Analysis
- max time kernel: 140s
- max time network: 143s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 10-07-2024 21:11
Behavioral task: behavioral1
- Sample: 35b5e878a15bb97c25d340c5dd65f118b3467605e209741002d2cba3a813318c.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 35b5e878a15bb97c25d340c5dd65f118b3467605e209741002d2cba3a813318c.exe
- Resource: win10v2004-20240709-en
General
- Target: 35b5e878a15bb97c25d340c5dd65f118b3467605e209741002d2cba3a813318c.exe
- Size: 87KB
- MD5: 3d9ea9e6b52fee2a7b762e8de8957e15
- SHA1: 9ba4e63407c75f873aea5b1a480697319644a58c
- SHA256: 35b5e878a15bb97c25d340c5dd65f118b3467605e209741002d2cba3a813318c
- SHA512: 5f2013edb4d96ae1caaa4cac4dcc0fc0ffdbfb62d392e8a87d7d079cd31c5694a87bdccec5967a45dfada7516c08fd6b82300d18be49a56eb4b79fa14c7f0727
- SSDEEP: 1536:zeIb/GntmGcF7LVBReqx+476rVdQdpaUjmHo21yYD3H6rFgY893sLBqAOgShVKkH:zec/LGcFVsKdpaUi7yYDX6zJS9
Malware Config
Signatures
Executes dropped EXE (1 IoC)
Processes (process | PID):
- yaxkodila.exe | 1876
Loads dropped DLL (1 IoC)
Processes (process | PID):
- 35b5e878a15bb97c25d340c5dd65f118b3467605e209741002d2cba3a813318c.exe | 2548
Resources matching YARA rule "upx" (resource | yara_rule):
- behavioral1/memory/2548-0-0x0000000000400000-0x0000000000427000-memory.dmp | upx
- behavioral1/memory/2548-6-0x0000000000400000-0x0000000000427000-memory.dmp | upx
- \Users\Admin\AppData\Local\Temp\yaxkodila.exe | upx
- behavioral1/memory/1876-8-0x0000000000400000-0x0000000000427000-memory.dmp | upx
- behavioral1/memory/1876-11-0x0000000000400000-0x0000000000427000-memory.dmp | upx
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Network flows (flow | IoC):
- 4 | icanhazip.com
Suspicious use of WriteProcessMemory (4 IoCs)
Processes (description | PID | process | target process):
- PID 2548 wrote to memory of 1876 | 2548 | 35b5e878a15bb97c25d340c5dd65f118b3467605e209741002d2cba3a813318c.exe | yaxkodila.exe
- PID 2548 wrote to memory of 1876 | 2548 | 35b5e878a15bb97c25d340c5dd65f118b3467605e209741002d2cba3a813318c.exe | yaxkodila.exe
- PID 2548 wrote to memory of 1876 | 2548 | 35b5e878a15bb97c25d340c5dd65f118b3467605e209741002d2cba3a813318c.exe | yaxkodila.exe
- PID 2548 wrote to memory of 1876 | 2548 | 35b5e878a15bb97c25d340c5dd65f118b3467605e209741002d2cba3a813318c.exe | yaxkodila.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\35b5e878a15bb97c25d340c5dd65f118b3467605e209741002d2cba3a813318c.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\35b5e878a15bb97c25d340c5dd65f118b3467605e209741002d2cba3a813318c.exe"
   PID: 2548
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\yaxkodila.exe (child of process 1)
      Command line: C:\Users\Admin\AppData\Local\Temp\yaxkodila.exe
      PID: 1876
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 88KB
- MD5: caa381b913bfb5f68581fca4470b3186
- SHA1: cfc2dfef5afa425d6765cb11add1665b5a2bd017
- SHA256: c547787bc2c639de3bf724ddb43fe3612e42f21421d0375b587ff25426c69df7
- SHA512: 6f4fa228ae87e2ec606e4145962b8a894e692e88c64306fbd2334d09e0c87aff3843fe3fc10127b1acb10a6436b0532141598aa56d79979485c0eefb73ddf589