86855ad177c326f3049ea9ac4d7b1a8cd8afd1b72910ee8075a7b2c7c09d9ab5

Analysis

max time kernel
133s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29-12-2023 20:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03599d25c11e4090d0e19863ad6f9408.exe
Size

385KB
MD5

03599d25c11e4090d0e19863ad6f9408
SHA1

29f1bbfea0fc01b4720e4e7f0acecf2b4827bc57
SHA256

86855ad177c326f3049ea9ac4d7b1a8cd8afd1b72910ee8075a7b2c7c09d9ab5
SHA512

8e0962478e64fcdffbe014a19d2fd91f2fd1f65f630bde74712f6147d5b7f51d3cf52ce06333599a5d74a4d564ba05f16d023124d4340eebb7e4967a9b59790d
SSDEEP

12288:nI0Hz7k2+9IOtYR4hSLBjzypVkSLoq6hsOU0wKQB:nIUzI2+9IO2n1jzypOSLd6hsuwKQB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2264	03599d25c11e4090d0e19863ad6f9408.exe

Executes dropped EXE 1 IoCs

pid	Process
2264	03599d25c11e4090d0e19863ad6f9408.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
344	03599d25c11e4090d0e19863ad6f9408.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
344	03599d25c11e4090d0e19863ad6f9408.exe
2264	03599d25c11e4090d0e19863ad6f9408.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 344 wrote to memory of 2264	344	03599d25c11e4090d0e19863ad6f9408.exe	92
PID 344 wrote to memory of 2264	344	03599d25c11e4090d0e19863ad6f9408.exe	92
PID 344 wrote to memory of 2264	344	03599d25c11e4090d0e19863ad6f9408.exe	92

C:\Users\Admin\AppData\Local\Temp\03599d25c11e4090d0e19863ad6f9408.exe
"C:\Users\Admin\AppData\Local\Temp\03599d25c11e4090d0e19863ad6f9408.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:344
- C:\Users\Admin\AppData\Local\Temp\03599d25c11e4090d0e19863ad6f9408.exe
  C:\Users\Admin\AppData\Local\Temp\03599d25c11e4090d0e19863ad6f9408.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\03599d25c11e4090d0e19863ad6f9408.exe

Filesize
385KB

MD5
e1a0a1fed5de891d4b4d868462af42e6

SHA1
e55ed38ddfc722936bfea85c1c50ca7172611131

SHA256
2cd2810ddbdc0b8345ab1592a5fabe0de0af9217183c3e9eebfbf372290c4cd8

SHA512
5cc3526a45c3be79cec6d3e83c0fbe26b9107e9340ec97d9b9d349463ae6471b0ac84fdd9e195d94c7b98f0e1709e6d67ec9844005ca5e839ba9f83d5713e6ba

Download Submit
memory/344-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/344-1-0x00000000015F0000-0x0000000001656000-memory.dmp

Filesize
408KB

Download
memory/344-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/344-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2264-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2264-14-0x0000000001600000-0x0000000001666000-memory.dmp

Filesize
408KB

Download
memory/2264-20-0x0000000004EB0000-0x0000000004F0F000-memory.dmp

Filesize
380KB

Download
memory/2264-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2264-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2264-32-0x000000000B600000-0x000000000B63C000-memory.dmp

Filesize
240KB

Download
memory/2264-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download