Analysis

max time kernel: 139s
max time network: 159s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-06-2024 08:16

Static task: static1

Behavioral task: behavioral1
  Sample: c31593901343aabce327ff867f8963a3bcaefe318c96478a6b582a441c2c037f.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: c31593901343aabce327ff867f8963a3bcaefe318c96478a6b582a441c2c037f.exe
  Resource: win10v2004-20240226-en
General

Target: c31593901343aabce327ff867f8963a3bcaefe318c96478a6b582a441c2c037f.exe
Size: 12.7MB
MD5: 8b1b5c712d46a6bc97efd3338817757d
SHA1: 5f9309bf3f91bf4c6300b56f1337593974d6e3cd
SHA256: c31593901343aabce327ff867f8963a3bcaefe318c96478a6b582a441c2c037f
SHA512: 66fcbea3cce22dccdffafbaf2b293974d06fe1cee7edea3a077903b8b4b8dcfc10ea891f8752899eeb76d3897b6cbdf31f32138c0e3efde67236ed1a72075398
SSDEEP: 196608:gXto1bCsgNvDTo+DN3SZdmbuJ1BQNpNWveYQb0ZsL+qCOtYBoaCcFBmPfHpuB:GRNLTLN3SZ8buJwY2YdsNCOzadBm5U
Malware Config

Signatures

- Executes dropped EXE (1 IoC)
  pid   Process
  3536  1F0E0E0F120A156A155B15E0B0B160A0C160C.exe

- Loads dropped DLL (1 IoC)
  pid   Process
  3536  1F0E0E0F120A156A155B15E0B0B160A0C160C.exe

- YARA rule matches
  resource                                                                     yara_rule
  behavioral2/files/0x000300000000070d-33.dat                                  vmprotect
  behavioral2/memory/3536-37-0x0000000073450000-0x000000007377D000-memory.dmp  vmprotect

- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid   Process
  2260  c31593901343aabce327ff867f8963a3bcaefe318c96478a6b582a441c2c037f.exe
  3536  1F0E0E0F120A156A155B15E0B0B160A0C160C.exe

- Suspicious behavior: EnumeratesProcesses (32 IoCs)
  pid   Process
  2260  c31593901343aabce327ff867f8963a3bcaefe318c96478a6b582a441c2c037f.exe (16 entries)
  3536  1F0E0E0F120A156A155B15E0B0B160A0C160C.exe (16 entries)

- Suspicious use of SetWindowsHookEx (4 IoCs)
  pid   Process
  2260  c31593901343aabce327ff867f8963a3bcaefe318c96478a6b582a441c2c037f.exe (2 entries)
  3536  1F0E0E0F120A156A155B15E0B0B160A0C160C.exe (2 entries)

- Suspicious use of WriteProcessMemory (3 IoCs)
  description                        pid   Process                                                                procid_target
  PID 2260 wrote to memory of 3536   2260  c31593901343aabce327ff867f8963a3bcaefe318c96478a6b582a441c2c037f.exe  91
  PID 2260 wrote to memory of 3536   2260  c31593901343aabce327ff867f8963a3bcaefe318c96478a6b582a441c2c037f.exe  91
  PID 2260 wrote to memory of 3536   2260  c31593901343aabce327ff867f8963a3bcaefe318c96478a6b582a441c2c037f.exe  91
Processes

1. C:\Users\Admin\AppData\Local\Temp\c31593901343aabce327ff867f8963a3bcaefe318c96478a6b582a441c2c037f.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\c31593901343aabce327ff867f8963a3bcaefe318c96478a6b582a441c2c037f.exe"
   PID: 2260
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\1F0E0E0F120A156A155B15E0B0B160A0C160C.exe (child of PID 2260)
      Command line: C:\Users\Admin\AppData\Local\Temp\1F0E0E0F120A156A155B15E0B0B160A0C160C.exe
      PID: 3536
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx

1. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
   Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3668 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
   PID: 948
Network
MITRE ATT&CK Matrix
Downloads

- Filesize: 12.7MB
  MD5: fc621d4a96b1f5a78d1572425e781341
  SHA1: 9eda2e7aac28052a66dc3a8ebc553257d3560af1
  SHA256: 2a4a270b899fee6e524bae68b3c02353cb5c5a8a197c7ebada9c1390d10e8d70
  SHA512: 69b6cbc331bb100da5eff918860df5bd01adcd146c2f98fbc36352f715835ee7c4c8751350fa3743c557df75177f8c696ed58ccf287a675fb0eeeff46b4f58d4

- Filesize: 1.5MB
  MD5: 22ec14d2b15f50d872a9befc5fdf4ad4
  SHA1: f4347c8222b62b152608baeebe54776ad9cde997
  SHA256: b9c15cc65e80aa0f4332c86e8323f2a2a6840ad46a784dd6391a124a6f792590
  SHA512: 28a59bb59ee66b93b1792177f9eaef13e9696b4b4c6e5427e98608e28cd1fb56a5765dd07ccfc30651eaf79d24610b79e12d1454ef50a79ef30a0074aa5f5240