8cbb999d6466520ded868cb9c201c025edb8f9f8a73cb6fa25f0a7270c435a65

Analysis

max time kernel
152s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2023 00:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0916d5aa6110437935974c7f7777283c.exe
Size

907KB
MD5

0916d5aa6110437935974c7f7777283c
SHA1

16add22251259c8676e87f06ec749628d51358b8
SHA256

8cbb999d6466520ded868cb9c201c025edb8f9f8a73cb6fa25f0a7270c435a65
SHA512

7e6d3ce5873e892518852a77b40b84111cc3255175c27c589ea69256d8f8a1c34fced7fc1488cdfd4640600e535b716633873f1d59f56a64b38f137ab4ae68a8
SSDEEP

24576:SbIRrV42Im6TCZFjZYV17UuXFjuahwB5Za/ZS1:kIL42ImsCZFjZW7UuXBuQwBvgS

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
5084	0916d5aa6110437935974c7f7777283c.exe

Executes dropped EXE 1 IoCs

pid	Process
5084	0916d5aa6110437935974c7f7777283c.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4604	0916d5aa6110437935974c7f7777283c.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4604	0916d5aa6110437935974c7f7777283c.exe
5084	0916d5aa6110437935974c7f7777283c.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4604 wrote to memory of 5084	4604	0916d5aa6110437935974c7f7777283c.exe	88
PID 4604 wrote to memory of 5084	4604	0916d5aa6110437935974c7f7777283c.exe	88
PID 4604 wrote to memory of 5084	4604	0916d5aa6110437935974c7f7777283c.exe	88

C:\Users\Admin\AppData\Local\Temp\0916d5aa6110437935974c7f7777283c.exe
"C:\Users\Admin\AppData\Local\Temp\0916d5aa6110437935974c7f7777283c.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4604
- C:\Users\Admin\AppData\Local\Temp\0916d5aa6110437935974c7f7777283c.exe
  C:\Users\Admin\AppData\Local\Temp\0916d5aa6110437935974c7f7777283c.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:5084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0916d5aa6110437935974c7f7777283c.exe

Filesize
907KB

MD5
056bec65d290544eb6901d0a2e604cb4

SHA1
356d12552d66478d0875d72b3f7de580298f5927

SHA256
39f49d7f704e35393d978af24d4d73cc16a7a7a3ff0ff3f83b70943b5e89420f

SHA512
39aa62b6de7f49a50d7dd7a3c66f02bb381e2929711bd404ae527b04152c5ea967a966061bb2bf184842727447ed3c0e6182ff1268f785af51c68281a33ba509

Download Submit
memory/4604-0-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/4604-1-0x0000000001780000-0x0000000001868000-memory.dmp

Filesize
928KB

Download
memory/4604-2-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/4604-12-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/5084-13-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/5084-14-0x0000000001780000-0x0000000001868000-memory.dmp

Filesize
928KB

Download
memory/5084-20-0x00000000050B0000-0x000000000516B000-memory.dmp

Filesize
748KB

Download
memory/5084-21-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/5084-31-0x000000000C840000-0x000000000C8D8000-memory.dmp

Filesize
608KB

Download
memory/5084-30-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download