8231e648ad2337e5be2ecfab8f96fcc6744745d71a25cab29fcf309ae6034f84

Analysis

max time kernel
91s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 20:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3b44add068c3b07cb8e83c5c72caee98.exe
Size

385KB
MD5

3b44add068c3b07cb8e83c5c72caee98
SHA1

26f2641ae8766da1b82f40652ca660423fdf4ea6
SHA256

8231e648ad2337e5be2ecfab8f96fcc6744745d71a25cab29fcf309ae6034f84
SHA512

0891b9d860b79f40e28554e8cc0bc3fb97b1bff784a3448b50aa88c69f535268dc453bdd39e815858a15cf4ee2b07fc40cc7627a0cbe9ab29103dc1becdcc1a8
SSDEEP

12288:44v8g2uk9aU/Wj6fNPUJ+H6BGjkFT1ZPIQbf42Br1NVVdnFGyoJ4DoHx3r9rkbaQ:kLv2T0zCBrrYCD0sB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1380	3b44add068c3b07cb8e83c5c72caee98.exe

Executes dropped EXE 1 IoCs

pid	Process
1380	3b44add068c3b07cb8e83c5c72caee98.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3880	3b44add068c3b07cb8e83c5c72caee98.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3880	3b44add068c3b07cb8e83c5c72caee98.exe
1380	3b44add068c3b07cb8e83c5c72caee98.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3880 wrote to memory of 1380	3880	3b44add068c3b07cb8e83c5c72caee98.exe	20
PID 3880 wrote to memory of 1380	3880	3b44add068c3b07cb8e83c5c72caee98.exe	20
PID 3880 wrote to memory of 1380	3880	3b44add068c3b07cb8e83c5c72caee98.exe	20

C:\Users\Admin\AppData\Local\Temp\3b44add068c3b07cb8e83c5c72caee98.exe
"C:\Users\Admin\AppData\Local\Temp\3b44add068c3b07cb8e83c5c72caee98.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3880
- C:\Users\Admin\AppData\Local\Temp\3b44add068c3b07cb8e83c5c72caee98.exe
  C:\Users\Admin\AppData\Local\Temp\3b44add068c3b07cb8e83c5c72caee98.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3b44add068c3b07cb8e83c5c72caee98.exe

Filesize
1KB

MD5
aba7da13b1e054a93de14f94467645ed

SHA1
d443ff8fa4b8406b358e67f02b18801b67b9d119

SHA256
d51fa5ed6adafecbebffebddd7f50ddb42beec8a3485153445a2caec9a79035e

SHA512
fa31469398a6ba324f1aa31f018cb1530cebef4191471886b75f858a0ac544c17d5667ee528cb83f32be88d237962959820557176721a2ef74b2bf37383c8a9d

Download Submit
memory/1380-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1380-20-0x0000000004EC0000-0x0000000004F1F000-memory.dmp

Filesize
380KB

Download
memory/1380-14-0x0000000001630000-0x0000000001696000-memory.dmp

Filesize
408KB

Download
memory/1380-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1380-38-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1380-33-0x000000000C620000-0x000000000C65C000-memory.dmp

Filesize
240KB

Download
memory/1380-32-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3880-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3880-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3880-1-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/3880-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download