81ccd696803de8f045d6ff27d50bc5285750ee69f65e099f3f59a9aa4c583a32

Analysis

max time kernel
145s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 04:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e0ab3177cc45d1c11bc77f22026c0ba.exe
Size

385KB
MD5

0e0ab3177cc45d1c11bc77f22026c0ba
SHA1

948548f806353d1ac75b01ae0498efec65acd641
SHA256

81ccd696803de8f045d6ff27d50bc5285750ee69f65e099f3f59a9aa4c583a32
SHA512

51b5c660ff8785505d362c07d2e1618a31c047d80ce1080b2fe7cc46716e886da928d71715d14eb350397267a38bae507cd36415747353c7779017b3761ac790
SSDEEP

12288:d6FO+5F9d8A4hX6Dpr28J9ZHCQZXQiunxbr2mNYxeeB:d6FdDIA45opK8TZH/ZXQ9n5rUPB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3360	0e0ab3177cc45d1c11bc77f22026c0ba.exe

Executes dropped EXE 1 IoCs

pid	Process
3360	0e0ab3177cc45d1c11bc77f22026c0ba.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3340	0e0ab3177cc45d1c11bc77f22026c0ba.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3340	0e0ab3177cc45d1c11bc77f22026c0ba.exe
3360	0e0ab3177cc45d1c11bc77f22026c0ba.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3340 wrote to memory of 3360	3340	0e0ab3177cc45d1c11bc77f22026c0ba.exe	15
PID 3340 wrote to memory of 3360	3340	0e0ab3177cc45d1c11bc77f22026c0ba.exe	15
PID 3340 wrote to memory of 3360	3340	0e0ab3177cc45d1c11bc77f22026c0ba.exe	15

C:\Users\Admin\AppData\Local\Temp\0e0ab3177cc45d1c11bc77f22026c0ba.exe
"C:\Users\Admin\AppData\Local\Temp\0e0ab3177cc45d1c11bc77f22026c0ba.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3340
- C:\Users\Admin\AppData\Local\Temp\0e0ab3177cc45d1c11bc77f22026c0ba.exe
  C:\Users\Admin\AppData\Local\Temp\0e0ab3177cc45d1c11bc77f22026c0ba.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:3360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0e0ab3177cc45d1c11bc77f22026c0ba.exe

Filesize
111KB

MD5
6907818c80f8d056c89e8a198f1ce209

SHA1
36d7fa733df6f404c53ac3b4551645b44033655c

SHA256
2c9ebc72ca87b80949212d6e14aa0c11a0afbb368c532c58dd16da9680811215

SHA512
0d18d8959bf3610cc4999a6816dc5ecd875b246218fd100f17f2536f27b99ba3c68d69702d52854617da1fcb5b5a5ebf5205835a30d8b5f2bbdaf0cf5c5104ee

Download Submit
memory/3340-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3340-1-0x00000000015B0000-0x0000000001616000-memory.dmp

Filesize
408KB

Download
memory/3340-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3340-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3360-14-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3360-20-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3360-22-0x0000000004EA0000-0x0000000004EFF000-memory.dmp

Filesize
380KB

Download
memory/3360-16-0x0000000001600000-0x0000000001666000-memory.dmp

Filesize
408KB

Download
memory/3360-32-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3360-38-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3360-36-0x000000000D660000-0x000000000D69C000-memory.dmp

Filesize
240KB

Download