Analysis
  max time kernel: 140s
  max time network: 150s
  platform: windows10-2004_x64
  resource: win10v2004-20240709-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 17-07-2024 01:22
Behavioral task: behavioral1
  Sample: 116ffac45f9bd4ba42fcd8910c4fc3fa7502eccf957e7712f8d39dd4903df26c.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 116ffac45f9bd4ba42fcd8910c4fc3fa7502eccf957e7712f8d39dd4903df26c.exe
  Resource: win10v2004-20240709-en
General
  Target: 116ffac45f9bd4ba42fcd8910c4fc3fa7502eccf957e7712f8d39dd4903df26c.exe
  Size: 70.0MB
  MD5: 9384fc87b1b8950dae046d3429248017
  SHA1: f9e1a45fc09d11d40fba13b4060856b3bcc89e39
  SHA256: 116ffac45f9bd4ba42fcd8910c4fc3fa7502eccf957e7712f8d39dd4903df26c
  SHA512: 8b47c006c8ce9f90d8a46e1707993477520cabb814b734b52b87256c84e106c0a0e615d1e3c9bb38dfb01e8de56e542944270a90be68318e77660dbc338f3f34
  SSDEEP: 24576:Q9Hs4MROxnF95bYmfFhQhrZlI0AilFEvxHiDJ:IH/MiKhrZlI0AilFEvxHi
Malware Config
Signatures
- Drops desktop.ini file(s) (2 IoCs)
  Process: 116ffac45f9bd4ba42fcd8910c4fc3fa7502eccf957e7712f8d39dd4903df26c.exe
    File opened for modification   C:\Windows\assembly\Desktop.ini
    File created                   C:\Windows\assembly\Desktop.ini
- Drops file in Windows directory (3 IoCs)
  Process: 116ffac45f9bd4ba42fcd8910c4fc3fa7502eccf957e7712f8d39dd4903df26c.exe
    File opened for modification   C:\Windows\assembly
    File created                   C:\Windows\assembly\Desktop.ini
    File opened for modification   C:\Windows\assembly\Desktop.ini
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: 116ffac45f9bd4ba42fcd8910c4fc3fa7502eccf957e7712f8d39dd4903df26c.exe, csc.exe
    description                        pid   process                                                                 procid_target
    PID 3232 wrote to memory of 4012   3232  116ffac45f9bd4ba42fcd8910c4fc3fa7502eccf957e7712f8d39dd4903df26c.exe   87
    PID 3232 wrote to memory of 4012   3232  116ffac45f9bd4ba42fcd8910c4fc3fa7502eccf957e7712f8d39dd4903df26c.exe   87
    PID 4012 wrote to memory of 5028   4012  csc.exe                                                                 89
    PID 4012 wrote to memory of 5028   4012  csc.exe                                                                 89
Processes
  C:\Users\Admin\AppData\Local\Temp\116ffac45f9bd4ba42fcd8910c4fc3fa7502eccf957e7712f8d39dd4903df26c.exe  (PID 3232)
    command line: "C:\Users\Admin\AppData\Local\Temp\116ffac45f9bd4ba42fcd8910c4fc3fa7502eccf957e7712f8d39dd4903df26c.exe"
    signatures: Drops desktop.ini file(s); Drops file in Windows directory; Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe  (PID 4012, child of 3232)
      command line: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fizlmglt.cmdline"
      signatures: Suspicious use of WriteProcessMemory
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe  (PID 5028, child of 4012)
        command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA401.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA400.tmp"
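The process tree above (sample -> csc.exe with an @...\Temp\*.cmdline response file -> cvtres.exe writing RES*.tmp/CSC*.tmp) is the footprint left by the .NET CodeDOM compiler when a program compiles C# source at runtime, which is how many .NET droppers build their next stage on the victim host rather than carrying it as a file. The detector below is an added example, not code from the sandbox or the report: it scans process-creation records for csc.exe launched by something other than build tooling with a response file in a user-writable scratch directory, and attaches any cvtres.exe child as corroboration. The event records are constructed to mirror the PIDs and command lines in this report plus two benign launches; the field names (pid, ppid, image, parent_image, cmdline) are an assumption modelled on Sysmon Event ID 1 exports, and the parent allowlist is an assumption to tune per environment.

```python
"""Runtime C# compilation detector (added example, not part of the sandbox report).

Flags csc.exe launched outside normal build tooling with a response file
(@...) in a user-writable temp directory, the chain seen in the report's
process tree. Records and field names are CONSTRUCTED to resemble Sysmon
Event ID 1 (ProcessCreate) exports; the allowlist is an assumption.
"""
import ntpath
import re
from dataclasses import dataclass, field

# Parents that legitimately drive csc.exe during builds (assumed allowlist; tune per estate).
ALLOWED_PARENTS = {"devenv.exe", "msbuild.exe", "vbcscompiler.exe", "dotnet.exe"}

# csc.exe response-file argument, quoted or not: @"C:\x\y.cmdline" or @C:\x\y.rsp
RESPONSE_FILE_RE = re.compile(r'@"?(?P<path>[^"\s]+\.(?:cmdline|rsp))"?', re.IGNORECASE)

# User-writable scratch locations a dropper usually compiles from
SCRATCH_DIR_RE = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp|ProgramData)\\", re.IGNORECASE)


@dataclass
class Finding:
    csc_pid: int
    parent_image: str
    response_file: str
    cvtres_pids: list = field(default_factory=list)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath works on any host OS)."""
    return ntpath.basename(path).lower()


def find_runtime_compilation(events: list) -> list:
    """Return one Finding per suspicious csc.exe launch found in `events`."""
    by_pid = {e["pid"]: e for e in events}
    children: dict = {}
    for e in events:
        children.setdefault(e["ppid"], []).append(e)

    findings = []
    for e in events:
        if basename(e["image"]) != "csc.exe":
            continue
        m = RESPONSE_FILE_RE.search(e["cmdline"])
        if m is None:
            continue  # no response file: not the CodeDOM pattern this rule targets
        response_file = m.group("path")
        # Prefer the logged parent image; fall back to the parent's own record
        parent_image = e.get("parent_image") or by_pid.get(e["ppid"], {}).get("image", "")
        if basename(parent_image) in ALLOWED_PARENTS:
            continue  # build tooling: extend the allowlist rather than loosening the path check
        if SCRATCH_DIR_RE.search(response_file) is None:
            continue  # compiling from a source tree, not from a scratch directory
        cvtres_pids = [c["pid"] for c in children.get(e["pid"], [])
                       if basename(c["image"]) == "cvtres.exe"]
        findings.append(Finding(e["pid"], parent_image, response_file, cvtres_pids))
    return findings


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\116ffac45f9bd4ba42fcd8910c4fc3fa7502eccf957e7712f8d39dd4903df26c.exe"
NET20 = r"C:\Windows\Microsoft.NET\Framework64\v2.0.50727"

# CONSTRUCTED records mirroring the report's PIDs and command lines, plus two benign launches
SAMPLE_EVENTS = [
    {"pid": 3232, "ppid": 1000, "image": SAMPLE, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": '"' + SAMPLE + '"'},
    {"pid": 4012, "ppid": 3232, "image": NET20 + r"\csc.exe", "parent_image": SAMPLE,
     "cmdline": '"' + NET20 + r'\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fizlmglt.cmdline"'},
    {"pid": 5028, "ppid": 4012, "image": NET20 + r"\cvtres.exe", "parent_image": NET20 + r"\csc.exe",
     "cmdline": NET20 + r'\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA401.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA400.tmp"'},
    # benign: MSBuild driving the compiler with a response file under the project's obj\ directory
    {"pid": 6100, "ppid": 6000, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "parent_image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmdline": r'csc.exe /noconfig @"C:\src\app\obj\Debug\app.csproj.rsp"'},
    # benign: a developer invoking csc.exe by hand from a shell, no response file at all
    {"pid": 6200, "ppid": 6150, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'csc.exe /out:C:\Users\Admin\AppData\Local\Temp\hello.exe hello.cs'},
]

if __name__ == "__main__":
    for f in find_runtime_compilation(SAMPLE_EVENTS):
        print(f"csc.exe PID {f.csc_pid} launched by {f.parent_image} with {f.response_file}; "
              f"cvtres.exe children: {f.cvtres_pids}")
```

Only the report's csc.exe launch (PID 4012, parent = the sample, response file fizlmglt.cmdline, cvtres.exe child 5028) is reported; the MSBuild launch is allowlisted and the hand-typed compile carries no response file. The WriteProcessMemory signature in the report is the ordinary parent-to-child write that accompanies process creation and is not itself evidence of injection, so the chain and the response-file location, not that signature, carry the detection weight.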
Network
MITRE ATT&CK Matrix
Downloads
  1. Filesize: 1KB
     MD5: 640700c8455075fdf9c87bc262599c34
     SHA1: 6fc38048c9fe3c4fe0f0223d4c66474e6667a5f4
     SHA256: 51da1d629553abcdb59184af0eb347fc5d8ca0eb0411026f2d2bdd01c86e298f
     SHA512: 1e196ec09df9899586eb80c698049e8eff69a15d1d06581905620d100a8e003545ce8ddaf101dc621c1404096a260185023196cd6a7bf09bfb8b58b620562f15
  2. Filesize: 76KB
     MD5: 6f6fb3e1f9fd621217c240d5bbcc3034
     SHA1: a25e8fc1d488b0ae9c38b517c084429d43c4f7d1
     SHA256: 689e7047dfc555ebacb2ef6902c0b97621fe45a0e9fb142718a430f958cf4be0
     SHA512: 3996fa5fb369c866a9b88bd934d330748974661add3b98df93b930885952f25e69be854639320ddc326971a0c18cc12b907b1081d54047f353ec11eb7639092c
  3. Filesize: 676B
     MD5: 7c1cb68e127e2d4094ce04a8d6a2d965
     SHA1: aadef8918c42ecdd08d0297255cb390ec88862d6
     SHA256: 4d5f37cac4a159cbaf5c85fcfcead16d843c1a855db4fc826276ef2b19929a23
     SHA512: 78e5351386d1404a1d9ec46e4afd60579bfef0dd9292eea08879325466ff565529ce16acb242d9ef79e7938fe918551f6bcabbd8c79867c7757f7755f0836447
  4. Filesize: 208KB
     MD5: d2f835edc893e31d68d71de27be5cd01
     SHA1: b3b3e814f19dbf91ba0e8740bf23da43a474406c
     SHA256: e1bb35ba40ce554ccfeedc5f227e7f68c631616e415240eba8d637380f7b0afb
     SHA512: 0939f3e6d9723c59eef248086d7ce13751cf9b8c30f8b21aa37ba97ae2989644bb5c2840f13e224c104ab493c35a8de4a1450cac35d0ad21a17cd1518fa50b9a
  5. Filesize: 349B
     MD5: f79a45d75b1b8fed7d57f7118082a28f
     SHA1: 141dbed55ba57b81ec3120a2b1c7ba8f871f8b79
     SHA256: b3f8f7f8be6be5753311ec09941969279a6490b5a8a719e36b996b0cceea479a
     SHA512: fbc0b296577ef8af20d2c17bf73e48d599e57daf2bda0d40ffc1ec12dd69223c51cb25dd4871cc6fc69c419afe3c369b6e4e585338dc88b8ceffd82fbde8dac8