54297d59ed4cd61f68f6efe987d14bf8e3993eb98c6a459d96c34b2f6b038661

Analysis

max time kernel
144s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 01:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0970f0b9276d9192d9c8b166ba574fb6.exe
Size

771KB
MD5

0970f0b9276d9192d9c8b166ba574fb6
SHA1

c3136ac4f8959d10920d9a30a3cb7d0a5a4c9ac9
SHA256

54297d59ed4cd61f68f6efe987d14bf8e3993eb98c6a459d96c34b2f6b038661
SHA512

32979e2b8fe242edf910ccf566502e989fd1d24c885c9064aee3a1dc4d877fcaa0c6035a342eea35384416458ac3d4517f83eddbbcf09a97c711ac14ae7a382d
SSDEEP

12288:F80L6E3gfcu7t7An54NwPk3U7jymb10VHmDXTuFaa2AtyGTKOF25ZoJJyhRge8B/:FL3O7t7Anxbjjb10hJaothZ2/T6FBBB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4064	0970f0b9276d9192d9c8b166ba574fb6.exe

Executes dropped EXE 1 IoCs

pid	Process
4064	0970f0b9276d9192d9c8b166ba574fb6.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4440	0970f0b9276d9192d9c8b166ba574fb6.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4440	0970f0b9276d9192d9c8b166ba574fb6.exe
4064	0970f0b9276d9192d9c8b166ba574fb6.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4440 wrote to memory of 4064	4440	0970f0b9276d9192d9c8b166ba574fb6.exe	18
PID 4440 wrote to memory of 4064	4440	0970f0b9276d9192d9c8b166ba574fb6.exe	18
PID 4440 wrote to memory of 4064	4440	0970f0b9276d9192d9c8b166ba574fb6.exe	18

C:\Users\Admin\AppData\Local\Temp\0970f0b9276d9192d9c8b166ba574fb6.exe
"C:\Users\Admin\AppData\Local\Temp\0970f0b9276d9192d9c8b166ba574fb6.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4440
- C:\Users\Admin\AppData\Local\Temp\0970f0b9276d9192d9c8b166ba574fb6.exe
  C:\Users\Admin\AppData\Local\Temp\0970f0b9276d9192d9c8b166ba574fb6.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:4064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0970f0b9276d9192d9c8b166ba574fb6.exe

Filesize
93KB

MD5
8a2defc27eb17498e33cfc6a45831077

SHA1
91f6e5c0e24e530a618b5e3592ef20612bfd75b1

SHA256
8f4cafbf3d09fa11bd20ee99368cd18d1a79a6fb93ad3b6444258372fa24bf88

SHA512
7eaf011d78721c9619792cbe6492fdc3e06fa708c2bd05192ce9221a1d5642df34443559d72f1848bae52261f6df71f341d83e6660778e3bc24df3b6ea120f95

Download Submit
memory/4064-20-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4064-19-0x0000000004E90000-0x0000000004EEF000-memory.dmp

Filesize
380KB

Download
memory/4064-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4064-31-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4064-37-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4064-36-0x000000000D660000-0x000000000D69C000-memory.dmp

Filesize
240KB

Download
memory/4440-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4440-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4440-1-0x0000000001630000-0x0000000001696000-memory.dmp

Filesize
408KB

Download
memory/4440-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download