Analysis
max time kernel: 121s
max time network: 121s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 16-07-2024 01:05
Behavioral task: behavioral1
Sample: 29fbbdb392bbbd33f9b905d37868e9d379e0f3eea0777939c42d9e2877f250bb.exe
Resource: win7-20240705-en

Behavioral task: behavioral2
Sample: 29fbbdb392bbbd33f9b905d37868e9d379e0f3eea0777939c42d9e2877f250bb.exe
Resource: win10v2004-20240709-en
General
Target: 29fbbdb392bbbd33f9b905d37868e9d379e0f3eea0777939c42d9e2877f250bb.exe
Size: 5.0MB
MD5: b49a2bf6b7e1f66880eb1f370266955a
SHA1: a7e0eb86e23b971c504be4a786c40f127f7398ff
SHA256: 29fbbdb392bbbd33f9b905d37868e9d379e0f3eea0777939c42d9e2877f250bb
SHA512: b9aee1f61e201e620582ba44750aeb034483a92239f096035bc92c6009112ae378de2d4338ebc0c195b53ad2f18c8c31186797a476ef9a1e41aca61af8990800
SSDEEP: 24576:i9Hs4MROxnF95bYmfFhQYrZlI0AilFEvxHi3e:qH/MiKYrZlI0AilFEvxHi
Malware Config
Signatures
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: 29fbbdb392bbbd33f9b905d37868e9d379e0f3eea0777939c42d9e2877f250bb.exe, csc.exe

description | pid | Process | procid_target
PID 2880 wrote to memory of 2948 | 2880 | 29fbbdb392bbbd33f9b905d37868e9d379e0f3eea0777939c42d9e2877f250bb.exe | 31
PID 2880 wrote to memory of 2948 | 2880 | 29fbbdb392bbbd33f9b905d37868e9d379e0f3eea0777939c42d9e2877f250bb.exe | 31
PID 2880 wrote to memory of 2948 | 2880 | 29fbbdb392bbbd33f9b905d37868e9d379e0f3eea0777939c42d9e2877f250bb.exe | 31
PID 2948 wrote to memory of 1928 | 2948 | csc.exe | 33
PID 2948 wrote to memory of 1928 | 2948 | csc.exe | 33
PID 2948 wrote to memory of 1928 | 2948 | csc.exe | 33
Processes
1. C:\Users\Admin\AppData\Local\Temp\29fbbdb392bbbd33f9b905d37868e9d379e0f3eea0777939c42d9e2877f250bb.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\29fbbdb392bbbd33f9b905d37868e9d379e0f3eea0777939c42d9e2877f250bb.exe"
   PID: 2880
   Signature: Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ik6jjnxt.cmdline"
      PID: 2948
      Signature: Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
         Command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDB14.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCDB13.tmp"
         PID: 1928
Network
MITRE ATT&CK Matrix
Downloads