97d8bc270de817e8c63b3f66c007ebabf5cda53f1a749919b6dba8850dcdfbf7

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 13:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1aa7a5bfe0a5ec7309d022ed52a5a488.exe
Size

385KB
MD5

1aa7a5bfe0a5ec7309d022ed52a5a488
SHA1

206966475f49a260b07f3184cf8451155976ddcd
SHA256

97d8bc270de817e8c63b3f66c007ebabf5cda53f1a749919b6dba8850dcdfbf7
SHA512

2ba417c71cfdbff3cf56830e3cb29c35eeaff5908a5ef4b1580d62a24954a272f8d1975e07376edeadac03a8f6dab75c368926b5ed082608bb1ce4412c78fcf7
SSDEEP

6144:JqQUXtBx5kXoVEC2gDmso6qjrpvl4QqREiB/h+/jnHEH56CnbQoiE0l0WTB:kb5woaQCjJqRB+rHEZ6wQG8TB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
508	1aa7a5bfe0a5ec7309d022ed52a5a488.exe

Executes dropped EXE 1 IoCs

pid	Process
508	1aa7a5bfe0a5ec7309d022ed52a5a488.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3364	1aa7a5bfe0a5ec7309d022ed52a5a488.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3364	1aa7a5bfe0a5ec7309d022ed52a5a488.exe
508	1aa7a5bfe0a5ec7309d022ed52a5a488.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3364 wrote to memory of 508	3364	1aa7a5bfe0a5ec7309d022ed52a5a488.exe	88
PID 3364 wrote to memory of 508	3364	1aa7a5bfe0a5ec7309d022ed52a5a488.exe	88
PID 3364 wrote to memory of 508	3364	1aa7a5bfe0a5ec7309d022ed52a5a488.exe	88

C:\Users\Admin\AppData\Local\Temp\1aa7a5bfe0a5ec7309d022ed52a5a488.exe
"C:\Users\Admin\AppData\Local\Temp\1aa7a5bfe0a5ec7309d022ed52a5a488.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3364
- C:\Users\Admin\AppData\Local\Temp\1aa7a5bfe0a5ec7309d022ed52a5a488.exe
  C:\Users\Admin\AppData\Local\Temp\1aa7a5bfe0a5ec7309d022ed52a5a488.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1aa7a5bfe0a5ec7309d022ed52a5a488.exe

Filesize
385KB

MD5
92ebe6080eee7d1071484e9cd41668d4

SHA1
0344055b31313cb40f6e2ba656076db56dc5fddb

SHA256
feb94e7f15dbf2e85929cdfcd3c06e56e4933f94d362715d864cc5a0d34bf531

SHA512
f64245ef741bb1d9ad4a7c74fc506d17d8a7d258a36f9fe5a3dacb09d72f2ff8320a884c14ad378efcb1bce40d9c3eb824ad77b5537191091003cb6a39975bfa

Download Submit
memory/508-16-0x0000000000160000-0x00000000001C6000-memory.dmp

Filesize
408KB

Download
memory/508-14-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/508-26-0x0000000004ED0000-0x0000000004F2F000-memory.dmp

Filesize
380KB

Download
memory/508-20-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/508-32-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/508-37-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/508-38-0x000000000D660000-0x000000000D69C000-memory.dmp

Filesize
240KB

Download
memory/508-39-0x000000000D660000-0x000000000D69C000-memory.dmp

Filesize
240KB

Download
memory/3364-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3364-1-0x0000000000140000-0x00000000001A6000-memory.dmp

Filesize
408KB

Download
memory/3364-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3364-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download