011d709cf87be1257ec14c8abf0c7fafa5f5e6a31010dca83f8383b2b6a0538f

Analysis

max time kernel
148s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29-12-2023 20:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

038b27dbb9d818606c5696391f800819.exe
Size

385KB
MD5

038b27dbb9d818606c5696391f800819
SHA1

4dc1f5ef2adc59da932aeed248c527f93fd03725
SHA256

011d709cf87be1257ec14c8abf0c7fafa5f5e6a31010dca83f8383b2b6a0538f
SHA512

d1118d7b9de11f03d346437e36fec537db13c6e93ee4e19ee9f1aa7e8f572de90f62d1f52b39b46e97d1cc6e4c6cdc2e7d7eb0da8d7385514f3d7b349b2c0ceb
SSDEEP

6144:9KkDPPRy6Zk2uN1dZvvcqAkyuFLBjCMy5c3RO5ERTOPENBWVkqzxCj6pfyqxB:9KkrpF5uN1A5uFyMQQOc2kSxCcfPB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3944	038b27dbb9d818606c5696391f800819.exe

Executes dropped EXE 1 IoCs

pid	Process
3944	038b27dbb9d818606c5696391f800819.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2064	038b27dbb9d818606c5696391f800819.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2064	038b27dbb9d818606c5696391f800819.exe
3944	038b27dbb9d818606c5696391f800819.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 3944	2064	038b27dbb9d818606c5696391f800819.exe	76
PID 2064 wrote to memory of 3944	2064	038b27dbb9d818606c5696391f800819.exe	76
PID 2064 wrote to memory of 3944	2064	038b27dbb9d818606c5696391f800819.exe	76

C:\Users\Admin\AppData\Local\Temp\038b27dbb9d818606c5696391f800819.exe
"C:\Users\Admin\AppData\Local\Temp\038b27dbb9d818606c5696391f800819.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Users\Admin\AppData\Local\Temp\038b27dbb9d818606c5696391f800819.exe
  C:\Users\Admin\AppData\Local\Temp\038b27dbb9d818606c5696391f800819.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:3944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\038b27dbb9d818606c5696391f800819.exe

Filesize
95KB

MD5
47283d42ef0727ad5daeaeed343addbb

SHA1
dc802239221471cea1c8e1f8eabeba9fb59f6d43

SHA256
973bbb2da5a5087946d433d3805b2bbe37d5cb4dedea50cc0281dce571522818

SHA512
5df87aa75680fb61b4c00dd46991208773f4a8623fbf1d9bd53cd0e2dd47b490a1c9450d0702a1fa16d98b040924b7503977c4da8487f9830339fa565f8bc65d

Download Submit
memory/2064-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2064-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2064-1-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/2064-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3944-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3944-20-0x0000000004F40000-0x0000000004F9F000-memory.dmp

Filesize
380KB

Download
memory/3944-16-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/3944-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3944-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3944-36-0x000000000B600000-0x000000000B63C000-memory.dmp

Filesize
240KB

Download
memory/3944-35-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download