Analysis

max time kernel: 96s
max time network: 106s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 21:38
Tasks

| Task | Type | Sample | Resource |
|---|---|---|---|
| static1 | Static task | - | - |
| behavioral1 | Behavioral task | Release.zip | win7-20240903-en |
| behavioral2 | Behavioral task | Release.zip | win10v2004-20241007-en |
| behavioral3 | Behavioral task | Setup.txt | win7-20240903-en |
| behavioral4 | Behavioral task | Setup.txt | win10v2004-20241007-en |
| behavioral5 | Behavioral task | emu/878321.exe | win7-20241010-en |
| behavioral6 | Behavioral task | emu/878321.exe | win10v2004-20241007-en |
| behavioral7 | Behavioral task | emu/KeyAuthEmulator.exe | win7-20240903-en |
| behavioral8 | Behavioral task | emu/KeyAuthEmulator.exe | win10v2004-20241007-en |
| behavioral9 | Behavioral task | emu/KeyAuthEmulator.exe | win7-20240729-en |
| behavioral10 | Behavioral task | emu/KeyAuthEmulator.exe | win10v2004-20241007-en |
| behavioral11 | Behavioral task | index.html | win7-20241010-en |
| behavioral12 | Behavioral task | index.html | win10v2004-20241007-en |
| behavioral13 | Behavioral task | loader3.exe | win7-20240903-en |
| behavioral14 | Behavioral task | loader3.exe | win10v2004-20241007-en |
General

Target: loader3.exe
Size: 2.0MB
MD5: c1afc5729255d68bf6f7ac02e43935dc
SHA1: ca62f75238efa0daf3521e2df1a44fc6a7784315
SHA256: 6cdb812daba9157f3c51ebdda2b38268f32c7ca4048e7c4364c5b354a32a0ba0
SHA512: 476a301a51893a79c1916ab9f45c0d45c89e8b3e81bf8108c6ac305fc602be2c720ad6cc88393b300824895d30add2454afbe4d7e1a282510e0430f4973f9fe0
SSDEEP: 24576:Gu3Gf0zS31XOG9mqgTlA4ZgW4u+T3NT8eQnwuGKFh8fd6ellpC+bKlANc06OO:Gr8O3cGUqqGtZIdnV39GT1
Malware Config

(none)

Signatures

Delays execution with timeout.exe (1 IoCs)

| pid | Process |
|---|---|
| 3588 | timeout.exe |

Suspicious use of WriteProcessMemory (14 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 468 wrote to memory of 3436 | 468 | loader3.exe | 84 |
| PID 468 wrote to memory of 3436 | 468 | loader3.exe | 84 |
| PID 3436 wrote to memory of 3612 | 3436 | cmd.exe | 85 |
| PID 3436 wrote to memory of 3612 | 3436 | cmd.exe | 85 |
| PID 3436 wrote to memory of 5092 | 3436 | cmd.exe | 86 |
| PID 3436 wrote to memory of 5092 | 3436 | cmd.exe | 86 |
| PID 3436 wrote to memory of 3728 | 3436 | cmd.exe | 87 |
| PID 3436 wrote to memory of 3728 | 3436 | cmd.exe | 87 |
| PID 468 wrote to memory of 4944 | 468 | loader3.exe | 92 |
| PID 468 wrote to memory of 4944 | 468 | loader3.exe | 92 |
| PID 4944 wrote to memory of 5052 | 4944 | cmd.exe | 93 |
| PID 4944 wrote to memory of 5052 | 4944 | cmd.exe | 93 |
| PID 5052 wrote to memory of 3588 | 5052 | cmd.exe | 97 |
| PID 5052 wrote to memory of 3588 | 5052 | cmd.exe | 97 |
Processes

- C:\Users\Admin\AppData\Local\Temp\loader3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\loader3.exe"
  PID: 468
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\loader3.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
    PID: 3436
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\certutil.exe
      Command line: certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\loader3.exe" MD5
      PID: 3612
    - C:\Windows\system32\find.exe
      Command line: find /i /v "md5"
      PID: 5092
    - C:\Windows\system32\find.exe
      Command line: find /i /v "certutil"
      PID: 3728
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo Couldn't connect to server && timeout /t 5"
    PID: 4944
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\cmd.exe
      Command line: cmd /C "color b && title Error && echo Couldn't connect to server && timeout /t 5"
      PID: 5052
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\timeout.exe
        Command line: timeout /t 5
        PID: 3588
        Signatures: Delays execution with timeout.exe