134cad294e688453e8a8c55c889ec347bdfb8cd25908b0681d77ab27a402ef9f

Analysis

max time kernel
148s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29/12/2023, 23:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0702a9a5a0f890b3c81caebe9816f56f.exe
Size

385KB
MD5

0702a9a5a0f890b3c81caebe9816f56f
SHA1

f098e4d4fe228a34812c8f212e4fd67c2ad8e266
SHA256

134cad294e688453e8a8c55c889ec347bdfb8cd25908b0681d77ab27a402ef9f
SHA512

ec31b69d854222b1d62929b84e350f36f48c3e6a2c0a0cb73596ff4521a9be278faae26888fc770f7cac675daced823f8a14eb0eca877f6427ac795773f82d8c
SSDEEP

12288:aKmx6cCscQhyg14oTdn9D4VYTYVHKh8cB:aKmx6DKhd14oTdyVYcVHKh8cB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1104	0702a9a5a0f890b3c81caebe9816f56f.exe

Executes dropped EXE 1 IoCs

pid	Process
1104	0702a9a5a0f890b3c81caebe9816f56f.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3092	0702a9a5a0f890b3c81caebe9816f56f.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3092	0702a9a5a0f890b3c81caebe9816f56f.exe
1104	0702a9a5a0f890b3c81caebe9816f56f.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3092 wrote to memory of 1104	3092	0702a9a5a0f890b3c81caebe9816f56f.exe	18
PID 3092 wrote to memory of 1104	3092	0702a9a5a0f890b3c81caebe9816f56f.exe	18
PID 3092 wrote to memory of 1104	3092	0702a9a5a0f890b3c81caebe9816f56f.exe	18

C:\Users\Admin\AppData\Local\Temp\0702a9a5a0f890b3c81caebe9816f56f.exe
"C:\Users\Admin\AppData\Local\Temp\0702a9a5a0f890b3c81caebe9816f56f.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3092
- C:\Users\Admin\AppData\Local\Temp\0702a9a5a0f890b3c81caebe9816f56f.exe
  C:\Users\Admin\AppData\Local\Temp\0702a9a5a0f890b3c81caebe9816f56f.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0702a9a5a0f890b3c81caebe9816f56f.exe

Filesize
92KB

MD5
ab8ce58260b2f48c805a60bae8b8f30e

SHA1
a12ac74683d44846b33f71a4d5b8839e249b39c2

SHA256
5c4486bfc6dcf420aeab4f729d57d5a12b1c90c4f086f13086ac12ff90641d7a

SHA512
bcee65229f0ee7132e0eea800460b119d24819c526f65195144e847cb39d096d78d95b1f9ba672b7f13b4e3c5dd1df22509979940ea18b0a770a9e66d4bfe420

Download Submit
memory/1104-20-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1104-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1104-21-0x0000000004E80000-0x0000000004EDF000-memory.dmp

Filesize
380KB

Download
memory/1104-16-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/1104-38-0x000000000C620000-0x000000000C65C000-memory.dmp

Filesize
240KB

Download
memory/1104-37-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1104-32-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1104-39-0x000000000C620000-0x000000000C65C000-memory.dmp

Filesize
240KB

Download
memory/3092-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3092-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3092-1-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/3092-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download