c1abfa4cf3023b8fbb84f191ce6cee2df9e30af2288275e77c1cd493bcc1004f

Analysis

max time kernel
153s
max time network
245s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 02:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

245e8f8d5b42c9b400df36c52b9cac8a.exe
Size

385KB
MD5

245e8f8d5b42c9b400df36c52b9cac8a
SHA1

e28bb26b2c3addcfc98965a4e3858c1b84dd8c43
SHA256

c1abfa4cf3023b8fbb84f191ce6cee2df9e30af2288275e77c1cd493bcc1004f
SHA512

bcde57733aad2952ac9731e70dea1bbe2a5b7390fb78e9c2b1f54febf80dc50e1f18e3c932b20595853a96ef95dc682544732530f7156607dc35717f973d9088
SSDEEP

12288:tiz9q/CZegntHG+2ck4iL+1RWHaY3GT7bFjiB:tHAeytmsk4a+mHaY3GPbFjiB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1772	245e8f8d5b42c9b400df36c52b9cac8a.exe

Executes dropped EXE 1 IoCs

pid	Process
1772	245e8f8d5b42c9b400df36c52b9cac8a.exe

Loads dropped DLL 1 IoCs

pid	Process
3012	245e8f8d5b42c9b400df36c52b9cac8a.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3012	245e8f8d5b42c9b400df36c52b9cac8a.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3012	245e8f8d5b42c9b400df36c52b9cac8a.exe
1772	245e8f8d5b42c9b400df36c52b9cac8a.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 1772	3012	245e8f8d5b42c9b400df36c52b9cac8a.exe	29
PID 3012 wrote to memory of 1772	3012	245e8f8d5b42c9b400df36c52b9cac8a.exe	29
PID 3012 wrote to memory of 1772	3012	245e8f8d5b42c9b400df36c52b9cac8a.exe	29
PID 3012 wrote to memory of 1772	3012	245e8f8d5b42c9b400df36c52b9cac8a.exe	29

C:\Users\Admin\AppData\Local\Temp\245e8f8d5b42c9b400df36c52b9cac8a.exe
"C:\Users\Admin\AppData\Local\Temp\245e8f8d5b42c9b400df36c52b9cac8a.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Users\Admin\AppData\Local\Temp\245e8f8d5b42c9b400df36c52b9cac8a.exe
  C:\Users\Admin\AppData\Local\Temp\245e8f8d5b42c9b400df36c52b9cac8a.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\245e8f8d5b42c9b400df36c52b9cac8a.exe

Filesize
118KB

MD5
f251a0159786b778565e776297d93f46

SHA1
0e33f1ee9dde37c28f51d82ebc3710134a88707f

SHA256
b9d0cc4a5aded2a595f5fe2ec9a5cf9e302cf01ffd1ceea7617fb8817c219730

SHA512
9a5c60c9e26fa6cb3e713307fb88d5803139c1afdf903d2c9d26be832bd4d067770fb7d05e51b44f79a9139f22a915ecef6cd72f15c3c7bd2b5b5a1fdb1cdb09

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8E8.tmp

Filesize
4KB

MD5
bc1b70795cc16d86e5f28aa39ade82d3

SHA1
be6434aa5c86080efc3f8f4864c433465ae8ceda

SHA256
b538a81a5d485b83da99ee834877b090a034f555dc128f6df2adcbf4cb7a9ddb

SHA512
c1a7ff842a91972621fad44799eab478ad1f972ec4f7325ab69f5fad2fe1a507d431071c5d691389c05a01a5a6d06a11bc04579d3cdc4937df409dc98460cecf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar91A.tmp

Filesize
5KB

MD5
130eef520578529e13202b4fdd08dd40

SHA1
077a19d26ddffe661aaed33ec005beda4d4335b3

SHA256
ebeb408336a726391e6746d83db0214eb02106eadb38c40fa668ce866fbffdf0

SHA512
4c7279af700dac1cc63c88130a8433b48a2d3392682b9972f52339aa96a25e2631c7cb5c584d684e36bd74837cf4c1930ca403cd5dba7c8a864c76f7260ac252

Download Submit
\Users\Admin\AppData\Local\Temp\245e8f8d5b42c9b400df36c52b9cac8a.exe

Filesize
385KB

MD5
25f287cb3d69149777490d1ef836176b

SHA1
5a758e213bc484b4d3b975f5116525bc4b4a8456

SHA256
9f2fa355802fb975f1c76a5bc279490bfe448657413d121d19d06821a097cf47

SHA512
b787bdc1c9a0237faf08d448c1256738ceaaed33f2c5f85f57b39db6eafae3223a740074e7d9a48d42bf1e93b60e693ac9dfb6a1a9799539da858bae3448f0a8

Download Submit
memory/1772-18-0x0000000000190000-0x00000000001F6000-memory.dmp

Filesize
408KB

Download
memory/1772-23-0x0000000001470000-0x00000000014CF000-memory.dmp

Filesize
380KB

Download
memory/1772-22-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1772-76-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1772-82-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1772-78-0x0000000008740000-0x000000000877C000-memory.dmp

Filesize
240KB

Download
memory/3012-12-0x0000000001680000-0x00000000016E6000-memory.dmp

Filesize
408KB

Download
memory/3012-14-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3012-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3012-1-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3012-2-0x0000000000250000-0x00000000002B6000-memory.dmp

Filesize
408KB

Download