Analysis
- max time kernel: 118s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 26-06-2024 08:16
Static task: static1
Behavioral task: behavioral1
- Sample: c31593901343aabce327ff867f8963a3bcaefe318c96478a6b582a441c2c037f.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: c31593901343aabce327ff867f8963a3bcaefe318c96478a6b582a441c2c037f.exe
- Resource: win10v2004-20240226-en
General
- Target: c31593901343aabce327ff867f8963a3bcaefe318c96478a6b582a441c2c037f.exe
- Size: 12.7MB
- MD5: 8b1b5c712d46a6bc97efd3338817757d
- SHA1: 5f9309bf3f91bf4c6300b56f1337593974d6e3cd
- SHA256: c31593901343aabce327ff867f8963a3bcaefe318c96478a6b582a441c2c037f
- SHA512: 66fcbea3cce22dccdffafbaf2b293974d06fe1cee7edea3a077903b8b4b8dcfc10ea891f8752899eeb76d3897b6cbdf31f32138c0e3efde67236ed1a72075398
- SSDEEP: 196608:gXto1bCsgNvDTo+DN3SZdmbuJ1BQNpNWveYQb0ZsL+qCOtYBoaCcFBmPfHpuB:GRNLTLN3SZ8buJwY2YdsNCOzadBm5U
Signatures
- Executes dropped EXE (1 IoC)
  pid 2808: 1E0A0C0B120A156E155A15D0F0D160B0D160D.exe
- Loads dropped DLL (2 IoCs)
  pid 1644: c31593901343aabce327ff867f8963a3bcaefe318c96478a6b582a441c2c037f.exe
  pid 2808: 1E0A0C0B120A156E155A15D0F0D160B0D160D.exe
- YARA rule match
  resource behavioral1/files/0x0004000000004ed7-88.dat, yara_rule vmprotect
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid 1644: c31593901343aabce327ff867f8963a3bcaefe318c96478a6b582a441c2c037f.exe
  pid 2808: 1E0A0C0B120A156E155A15D0F0D160B0D160D.exe
- Suspicious behavior: EnumeratesProcesses (16 IoCs)
  pid 1644: c31593901343aabce327ff867f8963a3bcaefe318c96478a6b582a441c2c037f.exe (8 hits)
  pid 2808: 1E0A0C0B120A156E155A15D0F0D160B0D160D.exe (8 hits)
- Suspicious use of SetWindowsHookEx (4 IoCs)
  pid 1644: c31593901343aabce327ff867f8963a3bcaefe318c96478a6b582a441c2c037f.exe (2 hits)
  pid 2808: 1E0A0C0B120A156E155A15D0F0D160B0D160D.exe (2 hits)
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 1644 (c31593901343aabce327ff867f8963a3bcaefe318c96478a6b582a441c2c037f.exe) wrote to memory of PID 2808, procid_target 28 (4 hits)
Processes
1. C:\Users\Admin\AppData\Local\Temp\c31593901343aabce327ff867f8963a3bcaefe318c96478a6b582a441c2c037f.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\c31593901343aabce327ff867f8963a3bcaefe318c96478a6b582a441c2c037f.exe"
   PID: 1644
   - Loads dropped DLL
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\1E0A0C0B120A156E155A15D0F0D160B0D160D.exe (nested under PID 1644)
      Command line: C:\Users\Admin\AppData\Local\Temp\1E0A0C0B120A156E155A15D0F0D160B0D160D.exe
      PID: 2808
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
Downloads
- Filesize: 12.7MB
  MD5: 075aca639797adb4e31f283b4de0ff9e
  SHA1: 150cec1ba5c8763d96f8b1e2b22e5dc0aa1adede
  SHA256: d6cf2c3101168b34873f56661c425e984b95a46d0944f16e4ed72df17ac1e46b
  SHA512: a7e418956ad9f885e2b2b3d5b1b2a3e636da24d4c44a14502979f29afd72448ae884e97b0d515e8f476a818a6424beb4a0ce6d03bdd733db79a9315a347861c2
- Filesize: 1.5MB
  MD5: 22ec14d2b15f50d872a9befc5fdf4ad4
  SHA1: f4347c8222b62b152608baeebe54776ad9cde997
  SHA256: b9c15cc65e80aa0f4332c86e8323f2a2a6840ad46a784dd6391a124a6f792590
  SHA512: 28a59bb59ee66b93b1792177f9eaef13e9696b4b4c6e5427e98608e28cd1fb56a5765dd07ccfc30651eaf79d24610b79e12d1454ef50a79ef30a0074aa5f5240