2f6265aa82894b2e813a6a901d7fb3353756daa14ef6ebc0d099a1dea408783c

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 04:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0eb66305c6562bd859e13bd69caf0430.exe
Size

385KB
MD5

0eb66305c6562bd859e13bd69caf0430
SHA1

980bdabc83e176e43ce327d1557a658ce995635c
SHA256

2f6265aa82894b2e813a6a901d7fb3353756daa14ef6ebc0d099a1dea408783c
SHA512

521ebde06b97d0174254b3ee63437fa51e7a483e6a7fe59e17ad15b7939033bcdb6e9c06b9f5ea5a07307f3ca12f4e7f775b1c9457f8880344c60dbb31b7b164
SSDEEP

12288:slwz4fo1A93oL1B7QIbV+c/EJ+qZV1eL/bNB:sleTm9QQeue1B

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4544	0eb66305c6562bd859e13bd69caf0430.exe

Executes dropped EXE 1 IoCs

pid	Process
4544	0eb66305c6562bd859e13bd69caf0430.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4952	0eb66305c6562bd859e13bd69caf0430.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4952	0eb66305c6562bd859e13bd69caf0430.exe
4544	0eb66305c6562bd859e13bd69caf0430.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4952 wrote to memory of 4544	4952	0eb66305c6562bd859e13bd69caf0430.exe	17
PID 4952 wrote to memory of 4544	4952	0eb66305c6562bd859e13bd69caf0430.exe	17
PID 4952 wrote to memory of 4544	4952	0eb66305c6562bd859e13bd69caf0430.exe	17

C:\Users\Admin\AppData\Local\Temp\0eb66305c6562bd859e13bd69caf0430.exe
"C:\Users\Admin\AppData\Local\Temp\0eb66305c6562bd859e13bd69caf0430.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4952
- C:\Users\Admin\AppData\Local\Temp\0eb66305c6562bd859e13bd69caf0430.exe
  C:\Users\Admin\AppData\Local\Temp\0eb66305c6562bd859e13bd69caf0430.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:4544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4544-14-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/4544-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4544-20-0x0000000004EF0000-0x0000000004F4F000-memory.dmp

Filesize
380KB

Download
memory/4544-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4544-32-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4544-38-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4544-37-0x000000000C620000-0x000000000C65C000-memory.dmp

Filesize
240KB

Download
memory/4952-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4952-1-0x00000000014D0000-0x0000000001536000-memory.dmp

Filesize
408KB

Download
memory/4952-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4952-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download