931df68a3f44da8f929394030702d8e0d4d90f0eb5208764a6e46a9dc7fd1981

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26-12-2023 17:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7efd06088d1d2adf81b2257ddb7df144.exe
Size

385KB
MD5

7efd06088d1d2adf81b2257ddb7df144
SHA1

915e83ed3b04bf8cb2498aee964bb006deef845d
SHA256

931df68a3f44da8f929394030702d8e0d4d90f0eb5208764a6e46a9dc7fd1981
SHA512

73fea575c50b9a3d94512dc7ce8199e16493a559ae411b969788ae97e4c096afe0094b031da0f1276334cfa3d5c80de0d8485d330cc775ba67f0defd0f12adf4
SSDEEP

6144:DTuT1oVyHkbWvEnDhuD6BVDDT8wtrRg7P8wYPn+ztVKL/ui9AjhHIXm7LgAW8CFW:DqkyTvuQ2BFtGww5yz9AjhogaFa7xB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1088	7efd06088d1d2adf81b2257ddb7df144.exe

Executes dropped EXE 1 IoCs

pid	Process
1088	7efd06088d1d2adf81b2257ddb7df144.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3704	7efd06088d1d2adf81b2257ddb7df144.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3704	7efd06088d1d2adf81b2257ddb7df144.exe
1088	7efd06088d1d2adf81b2257ddb7df144.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3704 wrote to memory of 1088	3704	7efd06088d1d2adf81b2257ddb7df144.exe	89
PID 3704 wrote to memory of 1088	3704	7efd06088d1d2adf81b2257ddb7df144.exe	89
PID 3704 wrote to memory of 1088	3704	7efd06088d1d2adf81b2257ddb7df144.exe	89

C:\Users\Admin\AppData\Local\Temp\7efd06088d1d2adf81b2257ddb7df144.exe
"C:\Users\Admin\AppData\Local\Temp\7efd06088d1d2adf81b2257ddb7df144.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3704
- C:\Users\Admin\AppData\Local\Temp\7efd06088d1d2adf81b2257ddb7df144.exe
  C:\Users\Admin\AppData\Local\Temp\7efd06088d1d2adf81b2257ddb7df144.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7efd06088d1d2adf81b2257ddb7df144.exe

Filesize
385KB

MD5
efda19d66e9fdedd85d85feff5047429

SHA1
f66ba943446d77c7d16938efd297a6cf6de09bd1

SHA256
17c36f2754ea8f1994f173e018211e3860654167abe11a7a1e3457fcfe9b8786

SHA512
6b4cb727095025612a2152d445d2590ad5fe5345e156ba13d6ae32ef8a3ffff7441de910b38f3711d1b5c9aa9bf96d669eb8bcbcd6735acaac1a9a37f07516ce

Download Submit
memory/1088-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1088-14-0x00000000014D0000-0x0000000001536000-memory.dmp

Filesize
408KB

Download
memory/1088-20-0x0000000004F10000-0x0000000004F6F000-memory.dmp

Filesize
380KB

Download
memory/1088-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1088-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1088-31-0x000000000B600000-0x000000000B63C000-memory.dmp

Filesize
240KB

Download
memory/1088-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3704-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3704-1-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/3704-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3704-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download