f42d2f4249de916692005a3d3d8feb57d0dd5e4dcbc908697b25935476c9717d

Analysis

max time kernel
149s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29/12/2023, 19:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0135a7b86d570a54c1907f53eb76bcac.exe
Size

385KB
MD5

0135a7b86d570a54c1907f53eb76bcac
SHA1

213748ea8e78f6566f8d82adda44a0787b384a48
SHA256

f42d2f4249de916692005a3d3d8feb57d0dd5e4dcbc908697b25935476c9717d
SHA512

c0620658e887972b532182c794c1424d75aacc5ffa91d225154c71b7f12418eaa65bf757cff9b880c59dd49c92ba60d81fc53e542d1124b14115ac8a1249f5db
SSDEEP

12288:S6wylQKsLKJJAdnDRWoG3SllL7kNCtWTPB:VwylQCohG3slLRaB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1876	0135a7b86d570a54c1907f53eb76bcac.exe

Executes dropped EXE 1 IoCs

pid	Process
1876	0135a7b86d570a54c1907f53eb76bcac.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1628	0135a7b86d570a54c1907f53eb76bcac.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1628	0135a7b86d570a54c1907f53eb76bcac.exe
1876	0135a7b86d570a54c1907f53eb76bcac.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 1876	1628	0135a7b86d570a54c1907f53eb76bcac.exe	89
PID 1628 wrote to memory of 1876	1628	0135a7b86d570a54c1907f53eb76bcac.exe	89
PID 1628 wrote to memory of 1876	1628	0135a7b86d570a54c1907f53eb76bcac.exe	89

C:\Users\Admin\AppData\Local\Temp\0135a7b86d570a54c1907f53eb76bcac.exe
"C:\Users\Admin\AppData\Local\Temp\0135a7b86d570a54c1907f53eb76bcac.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Users\Admin\AppData\Local\Temp\0135a7b86d570a54c1907f53eb76bcac.exe
  C:\Users\Admin\AppData\Local\Temp\0135a7b86d570a54c1907f53eb76bcac.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0135a7b86d570a54c1907f53eb76bcac.exe

Filesize
362KB

MD5
3fd17be2e2631c2b4c63885bb0b3ac87

SHA1
5f08b33e7fee7c02667a4a097a5f1abb4fc4714d

SHA256
c8cc7b930eec0c9b8b17ddf836442b268c49b7835c5b362aa49170173c7438b3

SHA512
4f2751aea48e7521ff11e31484595cf6f0186ca486cb490b957438fd81ce73c6df76f4a2c0d848385fc2b6ea3ccc94f308fa01471733bed84033c71312cf7ad0

Download Submit
memory/1628-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1628-1-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/1628-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1628-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1876-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1876-15-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/1876-20-0x0000000001640000-0x000000000169F000-memory.dmp

Filesize
380KB

Download
memory/1876-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1876-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1876-31-0x000000000B600000-0x000000000B63C000-memory.dmp

Filesize
240KB

Download
memory/1876-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download