086278fa114e89d40b904a2e712eb3664b6a6ac3b7860a1ae908e0766f8f9023

Analysis

max time kernel
94s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
29/12/2023, 19:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

025daaecc3765a067eb68dec9e7b3cde.exe
Size

771KB
MD5

025daaecc3765a067eb68dec9e7b3cde
SHA1

40d025e9c8915cd2333e7c943b46596a9c94ac04
SHA256

086278fa114e89d40b904a2e712eb3664b6a6ac3b7860a1ae908e0766f8f9023
SHA512

24b11c45712a4cd0bbf072c22f9336ac295dd69635af5e118d9a43751f95e2eb55ba9b9587b5e359d687ddfe30beafae6530e5204b0bebb8f1ff765dceab4693
SSDEEP

12288:xeNt19Ihj8qS05+y+2oolJY06ACQr5FveEXY5BTb10VHmDXTuFaa2AtyGTKOF25g:+xlmo4zBXWtb10hJaothZ2/T6FBBB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1976	025daaecc3765a067eb68dec9e7b3cde.exe

Executes dropped EXE 1 IoCs

pid	Process
1976	025daaecc3765a067eb68dec9e7b3cde.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
224	025daaecc3765a067eb68dec9e7b3cde.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
224	025daaecc3765a067eb68dec9e7b3cde.exe
1976	025daaecc3765a067eb68dec9e7b3cde.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 224 wrote to memory of 1976	224	025daaecc3765a067eb68dec9e7b3cde.exe	19
PID 224 wrote to memory of 1976	224	025daaecc3765a067eb68dec9e7b3cde.exe	19
PID 224 wrote to memory of 1976	224	025daaecc3765a067eb68dec9e7b3cde.exe	19

C:\Users\Admin\AppData\Local\Temp\025daaecc3765a067eb68dec9e7b3cde.exe
"C:\Users\Admin\AppData\Local\Temp\025daaecc3765a067eb68dec9e7b3cde.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:224
- C:\Users\Admin\AppData\Local\Temp\025daaecc3765a067eb68dec9e7b3cde.exe
  C:\Users\Admin\AppData\Local\Temp\025daaecc3765a067eb68dec9e7b3cde.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\025daaecc3765a067eb68dec9e7b3cde.exe

Filesize
27KB

MD5
95927cdb11dccc6fe948de280e1fca38

SHA1
c7c9d02bef7625fa7d6ec9472b396a5a4437ba6e

SHA256
a9a9b79572107334538a5046d09ed12d43f1bf569ad372c02eb800025cf53a60

SHA512
049811c965e4c2918258aa637311c010f5140a0cd7a1654d5403fe78d23f36c64b973502f25ff08c5fa41b04a8adb488d56de84874ecf421bf5961b8f093f140

Download Submit
memory/224-1-0x0000000001620000-0x0000000001686000-memory.dmp

Filesize
408KB

Download
memory/224-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/224-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/224-12-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1976-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1976-15-0x00000000014D0000-0x0000000001536000-memory.dmp

Filesize
408KB

Download
memory/1976-20-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1976-22-0x0000000004EF0000-0x0000000004F4F000-memory.dmp

Filesize
380KB

Download
memory/1976-32-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1976-37-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1976-38-0x000000000C620000-0x000000000C65C000-memory.dmp

Filesize
240KB

Download