fd0eb62914c40c982367337f70d5db473ce1c97d8b6e73877e32dc54c807098c

Analysis

max time kernel
2s
max time network
129s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 02:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0bce22f41ffb7b71ab1dad6621c92e08.exe
Size

385KB
MD5

0bce22f41ffb7b71ab1dad6621c92e08
SHA1

c11f52179009ac592ccc1c797d4ec22fcdbe8b39
SHA256

fd0eb62914c40c982367337f70d5db473ce1c97d8b6e73877e32dc54c807098c
SHA512

8803760653fd197f413ced20fd76c0165ff13085cb4833dc9050af5ba95369d07f2c0c68d780b3b6ae80c0df308e24f97ac8ee79635bed0b9cd0c41b63877e48
SSDEEP

12288:4yTfByCzY5VWgCMPDheSuSSPjB271VadSjqB/B:4kfP2vJhhXejB27TadSmtB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2748	0bce22f41ffb7b71ab1dad6621c92e08.exe

Executes dropped EXE 1 IoCs

pid	Process
2748	0bce22f41ffb7b71ab1dad6621c92e08.exe

Loads dropped DLL 1 IoCs

pid	Process
2160	0bce22f41ffb7b71ab1dad6621c92e08.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2160	0bce22f41ffb7b71ab1dad6621c92e08.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2160	0bce22f41ffb7b71ab1dad6621c92e08.exe
2748	0bce22f41ffb7b71ab1dad6621c92e08.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 2748	2160	0bce22f41ffb7b71ab1dad6621c92e08.exe	17
PID 2160 wrote to memory of 2748	2160	0bce22f41ffb7b71ab1dad6621c92e08.exe	17
PID 2160 wrote to memory of 2748	2160	0bce22f41ffb7b71ab1dad6621c92e08.exe	17
PID 2160 wrote to memory of 2748	2160	0bce22f41ffb7b71ab1dad6621c92e08.exe	17

C:\Users\Admin\AppData\Local\Temp\0bce22f41ffb7b71ab1dad6621c92e08.exe
"C:\Users\Admin\AppData\Local\Temp\0bce22f41ffb7b71ab1dad6621c92e08.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Users\Admin\AppData\Local\Temp\0bce22f41ffb7b71ab1dad6621c92e08.exe
  C:\Users\Admin\AppData\Local\Temp\0bce22f41ffb7b71ab1dad6621c92e08.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0bce22f41ffb7b71ab1dad6621c92e08.exe

Filesize
1KB

MD5
efbad176cbac6d4805cc08851d8d540b

SHA1
618c2008357a30e9e0b0f63dfc669e9f37dd4a09

SHA256
889f5c4bdb23c2fbbe4f7454e60e60ef5a5b8043ef0cef49d24e86ee23c39449

SHA512
34f83d91124f70942da0cb5edc859cb60100a046b4a97b16c30ede9b91652e9eb9b326c7d1e1d0970ef0a4b460d89bb3c8ea46ff4cb17195ac152042dab4947e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6A69.tmp

Filesize
55KB

MD5
3c686362950210e66f2b2a200f2af6a7

SHA1
133d9508dafc7120995bf60c6b55362b0462d0fd

SHA256
e80d8a9d920a42d73b4687258ec0580aacd00a628568bfcc6aaab09f8b393a43

SHA512
7ad63011cfe5229c990e17da654c02631b257f820f73e6d932f1fb0a4b98f565d350e24dbc54b0dde53604bd876f9825a12add6d2536858e3678f9318224e41e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6ABA.tmp

Filesize
23KB

MD5
ca004588ae12d2d1202cdd3e5550ea2a

SHA1
71077ff4c71aa415cee7ad9b01de4ec672119e5e

SHA256
d1c7625c9ce0900a6431bd85d68a64612e572cf959dde1243d68a206cfeeb207

SHA512
c52f1ab106cbf96ac24c5505d7a9fb7f89b2557fd2e16596e45ea19ce44d1137b75af10f68d2a959637b73668342b8b3560732cc14e06f717f189fdc4c745ffd

Download Submit
\Users\Admin\AppData\Local\Temp\0bce22f41ffb7b71ab1dad6621c92e08.exe

Filesize
23KB

MD5
7e5a0f45971c9124a3a8ecaf13247921

SHA1
757af0aaf600bd76aca78fbb6b87d91817493f24

SHA256
e36dce441fa5c471687e116fe29e509611669a65ac950a249c420f204f8c80b2

SHA512
07f16a1ec039f11a479245e634f36ea0ad341dd88dff2192795badf6f953d874b51c57dfe7b50677d782fa22c639739b765044ca9e1b659869e4f0488957baa6

Download Submit
memory/2160-15-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/2160-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2160-13-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2160-1-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2160-2-0x0000000000340000-0x00000000003A6000-memory.dmp

Filesize
408KB

Download
memory/2748-18-0x0000000000190000-0x00000000001F6000-memory.dmp

Filesize
408KB

Download
memory/2748-25-0x0000000000340000-0x000000000039F000-memory.dmp

Filesize
380KB

Download
memory/2748-23-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2748-16-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2748-77-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2748-83-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2748-82-0x000000000EA30000-0x000000000EA6C000-memory.dmp

Filesize
240KB

Download