6e0ae996a81e1859fe2a039edffa1bddd0194a15078eb1056314b57d99335167

Analysis

max time kernel
2s
max time network
134s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 20:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1bd0536bbb58125a5006c1e597e7235f.exe
Size

385KB
MD5

1bd0536bbb58125a5006c1e597e7235f
SHA1

04bc46012d2bb992a812f493a1b33887fccd2ada
SHA256

6e0ae996a81e1859fe2a039edffa1bddd0194a15078eb1056314b57d99335167
SHA512

d37c18a8a35d9009ce073e6e060b0f333f2faa6da17e49f82803722d4d4e8b452842a37c9d098441115a2c42aa872a315dde08cef739927a7023a1753e00cbb4
SSDEEP

6144:stB5xZ694yiFHM5SnwozuW7YsIpsRP0cqU8NaNZomeLBXx/V5rP7PB:YBPZPyiC52qW7wpsJuUEwameLBZLB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2620	1bd0536bbb58125a5006c1e597e7235f.exe

Executes dropped EXE 1 IoCs

pid	Process
2620	1bd0536bbb58125a5006c1e597e7235f.exe

Loads dropped DLL 1 IoCs

pid	Process
2932	1bd0536bbb58125a5006c1e597e7235f.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2932	1bd0536bbb58125a5006c1e597e7235f.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2932	1bd0536bbb58125a5006c1e597e7235f.exe
2620	1bd0536bbb58125a5006c1e597e7235f.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 2620	2932	1bd0536bbb58125a5006c1e597e7235f.exe	17
PID 2932 wrote to memory of 2620	2932	1bd0536bbb58125a5006c1e597e7235f.exe	17
PID 2932 wrote to memory of 2620	2932	1bd0536bbb58125a5006c1e597e7235f.exe	17
PID 2932 wrote to memory of 2620	2932	1bd0536bbb58125a5006c1e597e7235f.exe	17

C:\Users\Admin\AppData\Local\Temp\1bd0536bbb58125a5006c1e597e7235f.exe
"C:\Users\Admin\AppData\Local\Temp\1bd0536bbb58125a5006c1e597e7235f.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Users\Admin\AppData\Local\Temp\1bd0536bbb58125a5006c1e597e7235f.exe
  C:\Users\Admin\AppData\Local\Temp\1bd0536bbb58125a5006c1e597e7235f.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1bd0536bbb58125a5006c1e597e7235f.exe

Filesize
381KB

MD5
74fdb19c03fae6012510387ec7808625

SHA1
f33db3ece77104da37c5d13c10af6c323c5cdc2e

SHA256
3ecc45084096007a59a616757bfc6dfad9816e590ad834f35c9fb6c766585e13

SHA512
81f2f60043438b1f8450f14f5af2bc150c23dece10658bbbeacc8c39584bc6bc128383d408fa0fb6efe25f4dfda6606765253ca4f83d85374d91b0b60726ebe2

Download Submit
\Users\Admin\AppData\Local\Temp\1bd0536bbb58125a5006c1e597e7235f.exe

Filesize
94KB

MD5
c707081e382f3110d39cbc7137504062

SHA1
68f7670b2158d0b01b73a2c761fd35a21d14390c

SHA256
67f9698e3f152307c4b58e61f3cf6bbd4c082af0a297f00dad6423b8b0bbed19

SHA512
43570b85b4516218e57ebbef57c3fb181b764b66de74df0195441812b9d2771d67cc70c7207771d56c8d2123bf4e20017e4eb3edf674225a5f2db41d6b04f599

Download Submit
memory/2620-23-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2620-28-0x00000000002E0000-0x000000000033F000-memory.dmp

Filesize
380KB

Download
memory/2620-17-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2620-19-0x0000000000190000-0x00000000001F6000-memory.dmp

Filesize
408KB

Download
memory/2620-88-0x0000000007800000-0x000000000783C000-memory.dmp

Filesize
240KB

Download
memory/2620-87-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2620-82-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2932-2-0x0000000000190000-0x00000000001F6000-memory.dmp

Filesize
408KB

Download
memory/2932-15-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2932-12-0x0000000002DC0000-0x0000000002E26000-memory.dmp

Filesize
408KB

Download
memory/2932-1-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2932-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download