d2371a2d5f4a2a1cbbbdae48a3346b5b00748fe199a32f8b1b04b1d2ece923f8

Analysis

max time kernel
151s
max time network
196s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 08:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

11f0aea71dff500d3b78393b7ef081d5.exe
Size

907KB
MD5

11f0aea71dff500d3b78393b7ef081d5
SHA1

ab6973498e5dc1691a50bcc031e54bbf6d29d9d4
SHA256

d2371a2d5f4a2a1cbbbdae48a3346b5b00748fe199a32f8b1b04b1d2ece923f8
SHA512

1e3cde2fb96aef25041d506d591776db110223d2e72bc27de17531a4408f6e2ff7abf964076a876d6386425b8cad62a31c9a2d0a968e48b0c991805353d4c7b4
SSDEEP

12288:mOgdNYJxlS/VprefFk0w/YPDPezKK6bosAEi/UluzDrobVIjVDa/ZS1:mOgdNYSts9E/APezP6bKcE4+a/ZS1

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2276	11f0aea71dff500d3b78393b7ef081d5.exe

Executes dropped EXE 1 IoCs

pid	Process
2276	11f0aea71dff500d3b78393b7ef081d5.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4052	11f0aea71dff500d3b78393b7ef081d5.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4052	11f0aea71dff500d3b78393b7ef081d5.exe
2276	11f0aea71dff500d3b78393b7ef081d5.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4052 wrote to memory of 2276	4052	11f0aea71dff500d3b78393b7ef081d5.exe	92
PID 4052 wrote to memory of 2276	4052	11f0aea71dff500d3b78393b7ef081d5.exe	92
PID 4052 wrote to memory of 2276	4052	11f0aea71dff500d3b78393b7ef081d5.exe	92

C:\Users\Admin\AppData\Local\Temp\11f0aea71dff500d3b78393b7ef081d5.exe
"C:\Users\Admin\AppData\Local\Temp\11f0aea71dff500d3b78393b7ef081d5.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4052
- C:\Users\Admin\AppData\Local\Temp\11f0aea71dff500d3b78393b7ef081d5.exe
  C:\Users\Admin\AppData\Local\Temp\11f0aea71dff500d3b78393b7ef081d5.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\11f0aea71dff500d3b78393b7ef081d5.exe

Filesize
907KB

MD5
d3fc7874ca88aaa39efe0342b20480d8

SHA1
f77ddaa847b91ccdbad176f26ef72743c455c076

SHA256
d567831d26a6c4ba5f631b2066b9dd9efbba4b01f2d6e78b4fb3fe99c9198e16

SHA512
97bdc6b85ae79abd84f6588bc172119bf5bbd2a7fd9ea95c087deee5c8cc6eee790ed6c2b1bbbcb3252f6e0d44417434f3df34aa64fa0e059a6ce880380f7b05

Download Submit
memory/2276-13-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2276-15-0x0000000001720000-0x0000000001808000-memory.dmp

Filesize
928KB

Download
memory/2276-20-0x00000000050A0000-0x000000000515B000-memory.dmp

Filesize
748KB

Download
memory/2276-21-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2276-30-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2276-33-0x000000000B800000-0x000000000B898000-memory.dmp

Filesize
608KB

Download
memory/4052-0-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/4052-1-0x0000000001740000-0x0000000001828000-memory.dmp

Filesize
928KB

Download
memory/4052-2-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/4052-11-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download