accb3a4a93d260cb167ebea88920f4a57c1164808e744b9e156a5b35f835b096

Analysis

max time kernel
147s
max time network
75s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24-12-2023 20:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

100f5e90a9eb220b32e50b778c57c2dd.exe
Size

771KB
MD5

100f5e90a9eb220b32e50b778c57c2dd
SHA1

b9d9c78e2b747f6fc869af1cfe41c0cddd74265e
SHA256

accb3a4a93d260cb167ebea88920f4a57c1164808e744b9e156a5b35f835b096
SHA512

d1af51a5e7ec2b200ba43a5d764f5658da4fbe9a7046c6d01e41e0ae40ed03245babaa8f4833af5c03aaecba218fc2385aa77c616bdedd9bc3f3899b8cc92ba9
SSDEEP

12288:w18myemDer514dJ0+Fpg5F9FK9vWb10VHmDXTuFaa2AtyGTKOF25ZoJJyhRge8B/:mNyDSr514H65aOb10hJaothZ2/T6FBBB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3304	100f5e90a9eb220b32e50b778c57c2dd.exe

Executes dropped EXE 1 IoCs

pid	Process
3304	100f5e90a9eb220b32e50b778c57c2dd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4160	100f5e90a9eb220b32e50b778c57c2dd.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4160	100f5e90a9eb220b32e50b778c57c2dd.exe
3304	100f5e90a9eb220b32e50b778c57c2dd.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4160 wrote to memory of 3304	4160	100f5e90a9eb220b32e50b778c57c2dd.exe	20
PID 4160 wrote to memory of 3304	4160	100f5e90a9eb220b32e50b778c57c2dd.exe	20
PID 4160 wrote to memory of 3304	4160	100f5e90a9eb220b32e50b778c57c2dd.exe	20

C:\Users\Admin\AppData\Local\Temp\100f5e90a9eb220b32e50b778c57c2dd.exe
"C:\Users\Admin\AppData\Local\Temp\100f5e90a9eb220b32e50b778c57c2dd.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4160
- C:\Users\Admin\AppData\Local\Temp\100f5e90a9eb220b32e50b778c57c2dd.exe
  C:\Users\Admin\AppData\Local\Temp\100f5e90a9eb220b32e50b778c57c2dd.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:3304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\100f5e90a9eb220b32e50b778c57c2dd.exe

Filesize
37KB

MD5
2470630a280b703285bb661d9c8b51b0

SHA1
1ab5c52eb3ee1a9c6e97d95934cadf33c6e19f1c

SHA256
606fba8d32c5dba7941e625a25e60c0d46c8768ddf7fd4cb92f54d60e5102abb

SHA512
d090c88515d532baa8216cc2a4eda32a1748e45285c51c33e81e873b8dbaa95e2ad97bc5b912e4d1e87ca02f036c65d74a575806af8b35ede3035a5d64dbdec4

Download Submit
memory/3304-15-0x00000000014D0000-0x0000000001536000-memory.dmp

Filesize
408KB

Download
memory/3304-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3304-20-0x0000000004EA0000-0x0000000004EFF000-memory.dmp

Filesize
380KB

Download
memory/3304-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3304-32-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3304-38-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3304-36-0x000000000D660000-0x000000000D69C000-memory.dmp

Filesize
240KB

Download
memory/4160-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4160-1-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/4160-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4160-12-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download