6e0b3adc37a295bb14a836f102f99abe5517afbb3e25ad92edc96341a7c43b8b

Analysis

max time kernel
137s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 05:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0fe86ceffbd44fd4ad452dddf2ed46b1.exe
Size

385KB
MD5

0fe86ceffbd44fd4ad452dddf2ed46b1
SHA1

5e5a9908a32b36c5a653bece2b64c0653c635d19
SHA256

6e0b3adc37a295bb14a836f102f99abe5517afbb3e25ad92edc96341a7c43b8b
SHA512

d93e7c9e2fa67d4dbcf74a7b9a8955de5d48e3d038f0b7dc1cf9d7bd3b7ce23719eb123d19d3d7d8b006ded2f7b9e3d2613fb548724c8da7da306b5fa9b5591b
SSDEEP

12288:/FtsCF8Wy4p6ECq01x/Ox7DQB6z2vUtHiyB:/rsEPYfqhI6z2vWHiyB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1492	0fe86ceffbd44fd4ad452dddf2ed46b1.exe

Executes dropped EXE 1 IoCs

pid	Process
1492	0fe86ceffbd44fd4ad452dddf2ed46b1.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1100	0fe86ceffbd44fd4ad452dddf2ed46b1.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1100	0fe86ceffbd44fd4ad452dddf2ed46b1.exe
1492	0fe86ceffbd44fd4ad452dddf2ed46b1.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1100 wrote to memory of 1492	1100	0fe86ceffbd44fd4ad452dddf2ed46b1.exe	91
PID 1100 wrote to memory of 1492	1100	0fe86ceffbd44fd4ad452dddf2ed46b1.exe	91
PID 1100 wrote to memory of 1492	1100	0fe86ceffbd44fd4ad452dddf2ed46b1.exe	91

C:\Users\Admin\AppData\Local\Temp\0fe86ceffbd44fd4ad452dddf2ed46b1.exe
"C:\Users\Admin\AppData\Local\Temp\0fe86ceffbd44fd4ad452dddf2ed46b1.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1100
- C:\Users\Admin\AppData\Local\Temp\0fe86ceffbd44fd4ad452dddf2ed46b1.exe
  C:\Users\Admin\AppData\Local\Temp\0fe86ceffbd44fd4ad452dddf2ed46b1.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0fe86ceffbd44fd4ad452dddf2ed46b1.exe

Filesize
385KB

MD5
c331f67f3a17533057d666258436a6c6

SHA1
3b59a414be851ba8b3e96141632ce97502d4d3f8

SHA256
4d8bca64f679dbfe1ba847b806b23b401479b637431090dc27fc24a914b15bfe

SHA512
101aee3c1d1d7e8319a0a7f72c429e6642ecabf90454334b11d60b1c8ef9d14aa82da990b562e6dc668cb8e1ff7be51fb19804b159406bc676cbb64ef9daf512

Download Submit
memory/1100-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1100-1-0x00000000014D0000-0x0000000001536000-memory.dmp

Filesize
408KB

Download
memory/1100-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1100-12-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1492-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1492-15-0x00000000015E0000-0x0000000001646000-memory.dmp

Filesize
408KB

Download
memory/1492-20-0x0000000004E80000-0x0000000004EDF000-memory.dmp

Filesize
380KB

Download
memory/1492-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1492-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1492-34-0x000000000B600000-0x000000000B63C000-memory.dmp

Filesize
240KB

Download
memory/1492-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download