5050a8512c5e1751256b1630f12ddcca312d39c12f946ddb8d2ef1aedfd93366

Analysis

max time kernel
152s
max time network
181s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 02:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b6676091b74c9af31d4449ed02c9c63.exe
Size

385KB
MD5

0b6676091b74c9af31d4449ed02c9c63
SHA1

a1ad07902fcad2fd40a5138ce0c34ba9dc1621b3
SHA256

5050a8512c5e1751256b1630f12ddcca312d39c12f946ddb8d2ef1aedfd93366
SHA512

6e519681b2f037cf24b0c4ef13b5fa393c97217558df317ee34b15dca1f7dd3e3fefef1e09d75d8a841e9a1443c05a1a140dd3692d03acc701e6d992ff82764d
SSDEEP

6144:Rv7rQB28fQjOOwXDcGJTe78sLwkawiycycHuQ3QN8Ky6dbBekUW8Bx2d8TcuKxB:Rv7rQBiMTsrLwtycTK/yoUs+TcuGB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4852	0b6676091b74c9af31d4449ed02c9c63.exe

Executes dropped EXE 1 IoCs

pid	Process
4852	0b6676091b74c9af31d4449ed02c9c63.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
676	0b6676091b74c9af31d4449ed02c9c63.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
676	0b6676091b74c9af31d4449ed02c9c63.exe
4852	0b6676091b74c9af31d4449ed02c9c63.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 676 wrote to memory of 4852	676	0b6676091b74c9af31d4449ed02c9c63.exe	90
PID 676 wrote to memory of 4852	676	0b6676091b74c9af31d4449ed02c9c63.exe	90
PID 676 wrote to memory of 4852	676	0b6676091b74c9af31d4449ed02c9c63.exe	90

C:\Users\Admin\AppData\Local\Temp\0b6676091b74c9af31d4449ed02c9c63.exe
"C:\Users\Admin\AppData\Local\Temp\0b6676091b74c9af31d4449ed02c9c63.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:676
- C:\Users\Admin\AppData\Local\Temp\0b6676091b74c9af31d4449ed02c9c63.exe
  C:\Users\Admin\AppData\Local\Temp\0b6676091b74c9af31d4449ed02c9c63.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:4852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0b6676091b74c9af31d4449ed02c9c63.exe

Filesize
385KB

MD5
186a65765af92f20e2a4e8e25d38a212

SHA1
1912e15c126021a64bb5157af6e1c0899f2e2f79

SHA256
93a3abd0188bf171f6ed02228879f8364b9718553042e9871a612cb806c466a1

SHA512
40f32bcaaa4ed1ce478335532347a9c1b9ead1204e20e5805d55f7312784dbf4256083df549e965b5765b095291d54c4a3b3d6f5625712d75df904cbe2b6c579

Download Submit
memory/676-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/676-1-0x00000000015E0000-0x0000000001646000-memory.dmp

Filesize
408KB

Download
memory/676-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/676-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4852-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4852-15-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/4852-20-0x00000000015F0000-0x000000000164F000-memory.dmp

Filesize
380KB

Download
memory/4852-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4852-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4852-35-0x000000000B700000-0x000000000B73C000-memory.dmp

Filesize
240KB

Download
memory/4852-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download