e8f5d067733aca74cb51f8c865a6a22b984af1ecd951cd8e7a14e1b111a4fe0a

Analysis

max time kernel
3s
max time network
119s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 11:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

170afa23564ebc922d1f60b228fe49a8.exe
Size

385KB
MD5

170afa23564ebc922d1f60b228fe49a8
SHA1

22a7ed8415e25b389495dcb0476ae13cc5850890
SHA256

e8f5d067733aca74cb51f8c865a6a22b984af1ecd951cd8e7a14e1b111a4fe0a
SHA512

2fd1d1b2aa7c20f926f5fb005edd6ad8b9af97c42f220a702390c390df1c7f9a5a30abaf39e8158560412d7be26c84366be7c851a5497d9c2186501ff23909e9
SSDEEP

6144:vhWI/exImme8o62ezLLXVggORLry0Sfbp7b9pIw/YrfCB:M3XvezdggkkbhjI2YrfCB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2448	170afa23564ebc922d1f60b228fe49a8.exe

Executes dropped EXE 1 IoCs

pid	Process
2448	170afa23564ebc922d1f60b228fe49a8.exe

Loads dropped DLL 1 IoCs

pid	Process
1776	170afa23564ebc922d1f60b228fe49a8.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1776	170afa23564ebc922d1f60b228fe49a8.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1776	170afa23564ebc922d1f60b228fe49a8.exe
2448	170afa23564ebc922d1f60b228fe49a8.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1776 wrote to memory of 2448	1776	170afa23564ebc922d1f60b228fe49a8.exe	14
PID 1776 wrote to memory of 2448	1776	170afa23564ebc922d1f60b228fe49a8.exe	14
PID 1776 wrote to memory of 2448	1776	170afa23564ebc922d1f60b228fe49a8.exe	14
PID 1776 wrote to memory of 2448	1776	170afa23564ebc922d1f60b228fe49a8.exe	14

C:\Users\Admin\AppData\Local\Temp\170afa23564ebc922d1f60b228fe49a8.exe
C:\Users\Admin\AppData\Local\Temp\170afa23564ebc922d1f60b228fe49a8.exe
1⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of UnmapMainImage
PID:2448

C:\Users\Admin\AppData\Local\Temp\170afa23564ebc922d1f60b228fe49a8.exe
"C:\Users\Admin\AppData\Local\Temp\170afa23564ebc922d1f60b228fe49a8.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\170afa23564ebc922d1f60b228fe49a8.exe

Filesize
24KB

MD5
4edd9d29aa08413031212c994b8000eb

SHA1
f75df23ba7588ae273eec0af8897ba310754a34f

SHA256
e71f52d12b38f4f4291b650bbb1158e088ec1f3151dd9a4bcc2bd146941f116b

SHA512
c3594427daa560e366bb613cd9c8649e169a53b9a55b46b57b7ae8afe5ebf36f6c94c8ba871d097eb60dd66dbc59571a815c666cace5fa72ac2d274d36654f9a

Download Submit
\Users\Admin\AppData\Local\Temp\170afa23564ebc922d1f60b228fe49a8.exe

Filesize
26KB

MD5
013f1ae581b1d067fb520c95288aeb64

SHA1
cc07ffa42075fa0ef6f18904e56e74bb111bf004

SHA256
1f15169501454e640f7108939dd4eede81e4c4699836793a57709dc59a09282c

SHA512
808a7d7a0f3ddc2095e64ce716d5d9a3af61999245b1cdee25e62eb3331ed18bfc25107f8ccf1728f9864a97c356e6dae1338eb870a2b8ba9c41aded7437a881

Download Submit
memory/1776-14-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1776-2-0x0000000000340000-0x00000000003A6000-memory.dmp

Filesize
408KB

Download
memory/1776-16-0x0000000002E60000-0x0000000002EC6000-memory.dmp

Filesize
408KB

Download
memory/1776-1-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1776-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2448-21-0x0000000000190000-0x00000000001F6000-memory.dmp

Filesize
408KB

Download
memory/2448-19-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2448-23-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2448-29-0x0000000001470000-0x00000000014CF000-memory.dmp

Filesize
380KB

Download
memory/2448-83-0x0000000005570000-0x00000000055AC000-memory.dmp

Filesize
240KB

Download
memory/2448-82-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2448-77-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2448-84-0x0000000005570000-0x00000000055AC000-memory.dmp

Filesize
240KB

Download