4757c9dcd230a95051a102ec791624c2c78132edcf2c4f5551380e5f69d79d6d

Analysis

max time kernel
194s
max time network
205s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 02:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0bce4b35f0b33f6b0bb713ef475a6a06.exe
Size

385KB
MD5

0bce4b35f0b33f6b0bb713ef475a6a06
SHA1

d933ffb90697089f4e436754b38ff93aa8bf72c1
SHA256

4757c9dcd230a95051a102ec791624c2c78132edcf2c4f5551380e5f69d79d6d
SHA512

7b0164f43c20b59577a5feb23690826d7168956fab7ee08c96933b45977138e10dd18c37e0344eb068dd9559f33cef2e62a716a85436bc7ec2757d8fe01ffdd8
SSDEEP

6144:fT4+umOMZ/m/cKSCv03/TIHrtVhEzW79aDhkEugbsiFLZKJv/C0K0SdjhpmCyiB:fgmVZe0K5vptszW79aljFNKJS0chVB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4300	0bce4b35f0b33f6b0bb713ef475a6a06.exe

Executes dropped EXE 1 IoCs

pid	Process
4300	0bce4b35f0b33f6b0bb713ef475a6a06.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2116	0bce4b35f0b33f6b0bb713ef475a6a06.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2116	0bce4b35f0b33f6b0bb713ef475a6a06.exe
4300	0bce4b35f0b33f6b0bb713ef475a6a06.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 4300	2116	0bce4b35f0b33f6b0bb713ef475a6a06.exe	86
PID 2116 wrote to memory of 4300	2116	0bce4b35f0b33f6b0bb713ef475a6a06.exe	86
PID 2116 wrote to memory of 4300	2116	0bce4b35f0b33f6b0bb713ef475a6a06.exe	86

C:\Users\Admin\AppData\Local\Temp\0bce4b35f0b33f6b0bb713ef475a6a06.exe
"C:\Users\Admin\AppData\Local\Temp\0bce4b35f0b33f6b0bb713ef475a6a06.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Users\Admin\AppData\Local\Temp\0bce4b35f0b33f6b0bb713ef475a6a06.exe
  C:\Users\Admin\AppData\Local\Temp\0bce4b35f0b33f6b0bb713ef475a6a06.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:4300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0bce4b35f0b33f6b0bb713ef475a6a06.exe

Filesize
61KB

MD5
e8ded5fa104e196cee7facdebfd5ade9

SHA1
e93f3427b09cd6c67b7250cc3c9b34fe4537affe

SHA256
0dccdc5e93a2b7fc01001dff2b6d6a6b9aa5234f854ae4ff0b2d4000459e836b

SHA512
ffd7f2f528b3e412831c4ecfacd11e209447d68de80e3501fe89a8d21b720b755f980b2adaf83d058e47c9300085754e324f99cf2151a30c44893dfe2af81cab

Download Submit
memory/2116-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2116-1-0x00000000015F0000-0x0000000001656000-memory.dmp

Filesize
408KB

Download
memory/2116-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2116-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4300-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4300-14-0x0000000000170000-0x00000000001D6000-memory.dmp

Filesize
408KB

Download
memory/4300-20-0x0000000004EA0000-0x0000000004EFF000-memory.dmp

Filesize
380KB

Download
memory/4300-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4300-33-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4300-35-0x000000000B600000-0x000000000B63C000-memory.dmp

Filesize
240KB

Download
memory/4300-39-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download