6f7aa061f0cee099e31ff855d8c8b24154b96ebeb5aff86b6992297fdefc38a3

Analysis

max time kernel
92s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2023, 17:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

081e83bb759d494e6f25dc602776012a.exe
Size

385KB
MD5

081e83bb759d494e6f25dc602776012a
SHA1

33bc8f731c414fd2ca3fcac61c08fd7e31f32040
SHA256

6f7aa061f0cee099e31ff855d8c8b24154b96ebeb5aff86b6992297fdefc38a3
SHA512

3a94a0f420c60a6d67ae046c365d762d0caca62783f5dd44c31de60ea91f2c2c2f5399471b7e9d979b700eaa878701477b2ee4dfc74ecbc1d4884dfe600d4b6c
SSDEEP

12288:2qJ50E8dSSEG9wpYeo1bhMN3uO3majy+a5shwIz7HYXgPJzcvz72cSFmD7sGkSGr:9JuEPSEG9wp7ghMN3B3majyF5shwIz7T

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1900	081e83bb759d494e6f25dc602776012a.exe

Executes dropped EXE 1 IoCs

pid	Process
1900	081e83bb759d494e6f25dc602776012a.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
216	081e83bb759d494e6f25dc602776012a.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
216	081e83bb759d494e6f25dc602776012a.exe
1900	081e83bb759d494e6f25dc602776012a.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 216 wrote to memory of 1900	216	081e83bb759d494e6f25dc602776012a.exe	88
PID 216 wrote to memory of 1900	216	081e83bb759d494e6f25dc602776012a.exe	88
PID 216 wrote to memory of 1900	216	081e83bb759d494e6f25dc602776012a.exe	88

C:\Users\Admin\AppData\Local\Temp\081e83bb759d494e6f25dc602776012a.exe
"C:\Users\Admin\AppData\Local\Temp\081e83bb759d494e6f25dc602776012a.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:216
- C:\Users\Admin\AppData\Local\Temp\081e83bb759d494e6f25dc602776012a.exe
  C:\Users\Admin\AppData\Local\Temp\081e83bb759d494e6f25dc602776012a.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\081e83bb759d494e6f25dc602776012a.exe

Filesize
385KB

MD5
05598fc21219026429faec5da7601b17

SHA1
47be41f796516e2cf1cc4842bbb51e684ef516ae

SHA256
c9495e6997dcca271ffc9cd1935569e8385e74331a89a6867bd033fb294f66b6

SHA512
19673c5453ab2790a0895c9ccf12627c19b6987b8648940348adb546bcadf7bce751ce5574cfa0ae4a09d16506c4368019b07cb8077ce60d8a8665b0495b06a5

Download Submit
memory/216-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/216-1-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/216-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/216-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1900-14-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1900-16-0x0000000001620000-0x0000000001686000-memory.dmp

Filesize
408KB

Download
memory/1900-20-0x0000000004EE0000-0x0000000004F3F000-memory.dmp

Filesize
380KB

Download
memory/1900-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1900-32-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1900-37-0x000000000C620000-0x000000000C65C000-memory.dmp

Filesize
240KB

Download
memory/1900-38-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download