Analysis
- max time kernel: 117s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 17-07-2024 01:22
Behavioral task: behavioral1
- Sample: 116ffac45f9bd4ba42fcd8910c4fc3fa7502eccf957e7712f8d39dd4903df26c.exe
- Resource: win7-20240705-en
Behavioral task: behavioral2
- Sample: 116ffac45f9bd4ba42fcd8910c4fc3fa7502eccf957e7712f8d39dd4903df26c.exe
- Resource: win10v2004-20240709-en
General
- Target: 116ffac45f9bd4ba42fcd8910c4fc3fa7502eccf957e7712f8d39dd4903df26c.exe
- Size: 70.0MB
- MD5: 9384fc87b1b8950dae046d3429248017
- SHA1: f9e1a45fc09d11d40fba13b4060856b3bcc89e39
- SHA256: 116ffac45f9bd4ba42fcd8910c4fc3fa7502eccf957e7712f8d39dd4903df26c
- SHA512: 8b47c006c8ce9f90d8a46e1707993477520cabb814b734b52b87256c84e106c0a0e615d1e3c9bb38dfb01e8de56e542944270a90be68318e77660dbc338f3f34
- SSDEEP: 24576:Q9Hs4MROxnF95bYmfFhQhrZlI0AilFEvxHiDJ:IH/MiKhrZlI0AilFEvxHi
Signatures
- Suspicious use of WriteProcessMemory (6 IoCs)
Processes involved: 116ffac45f9bd4ba42fcd8910c4fc3fa7502eccf957e7712f8d39dd4903df26c.exe, csc.exe

description                          | pid  | Process                                                               | procid_target
PID 1948 wrote to memory of 2220     | 1948 | 116ffac45f9bd4ba42fcd8910c4fc3fa7502eccf957e7712f8d39dd4903df26c.exe | 31
PID 1948 wrote to memory of 2220     | 1948 | 116ffac45f9bd4ba42fcd8910c4fc3fa7502eccf957e7712f8d39dd4903df26c.exe | 31
PID 1948 wrote to memory of 2220     | 1948 | 116ffac45f9bd4ba42fcd8910c4fc3fa7502eccf957e7712f8d39dd4903df26c.exe | 31
PID 2220 wrote to memory of 3068     | 2220 | csc.exe                                                               | 33
PID 2220 wrote to memory of 3068     | 2220 | csc.exe                                                               | 33
PID 2220 wrote to memory of 3068     | 2220 | csc.exe                                                               | 33
Processes (tree, depth 1 to 3)
1. C:\Users\Admin\AppData\Local\Temp\116ffac45f9bd4ba42fcd8910c4fc3fa7502eccf957e7712f8d39dd4903df26c.exe (PID 1948)
   Command line: "C:\Users\Admin\AppData\Local\Temp\116ffac45f9bd4ba42fcd8910c4fc3fa7502eccf957e7712f8d39dd4903df26c.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe (PID 2220)
      Command line: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\eldquoef.cmdline"
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe (PID 3068)
         Command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF059.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF058.tmp"
Downloads