014e86f83200895728bff7b86d5eec1cec82003ac8c8fdede1f9db78d7be8585

Analysis

max time kernel
209s
max time network
222s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 07:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

11b0bf6731b2d4a8b2a433fb028f48e5.exe
Size

385KB
MD5

11b0bf6731b2d4a8b2a433fb028f48e5
SHA1

889bb733773142c711d447569c0b1947aae15069
SHA256

014e86f83200895728bff7b86d5eec1cec82003ac8c8fdede1f9db78d7be8585
SHA512

cb41710c1cfc85124b1ceb4a0ab1c33fceb5fb39c5ba80ce9461aab6cd6c32bd7adc2dbc9db9a1cce0627593ea41edba0e855cee21f7d1e467a098154727a975
SSDEEP

12288:2605Rc7LYWu/upkzFQnXX88xsg7UaMn8rJRUynEMSg4N/dO7tHB:705RgLYtSSQXJswlB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3000	11b0bf6731b2d4a8b2a433fb028f48e5.exe

Executes dropped EXE 1 IoCs

pid	Process
3000	11b0bf6731b2d4a8b2a433fb028f48e5.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4364	11b0bf6731b2d4a8b2a433fb028f48e5.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4364	11b0bf6731b2d4a8b2a433fb028f48e5.exe
3000	11b0bf6731b2d4a8b2a433fb028f48e5.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4364 wrote to memory of 3000	4364	11b0bf6731b2d4a8b2a433fb028f48e5.exe	91
PID 4364 wrote to memory of 3000	4364	11b0bf6731b2d4a8b2a433fb028f48e5.exe	91
PID 4364 wrote to memory of 3000	4364	11b0bf6731b2d4a8b2a433fb028f48e5.exe	91

C:\Users\Admin\AppData\Local\Temp\11b0bf6731b2d4a8b2a433fb028f48e5.exe
"C:\Users\Admin\AppData\Local\Temp\11b0bf6731b2d4a8b2a433fb028f48e5.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4364
- C:\Users\Admin\AppData\Local\Temp\11b0bf6731b2d4a8b2a433fb028f48e5.exe
  C:\Users\Admin\AppData\Local\Temp\11b0bf6731b2d4a8b2a433fb028f48e5.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\11b0bf6731b2d4a8b2a433fb028f48e5.exe

Filesize
385KB

MD5
46dcd9f0d5861d803cd2bf8a04efc9b2

SHA1
1ae3874e31d372d4a04ba7d80974ecbbebe4e887

SHA256
a05fb9cb277c62c17d9ef104893bdea2672f22da741a93482b6ce26627d53676

SHA512
f083c692080897b6e5c590568ba40d834c1212a2513894d20a6dd1fa53a94e68ec2ebc218d3b4062b9aec82f67459320f6fe19433078baf99f1d817660c96640

Download Submit
memory/3000-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3000-14-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/3000-20-0x0000000004EC0000-0x0000000004F1F000-memory.dmp

Filesize
380KB

Download
memory/3000-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3000-33-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3000-38-0x000000000B600000-0x000000000B63C000-memory.dmp

Filesize
240KB

Download
memory/3000-39-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4364-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4364-1-0x00000000014D0000-0x0000000001536000-memory.dmp

Filesize
408KB

Download
memory/4364-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4364-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download