2970baebe2ab4bc222d8fb4c7b62ebac25db2df9df34c5053f39a0200215578c

Analysis

max time kernel
144s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 13:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1aaf9a26bba5f2269f152d963c06b978.exe
Size

385KB
MD5

1aaf9a26bba5f2269f152d963c06b978
SHA1

b9c81cb83e3f2dbcf9ad93aacd7e822330397bd2
SHA256

2970baebe2ab4bc222d8fb4c7b62ebac25db2df9df34c5053f39a0200215578c
SHA512

4ecc345329eb21e1cdb0a45a3edddcdd641d5ff201a03ed0d207410fdbbc5e9ac8ad4043e90a620f739c5b13fd95e779e8e00b3a9f6d2090b705a719f9e87d91
SSDEEP

6144:h/5eNiDo6BGWpJTwlgOKeZ2lyyJPpuelov9aLHoXFC89t5RVB/v3N2KH0wjBmswy:hIMoUppJ0lgNy2ro4cFC63XEKHuni/7B

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3636	1aaf9a26bba5f2269f152d963c06b978.exe

Executes dropped EXE 1 IoCs

pid	Process
3636	1aaf9a26bba5f2269f152d963c06b978.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1224	1aaf9a26bba5f2269f152d963c06b978.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1224	1aaf9a26bba5f2269f152d963c06b978.exe
3636	1aaf9a26bba5f2269f152d963c06b978.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1224 wrote to memory of 3636	1224	1aaf9a26bba5f2269f152d963c06b978.exe	54
PID 1224 wrote to memory of 3636	1224	1aaf9a26bba5f2269f152d963c06b978.exe	54
PID 1224 wrote to memory of 3636	1224	1aaf9a26bba5f2269f152d963c06b978.exe	54

C:\Users\Admin\AppData\Local\Temp\1aaf9a26bba5f2269f152d963c06b978.exe
"C:\Users\Admin\AppData\Local\Temp\1aaf9a26bba5f2269f152d963c06b978.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Users\Admin\AppData\Local\Temp\1aaf9a26bba5f2269f152d963c06b978.exe
  C:\Users\Admin\AppData\Local\Temp\1aaf9a26bba5f2269f152d963c06b978.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:3636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1aaf9a26bba5f2269f152d963c06b978.exe

Filesize
385KB

MD5
91e7504c0e7a5d2d8230b16b5f0d898a

SHA1
1221b51c1cbb230de88a98ae15fa5f418367dae3

SHA256
30c7bb965d81de83da465fe5eff06e75f4eeb998a05c3fbe0958f1c699bd186e

SHA512
2d5393ca790d738f1ec99cbea26ee7ef0b4023fc2551cb93c73551e491dee12ab2b13af5e4d8476cc3dc594c0e09a77f17f0b2400d94b2bd9a74187fdfc17e5e

Download Submit
memory/1224-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1224-1-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/1224-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1224-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3636-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3636-14-0x0000000001540000-0x00000000015A6000-memory.dmp

Filesize
408KB

Download
memory/3636-20-0x00000000015F0000-0x000000000164F000-memory.dmp

Filesize
380KB

Download
memory/3636-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3636-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3636-32-0x000000000B600000-0x000000000B63C000-memory.dmp

Filesize
240KB

Download
memory/3636-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download