6f7aa061f0cee099e31ff855d8c8b24154b96ebeb5aff86b6992297fdefc38a3

Analysis

max time kernel
93s
max time network
138s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24/12/2023, 17:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

081e83bb759d494e6f25dc602776012a.exe
Size

385KB
MD5

081e83bb759d494e6f25dc602776012a
SHA1

33bc8f731c414fd2ca3fcac61c08fd7e31f32040
SHA256

6f7aa061f0cee099e31ff855d8c8b24154b96ebeb5aff86b6992297fdefc38a3
SHA512

3a94a0f420c60a6d67ae046c365d762d0caca62783f5dd44c31de60ea91f2c2c2f5399471b7e9d979b700eaa878701477b2ee4dfc74ecbc1d4884dfe600d4b6c
SSDEEP

12288:2qJ50E8dSSEG9wpYeo1bhMN3uO3majy+a5shwIz7HYXgPJzcvz72cSFmD7sGkSGr:9JuEPSEG9wp7ghMN3B3majyF5shwIz7T

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1088	081e83bb759d494e6f25dc602776012a.exe

Executes dropped EXE 1 IoCs

pid	Process
1088	081e83bb759d494e6f25dc602776012a.exe

Loads dropped DLL 1 IoCs

pid	Process
2224	081e83bb759d494e6f25dc602776012a.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2224	081e83bb759d494e6f25dc602776012a.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2224	081e83bb759d494e6f25dc602776012a.exe
1088	081e83bb759d494e6f25dc602776012a.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 1088	2224	081e83bb759d494e6f25dc602776012a.exe	31
PID 2224 wrote to memory of 1088	2224	081e83bb759d494e6f25dc602776012a.exe	31
PID 2224 wrote to memory of 1088	2224	081e83bb759d494e6f25dc602776012a.exe	31
PID 2224 wrote to memory of 1088	2224	081e83bb759d494e6f25dc602776012a.exe	31

C:\Users\Admin\AppData\Local\Temp\081e83bb759d494e6f25dc602776012a.exe
"C:\Users\Admin\AppData\Local\Temp\081e83bb759d494e6f25dc602776012a.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Users\Admin\AppData\Local\Temp\081e83bb759d494e6f25dc602776012a.exe
  C:\Users\Admin\AppData\Local\Temp\081e83bb759d494e6f25dc602776012a.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\081e83bb759d494e6f25dc602776012a.exe

Filesize
109KB

MD5
d1bf7f87571252c69b9456b4325ab708

SHA1
3a216e20576130a5e17172766ddd3550a2c19e92

SHA256
0e660095983e0b80969b631f4e801f228fd5b8b5ac61b2f40e3f7409fbe0b4c9

SHA512
ea25dcae663910cd95ad6d8de48b76bf850e3dae8d4305c75c2ab1451e2faa4e957cdc4931340f2c97364277c4a65bb8f3e0522012d255c83f3b3efaee62a96a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB0F9.tmp

Filesize
29KB

MD5
3e35b86e5efc59f18f9c4f8b3f4b43a3

SHA1
54d826cb1b2c2f94e751b0ed412e08f0eee5be77

SHA256
928df466ec2bb5af27a166b0e7cd979e2ebfd5f456e9345795e34ed5bcba2a41

SHA512
dfd92ad4b222933369e5d02249952320a560e35ff645c4c868c3a809276af7ee9d2331da842b98bc66de487a08455debea814ad88c08d81c899b1674c584ec63

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB13B.tmp

Filesize
25KB

MD5
b5004c41c0afd9284289f1ff653f0297

SHA1
71ab7a9c22770eaf4a5792420916baa1347446ef

SHA256
fa2f7e17d61c1cab2a2295296be5563572df3d541a5796b38b5450955e04644c

SHA512
8df4b6e320906c769bfcffde9244c0fbd5342599bdee12c16138918462f634b6a5ad784e70c7632c77efa4de5b3fec852f52d89653645113cc981800da309473

Download Submit
\Users\Admin\AppData\Local\Temp\081e83bb759d494e6f25dc602776012a.exe

Filesize
77KB

MD5
4868b0c2b9c2a51a6a5d2cdb0a48dbcd

SHA1
87adca8649d5e1182ef7a5ec15283e53b5bf61fc

SHA256
41c0171a371ad0432888177f9fd26384a2ff19bfbcb6b947a1d09022f9c48558

SHA512
a0cc34fc64b0b53a461c3db7f0920cc5b8a6b810d0a9dab5cdfba003ba4315fda1d788f4ec599a4b01d323301217e01ad51d70dfad8472f27ed732917ede899b

Download Submit
memory/1088-77-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1088-19-0x0000000000330000-0x0000000000396000-memory.dmp

Filesize
408KB

Download
memory/1088-23-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1088-27-0x0000000001470000-0x00000000014CF000-memory.dmp

Filesize
380KB

Download
memory/1088-82-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1088-83-0x000000000E6D0000-0x000000000E70C000-memory.dmp

Filesize
240KB

Download
memory/1088-16-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2224-13-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2224-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2224-1-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2224-2-0x0000000000310000-0x0000000000376000-memory.dmp

Filesize
408KB

Download
memory/2224-15-0x0000000000390000-0x00000000003F6000-memory.dmp

Filesize
408KB

Download