25ae3c6adceacac69fe19f844964ac9b9eb6d534b806c2072eb60a6e06828a70

Analysis

max time kernel
142s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 00:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08fbd0b2ad4cc097568a3e335038b148.exe
Size

771KB
MD5

08fbd0b2ad4cc097568a3e335038b148
SHA1

84db00013c0b619523b120c61a204ef0cf1600c3
SHA256

25ae3c6adceacac69fe19f844964ac9b9eb6d534b806c2072eb60a6e06828a70
SHA512

c38c0f5f6b0c98ebd92fd6bdcb5a48360f0dcdd6329949ce11b0cb692367500190cf8edad82686961c6cdf11c2b7e17c7497baab0ac915f0bbd9c5dc2448a99d
SSDEEP

12288:vd8eX4WNZDmeGFVlLmjakbizuazzF+b10VHmDXTuFaa2AtyGTKOF25ZoJJyhRgeG:l8q7qB0RHU+b10hJaothZ2/T6FBBB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4924	08fbd0b2ad4cc097568a3e335038b148.exe

Executes dropped EXE 1 IoCs

pid	Process
4924	08fbd0b2ad4cc097568a3e335038b148.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2176	08fbd0b2ad4cc097568a3e335038b148.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2176	08fbd0b2ad4cc097568a3e335038b148.exe
4924	08fbd0b2ad4cc097568a3e335038b148.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 4924	2176	08fbd0b2ad4cc097568a3e335038b148.exe	20
PID 2176 wrote to memory of 4924	2176	08fbd0b2ad4cc097568a3e335038b148.exe	20
PID 2176 wrote to memory of 4924	2176	08fbd0b2ad4cc097568a3e335038b148.exe	20

C:\Users\Admin\AppData\Local\Temp\08fbd0b2ad4cc097568a3e335038b148.exe
"C:\Users\Admin\AppData\Local\Temp\08fbd0b2ad4cc097568a3e335038b148.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Users\Admin\AppData\Local\Temp\08fbd0b2ad4cc097568a3e335038b148.exe
  C:\Users\Admin\AppData\Local\Temp\08fbd0b2ad4cc097568a3e335038b148.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:4924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2176-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2176-1-0x00000000014D0000-0x0000000001536000-memory.dmp

Filesize
408KB

Download
memory/2176-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2176-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4924-20-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4924-19-0x00000000015F0000-0x000000000164F000-memory.dmp

Filesize
380KB

Download
memory/4924-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4924-31-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4924-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4924-37-0x00000000052D0000-0x000000000530C000-memory.dmp

Filesize
240KB

Download