- SSDEEP: 196608:VXto1bCsgNvDTo+DN3SZdmbuJ1BQNpNWveYQb0ZsL+qCOtYBoaCcFBmPfHpuB:NRNLTLN3SZ8buJwY2YdsNCOzadBm5U
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  PID 4744: 1E0A0A0B120C156B155E15F0D0E160F0E160F.exe
- Loads dropped DLL (1 IoC)
  PID 4744: 1E0A0A0B120C156B155E15F0D0E160F0E160F.exe
- YARA rule matches: vmprotect (5 resources)
  behavioral2/memory/4764-11-0x0000000000400000-0x0000000002111000-memory.dmp
  behavioral2/memory/4764-12-0x0000000000400000-0x0000000002111000-memory.dmp
  behavioral2/memory/4764-30-0x0000000000400000-0x0000000002111000-memory.dmp
  behavioral2/files/0x0007000000023405-32.dat
  behavioral2/memory/4744-37-0x0000000073B00000-0x0000000073E2D000-memory.dmp
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  PID 4764: 05bf5c90ddb1600874328b35875ad66a588606f126b9427e3fe68c54fcdf6511.exe
  PID 4744: 1E0A0A0B120C156B155E15F0D0E160F0E160F.exe
- Suspicious behavior: EnumeratesProcesses (32 IoCs)
  PID 4764: 05bf5c90ddb1600874328b35875ad66a588606f126b9427e3fe68c54fcdf6511.exe (repeated hits)
  PID 4744: 1E0A0A0B120C156B155E15F0D0E160F0E160F.exe (repeated hits)
- Suspicious use of SetWindowsHookEx (4 IoCs)
  PID 4764: 05bf5c90ddb1600874328b35875ad66a588606f126b9427e3fe68c54fcdf6511.exe (2 hits)
  PID 4744: 1E0A0A0B120C156B155E15F0D0E160F0E160F.exe (2 hits)
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 4764 (05bf5c90ddb1600874328b35875ad66a588606f126b9427e3fe68c54fcdf6511.exe) wrote to memory of PID 4744, procid_target 81 (3 hits)
Processes
1. C:\Users\Admin\AppData\Local\Temp\05bf5c90ddb1600874328b35875ad66a588606f126b9427e3fe68c54fcdf6511.exe (PID 4764)
   Command line: "C:\Users\Admin\AppData\Local\Temp\05bf5c90ddb1600874328b35875ad66a588606f126b9427e3fe68c54fcdf6511.exe"
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\1E0A0A0B120C156B155E15F0D0E160F0E160F.exe (PID 4744, child of PID 4764)
      Command line: C:\Users\Admin\AppData\Local\Temp\1E0A0A0B120C156B155E15F0D0E160F0E160F.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
Downloads
- Dropped file 1
  Filesize: 12.7MB
  MD5: 7d4c68203073898e59c1f60d3506bee0
  SHA1: d59ebbc985a569f92f79d9496f7bddb1d35f6885
  SHA256: 6fd5db61455d99800b2eccd8b1176fa9809207c3c50d1f42da5146806909b4fd
  SHA512: ee931d036fa644ae2918acf8186feab3698eac49f0f44059cc2b4f987113a2f1ccd1a51189d2ba6ddead7059ad673225fdd8d665317c1d85a861b42261f576d0
- Dropped file 2
  Filesize: 1.5MB
  MD5: 22ec14d2b15f50d872a9befc5fdf4ad4
  SHA1: f4347c8222b62b152608baeebe54776ad9cde997
  SHA256: b9c15cc65e80aa0f4332c86e8323f2a2a6840ad46a784dd6391a124a6f792590
  SHA512: 28a59bb59ee66b93b1792177f9eaef13e9696b4b4c6e5427e98608e28cd1fb56a5765dd07ccfc30651eaf79d24610b79e12d1454ef50a79ef30a0074aa5f5240