0b077235755a313ef7b4dc3634f87f0c1e9fc20dd3a0557004818d4eef9d7dfd

Analysis

max time kernel
144s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 03:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d76559780f212a3b42f75b3a3f1a3e8.exe
Size

1.5MB
MD5

0d76559780f212a3b42f75b3a3f1a3e8
SHA1

578a1b0d9765819dc2669ad1ac49d80b8e42ed0d
SHA256

0b077235755a313ef7b4dc3634f87f0c1e9fc20dd3a0557004818d4eef9d7dfd
SHA512

8a893664cecdb2a4d8a979ccbb77d190435f425731f34ad7725844750e6fc87bdba505cfbb04a408825bfba645bc9245607453f84069febf64bf6e2d99b30ac0
SSDEEP

24576:2SttNBZnOIaYh63b10hJaothZ2/T6FBBjNPI5lqkfZSkHR82b10hJaothZ2/T6FP:2S7PpaYw/ofqg4/ofp

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
676	0d76559780f212a3b42f75b3a3f1a3e8.exe

Executes dropped EXE 1 IoCs

pid	Process
676	0d76559780f212a3b42f75b3a3f1a3e8.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4480	0d76559780f212a3b42f75b3a3f1a3e8.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4480	0d76559780f212a3b42f75b3a3f1a3e8.exe
676	0d76559780f212a3b42f75b3a3f1a3e8.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4480 wrote to memory of 676	4480	0d76559780f212a3b42f75b3a3f1a3e8.exe	90
PID 4480 wrote to memory of 676	4480	0d76559780f212a3b42f75b3a3f1a3e8.exe	90
PID 4480 wrote to memory of 676	4480	0d76559780f212a3b42f75b3a3f1a3e8.exe	90

C:\Users\Admin\AppData\Local\Temp\0d76559780f212a3b42f75b3a3f1a3e8.exe
"C:\Users\Admin\AppData\Local\Temp\0d76559780f212a3b42f75b3a3f1a3e8.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4480
- C:\Users\Admin\AppData\Local\Temp\0d76559780f212a3b42f75b3a3f1a3e8.exe
  C:\Users\Admin\AppData\Local\Temp\0d76559780f212a3b42f75b3a3f1a3e8.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0d76559780f212a3b42f75b3a3f1a3e8.exe

Filesize
486KB

MD5
399aba7e2e3c387353862dd902f11684

SHA1
492408cb3ff4f2a5136c57ce1c95ae519e4cee1a

SHA256
2d1bd7550f359ecff346a98b9f8c129e65e0e6e3b60029a68a71dc417fd36663

SHA512
f0191cc23d9ae9578f3b8e80032c214e16968a3b94fa04373f55a1b3c739cdf3a1c36d4d2c3bffe81a766b9b319da5f70cd71aa573f62477e8759db63723705a

Download Submit
memory/676-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/676-15-0x00000000014D0000-0x0000000001536000-memory.dmp

Filesize
408KB

Download
memory/676-20-0x0000000002740000-0x000000000279F000-memory.dmp

Filesize
380KB

Download
memory/676-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/676-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/676-35-0x000000000B600000-0x000000000B63C000-memory.dmp

Filesize
240KB

Download
memory/676-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4480-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4480-1-0x00000000014D0000-0x0000000001536000-memory.dmp

Filesize
408KB

Download
memory/4480-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4480-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download