1284a5aaf6af962ddaf101e64745eeed511bac58445900b6fc69460296bb8d3b

Analysis

max time kernel
3s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 09:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

148f8639e8a229c6f402a21ca05c3f53.exe
Size

385KB
MD5

148f8639e8a229c6f402a21ca05c3f53
SHA1

036429883524f869f56261eeb479b1d27803471c
SHA256

1284a5aaf6af962ddaf101e64745eeed511bac58445900b6fc69460296bb8d3b
SHA512

c74b0af2fe3830e9b842e519340bb6453c90225344dacd2fe59dc4185a56ba8dd3553136f66b9bfb1359a2f9b611dacd64d17f54b78f40b287220954671fea0e
SSDEEP

6144:RwI+aOJVjaVKpmIkvuYBV0foxznzcpPxPmVmZYq+iTgxXTlKVE4sOy8x8IB:+ragw7hvuYB9zWJPmViYeTg554sCx8IB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2536	148f8639e8a229c6f402a21ca05c3f53.exe

Executes dropped EXE 1 IoCs

pid	Process
2536	148f8639e8a229c6f402a21ca05c3f53.exe

Loads dropped DLL 1 IoCs

pid	Process
1544	148f8639e8a229c6f402a21ca05c3f53.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1544	148f8639e8a229c6f402a21ca05c3f53.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1544	148f8639e8a229c6f402a21ca05c3f53.exe
2536	148f8639e8a229c6f402a21ca05c3f53.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1544 wrote to memory of 2536	1544	148f8639e8a229c6f402a21ca05c3f53.exe	28
PID 1544 wrote to memory of 2536	1544	148f8639e8a229c6f402a21ca05c3f53.exe	28
PID 1544 wrote to memory of 2536	1544	148f8639e8a229c6f402a21ca05c3f53.exe	28
PID 1544 wrote to memory of 2536	1544	148f8639e8a229c6f402a21ca05c3f53.exe	28

C:\Users\Admin\AppData\Local\Temp\148f8639e8a229c6f402a21ca05c3f53.exe
"C:\Users\Admin\AppData\Local\Temp\148f8639e8a229c6f402a21ca05c3f53.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Users\Admin\AppData\Local\Temp\148f8639e8a229c6f402a21ca05c3f53.exe
  C:\Users\Admin\AppData\Local\Temp\148f8639e8a229c6f402a21ca05c3f53.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\148f8639e8a229c6f402a21ca05c3f53.exe

Filesize
41KB

MD5
d17a3c14fdb0876fde6061d18e0cf1b3

SHA1
cb755bdbd90fa174f545a56ac9223565ee5edb97

SHA256
f43721a6d3bf685a3d4894dc8ebbc3ff560c19a2c105f0f12dcc3a2b97e945f9

SHA512
ee84ee11682a283a1ef682825d80896fc788fd3766d72878b770e7101b7982e843ee883c7f60cd4bbf75d47cf652ffeedd3ed0deec757f3398c39a9657bb42f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5840.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5871.tmp

Filesize
65KB

MD5
f8d7e3e128495fc3450e0dcc42976116

SHA1
c874c23940366c6fe62c443bd5764d31208effd0

SHA256
ac7f592f045bb7253c55b1a755113dfc88abd5cab521adbad49a7d223196420c

SHA512
c94af6955c71e8f7548b376aa9c36432d4c2ff739df4e78809a18354532b7b9a10cda337be9ff7ec12302d6bd9c59934d7323a3197ef93b6935cc597d33bc101

Download Submit
\Users\Admin\AppData\Local\Temp\148f8639e8a229c6f402a21ca05c3f53.exe

Filesize
142KB

MD5
43de5e84da5fe0d8faf204ac8aa8e92d

SHA1
204e84185112ba2fcee5703e7c7c4df943415e8a

SHA256
44c61c2ab9d7193771fdb60838be91ca6794a6dd8d43db4266c737647ed80335

SHA512
2b98e49371583b58d394b9d23a3080de8c18bf664eca040e8707eed83181021291e763fd1b91fa72286476c1c25ab2f1bb38dc548c0b00dcc07b1007be7510cf

Download Submit
memory/1544-12-0x0000000002CC0000-0x0000000002D26000-memory.dmp

Filesize
408KB

Download
memory/1544-15-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1544-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1544-1-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1544-2-0x0000000000210000-0x0000000000276000-memory.dmp

Filesize
408KB

Download
memory/2536-22-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2536-18-0x0000000000190000-0x00000000001F6000-memory.dmp

Filesize
408KB

Download
memory/2536-25-0x0000000002CD0000-0x0000000002D2F000-memory.dmp

Filesize
380KB

Download
memory/2536-76-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2536-82-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2536-81-0x0000000008600000-0x000000000863C000-memory.dmp

Filesize
240KB

Download