1c8342823cc380cba32495dd6056f9cdc4fd4461902ee295d378be80a2212ea3

Analysis

max time kernel
159s
max time network
183s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 02:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

23f81c8bdd9aa3e22c34c9f17dc0fb4d.exe
Size

907KB
MD5

23f81c8bdd9aa3e22c34c9f17dc0fb4d
SHA1

2ee7d7926a25cace8ff18dd3ec864f515b687dcb
SHA256

1c8342823cc380cba32495dd6056f9cdc4fd4461902ee295d378be80a2212ea3
SHA512

8e1a1b88fe4411d15833175f592d95fb4d89d06b1624abe2c4d43d830be9810cc0cbcfa0707989850cce1eb7c9400d42b1b05ed4ab9c2e15dac7d3790779f617
SSDEEP

12288:vXnIub7x3LWyFmGJL6WuPYSozWgEec+oXupYLgkG7rft1sCJvWIC7ZB5jVDa/ZS1:vXn9pWyFmGVLAGnb9zZJvWIUZB/a/ZS1

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3016	23f81c8bdd9aa3e22c34c9f17dc0fb4d.exe

Executes dropped EXE 1 IoCs

pid	Process
3016	23f81c8bdd9aa3e22c34c9f17dc0fb4d.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3452	23f81c8bdd9aa3e22c34c9f17dc0fb4d.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3452	23f81c8bdd9aa3e22c34c9f17dc0fb4d.exe
3016	23f81c8bdd9aa3e22c34c9f17dc0fb4d.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3452 wrote to memory of 3016	3452	23f81c8bdd9aa3e22c34c9f17dc0fb4d.exe	92
PID 3452 wrote to memory of 3016	3452	23f81c8bdd9aa3e22c34c9f17dc0fb4d.exe	92
PID 3452 wrote to memory of 3016	3452	23f81c8bdd9aa3e22c34c9f17dc0fb4d.exe	92

C:\Users\Admin\AppData\Local\Temp\23f81c8bdd9aa3e22c34c9f17dc0fb4d.exe
"C:\Users\Admin\AppData\Local\Temp\23f81c8bdd9aa3e22c34c9f17dc0fb4d.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3452
- C:\Users\Admin\AppData\Local\Temp\23f81c8bdd9aa3e22c34c9f17dc0fb4d.exe
  C:\Users\Admin\AppData\Local\Temp\23f81c8bdd9aa3e22c34c9f17dc0fb4d.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\23f81c8bdd9aa3e22c34c9f17dc0fb4d.exe

Filesize
907KB

MD5
375b0171658dda6ee92bb7331375149c

SHA1
f15eb935c6585574135bdf47d668dcaf9df80520

SHA256
8dc58965a98b17a9a3d26e12a3e7ab5af1e0b9c0281e747ccbc7e1bf8da6e36f

SHA512
c457eed7fe0b0f85d8727c6024e93a579597a0e90269f77cb8b72fe553ee95b54d83399b53512d0ec76138f37d091e0b5a5ce247a2aeab4b4502f34b4a1dcaa5

Download Submit
memory/3016-13-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/3016-14-0x00000000016C0000-0x00000000017A8000-memory.dmp

Filesize
928KB

Download
memory/3016-20-0x00000000050B0000-0x000000000516B000-memory.dmp

Filesize
748KB

Download
memory/3016-21-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/3016-30-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3016-34-0x000000000B800000-0x000000000B898000-memory.dmp

Filesize
608KB

Download
memory/3452-0-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/3452-1-0x0000000001690000-0x0000000001778000-memory.dmp

Filesize
928KB

Download
memory/3452-2-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/3452-12-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download