Analysis
max time kernel: 151s
max time network: 162s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-07-2024 15:17
Static task: static1
Behavioral task: behavioral1
  Sample: AppGitHub/App.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: AppGitHub/App.exe
  Resource: win10v2004-20240709-en
General
Target: AppGitHub/App.exe
Size: 24.2MB
MD5: e9375068b29318e25281d4fa36b2bf31
SHA1: bbf93b5d9aa19293df332caf8866e5ad9b871787
SHA256: 964ed02573d0cf5741deda31cd7051e15d491a39aa610c5362e244832cc104bc
SHA512: 37dfb04705b74b9d5e09f7082c5da42b724d02e594ea215aa857f64b2a9009ed525992d5e29891a0a55427a355a72e4505ed61b15e733648ee83c39474417009
SSDEEP: 98304:IXG4ks4BPCuS3tqRi1jg7AEb/lp+LRpPoTP29Fc6clyzl/pdlOXwIJbYSTK460fs:MJHXhVTWNDu1ka2IUi+bBV3tE+EDaW6
Malware Config
Extracted
Protocol: ftp
Host: 94.156.8.173
Port: 21
Username: anonymous
Password: anonymous@
Signatures

Executes dropped EXE (1 IoC)
pid   Process
4688  update.exe

Suspicious use of SetThreadContext (1 IoC)
description                        pid   Process     procid_target
PID 4688 set thread context of 32  4688  update.exe  92

Suspicious use of WriteProcessMemory (17 IoCs)
description                        pid   Process     procid_target
PID 4408 wrote to memory of 1928   4408  App.exe     88
PID 4408 wrote to memory of 1928   4408  App.exe     88
PID 1928 wrote to memory of 4688   1928  cmd.exe     90
PID 1928 wrote to memory of 4688   1928  cmd.exe     90
PID 1928 wrote to memory of 4688   1928  cmd.exe     90
PID 4688 wrote to memory of 452    4688  update.exe  91
PID 4688 wrote to memory of 452    4688  update.exe  91
PID 4688 wrote to memory of 452    4688  update.exe  91
PID 4688 wrote to memory of 32     4688  update.exe  92
PID 4688 wrote to memory of 32     4688  update.exe  92
PID 4688 wrote to memory of 32     4688  update.exe  92
PID 4688 wrote to memory of 32     4688  update.exe  92
PID 4688 wrote to memory of 32     4688  update.exe  92
PID 4688 wrote to memory of 32     4688  update.exe  92
PID 4688 wrote to memory of 32     4688  update.exe  92
PID 4688 wrote to memory of 32     4688  update.exe  92
PID 4688 wrote to memory of 32     4688  update.exe  92
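The two signature tables above are what makes this report interesting: update.exe writes into a freshly spawned RegAsm.exe and then calls SetThreadContext on it, which is the classic WriteProcessMemory + SetThreadContext sequence of process hollowing, while the first RegAsm.exe (PID 452) only receives writes. The script below is an added example, not Triage's code and not part of the original report: it parses the rows exactly as they appear in this report (copied inline), rebuilds the parent/child relationships from the cross-process writes, and reports only the source/target pairs that received both a write and a thread-context change. The assumed row layout (description, pid, Process, procid_target) and the regular expression that matches it are assumptions about how the table flattens to text.

```python
"""Detection logic over the rows in this report's Signatures section.

Added example, not Triage's code and not part of the original report. The
rows below are copied from the report; the column order (description, pid,
Process, procid_target) and the regular expression are assumptions about how
that table flattens to text.
"""
import re
from collections import Counter, defaultdict

# Copied from "Suspicious use of WriteProcessMemory (17 IoCs)", one row per call.
WRITE_ROWS = """\
PID 4408 wrote to memory of 1928 4408 App.exe 88
PID 4408 wrote to memory of 1928 4408 App.exe 88
PID 1928 wrote to memory of 4688 1928 cmd.exe 90
PID 1928 wrote to memory of 4688 1928 cmd.exe 90
PID 1928 wrote to memory of 4688 1928 cmd.exe 90
PID 4688 wrote to memory of 452 4688 update.exe 91
PID 4688 wrote to memory of 452 4688 update.exe 91
PID 4688 wrote to memory of 452 4688 update.exe 91
PID 4688 wrote to memory of 32 4688 update.exe 92
PID 4688 wrote to memory of 32 4688 update.exe 92
PID 4688 wrote to memory of 32 4688 update.exe 92
PID 4688 wrote to memory of 32 4688 update.exe 92
PID 4688 wrote to memory of 32 4688 update.exe 92
PID 4688 wrote to memory of 32 4688 update.exe 92
PID 4688 wrote to memory of 32 4688 update.exe 92
PID 4688 wrote to memory of 32 4688 update.exe 92
PID 4688 wrote to memory of 32 4688 update.exe 92
"""
# Copied from "Suspicious use of SetThreadContext (1 IoC)".
CONTEXT_ROWS = "PID 4688 set thread context of 32 4688 update.exe 92\n"

# Assumed row layout: "<description> <pid> <Process> <procid_target>".
ROW_RE = re.compile(
    r"PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P<pid>\d+) (?P<proc>\S+) (?P<target>\d+)$"
)


def parse_rows(text):
    """Return (src_pid, action, dst_pid, src_process) per non-empty row."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised row: {line!r}")
        if m["src"] != m["pid"]:
            raise ValueError(f"description PID and pid column disagree: {line!r}")
        events.append((int(m["src"]), m["action"], int(m["dst"]), m["proc"]))
    return events


def process_tree(events):
    """Parent -> {children}, reconstructed from cross-process memory writes.

    For this report the write edges coincide with the spawn tree shown in the
    Processes section (App.exe -> cmd.exe -> update.exe -> RegAsm.exe x2).
    """
    tree = defaultdict(set)
    for src, _, dst, _ in events:
        if src != dst:
            tree[src].add(dst)
    return dict(tree)


def hollowing_candidates(events):
    """Pairs where one process both wrote into another and set its thread
    context, i.e. the WriteProcessMemory + SetThreadContext sequence used by
    process hollowing. Maps (src_pid, dst_pid) -> (src_process, write_count).
    A target that only received writes (PID 452 here) is not reported.
    """
    writes, names, context = Counter(), {}, set()
    for src, action, dst, proc in events:
        names[src] = proc
        if action == "wrote to memory of":
            writes[(src, dst)] += 1
        else:
            context.add((src, dst))
    return {k: (names[k[0]], writes[k]) for k in sorted(context) if writes[k]}


if __name__ == "__main__":
    evs = parse_rows(WRITE_ROWS) + parse_rows(CONTEXT_ROWS)
    print("tree:", process_tree(evs))
    for (src, dst), (proc, n) in hollowing_candidates(evs).items():
        print(f"{proc} (PID {src}) wrote {n}x into PID {dst} and set its thread context")
```

Run as-is it prints the spawn tree and a single finding for update.exe (PID 4688) against RegAsm.exe (PID 32); the earlier RegAsm.exe (PID 452) is deliberately left out because the report records no SetThreadContext against it, which is the distinction an analyst wants when triaging which of the two RegAsm.exe instances actually carries the injected payload.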
Processes
1. C:\Users\Admin\AppData\Local\Temp\AppGitHub\App.exe (PID 4408)
   Command line: "C:\Users\Admin\AppData\Local\Temp\AppGitHub\App.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\cmd.exe (PID 1928)
      Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmpy8ucgmus\update.exe
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\tmpy8ucgmus\update.exe (PID 4688)
         Command line: C:\Users\Admin\AppData\Local\Temp\tmpy8ucgmus\update.exe
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 452)
            Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
         4. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 32)
            Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 950KB
MD5: 0ef9fa7e80197f4f860e2874e1066c2e
SHA1: 856bd2bac73a39ac20864f90dc94484c35b17e0e
SHA256: a3755d2a59b820a235bc610c4852946f90590c00d2053595f0040f6339dc300e
SHA512: 2285e82c879eb239777338b352e2d97023c00ff26797aece4ee0fc5f3155b0159acd1a1808cfefa9e0064c1a7ed17a205545486c2d14495a23de6508c08533cb