Overview

overview

5

Static

static

3

artifact.exe

windows10-2004-x64

5

Analysis

  • max time kernel
    13s
  • max time network
    18s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-07-2024 01:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    artifact.exe

  • Size

    5.8MB

  • MD5

    b34832a7f3afd72e6c12bdf9d873c8da

  • SHA1

    fbeca3d9eff1bcc51b01a9f8c4f6e9bbe9256f49

  • SHA256

    cb107e6cc802da3127dd5c0cf2b5fc334284473e0d01499b829e821ff57a39e7

  • SHA512

    6931ee8c8d04e66443311e2133b6a3186f78be794ca407beea93df2840168818517def2c8272cafcde33ba051b676af10a69be238c81aba8f1946bd3f92c0b31

  • SSDEEP

    98304:vnqJy0HVvs0ncHmLrfXyDoxMxCjCMudoFyBb6bskVAjCVAGdmuL6yd+fTVBX:fMySxXckrmox3jCddoFyJ6btO2VAGvJC

Score
5/10

Malware Config

Signatures

  • Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\artifact.exe
    "C:\Users\Admin\AppData\Local\Temp\artifact.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2112
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\artifact.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3344
      • C:\Windows\system32\certutil.exe
        certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\artifact.exe" MD5
        3⤵
          PID:3152
        • C:\Windows\system32\find.exe
          find /i /v "md5"
          3⤵
            PID:1992
          • C:\Windows\system32\find.exe
            find /i /v "certutil"
            3⤵
              PID:2464
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo You need to run the KeyAuthApp.init(); function before any other KeyAuth functions && timeout /t 5"
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:3032
            • C:\Windows\system32\cmd.exe
              cmd /C "color b && title Error && echo You need to run the KeyAuthApp.init(); function before any other KeyAuth functions && timeout /t 5"
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:4232
              • C:\Windows\system32\timeout.exe
                timeout /t 5
                4⤵
                • Delays execution with timeout.exe
                PID:4220

        Network

        MITRE ATT&CK Matrix

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/2112-0-0x000000014010A000-0x0000000140549000-memory.dmp

          Filesize

          4.2MB

          Download

        • memory/2112-1-0x0000000140000000-0x0000000140B21000-memory.dmp

          Filesize

          11.1MB

          Download

        • memory/2112-2-0x00007FF8887D0000-0x00007FF8887D2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2112-3-0x00007FF8887E0000-0x00007FF8887E2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2112-4-0x0000000140000000-0x0000000140B21000-memory.dmp

          Filesize

          11.1MB

          Download

        • memory/2112-8-0x000000014010A000-0x0000000140549000-memory.dmp

          Filesize

          4.2MB

          Download

        • memory/2112-9-0x0000000140000000-0x0000000140B21000-memory.dmp

          Filesize

          11.1MB

          Download