92872ee12d8109a893874e9eb3da8e9249e2faa735fa55edab3c8a5fa3515e49

Analysis

max time kernel
168s
max time network
178s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 03:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

25cb345a75f42edb09c0fb97781b7808.exe
Size

385KB
MD5

25cb345a75f42edb09c0fb97781b7808
SHA1

776f74a4f16d2240c9a87cd1b5c9740859b1a6d2
SHA256

92872ee12d8109a893874e9eb3da8e9249e2faa735fa55edab3c8a5fa3515e49
SHA512

488ef8739183777eed0069d2d29721b711bd2ff225cd4173f698aa907e600855bca1c58f27a220b7f7f3bb2d6ac27dacedbc0d82f230f2893ecb33e2004ab9ec
SSDEEP

6144:8UhmkrP3KUK56KAlL9AI4SMSNYDm7N1ffxbq+J1ihcrOgjjF1MXzpYB:BpLSAPMSNYDmrfQMVr1jjFejpYB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3044	25cb345a75f42edb09c0fb97781b7808.exe

Executes dropped EXE 1 IoCs

pid	Process
3044	25cb345a75f42edb09c0fb97781b7808.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4716	25cb345a75f42edb09c0fb97781b7808.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4716	25cb345a75f42edb09c0fb97781b7808.exe
3044	25cb345a75f42edb09c0fb97781b7808.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4716 wrote to memory of 3044	4716	25cb345a75f42edb09c0fb97781b7808.exe	91
PID 4716 wrote to memory of 3044	4716	25cb345a75f42edb09c0fb97781b7808.exe	91
PID 4716 wrote to memory of 3044	4716	25cb345a75f42edb09c0fb97781b7808.exe	91

C:\Users\Admin\AppData\Local\Temp\25cb345a75f42edb09c0fb97781b7808.exe
"C:\Users\Admin\AppData\Local\Temp\25cb345a75f42edb09c0fb97781b7808.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4716
- C:\Users\Admin\AppData\Local\Temp\25cb345a75f42edb09c0fb97781b7808.exe
  C:\Users\Admin\AppData\Local\Temp\25cb345a75f42edb09c0fb97781b7808.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:3044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\25cb345a75f42edb09c0fb97781b7808.exe

Filesize
385KB

MD5
1745ece572decefe81e64b238fa9a88e

SHA1
57b9afd2362f20390f57d0de0764f8e526714f0e

SHA256
c187806eac2d94d6c9236681701ccaff0d8e06dabf99719d7be505f7df7e8f61

SHA512
0eeefc03e0e2a29d31ed07a52257164e0b2d9fc65ac74f743271f7645c9189ee6eebe4b1dabb9c44a86f16cbffa94283c4b66acd80da31798b3bb88b1a1772bc

Download Submit
memory/3044-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3044-15-0x00000000015A0000-0x0000000001606000-memory.dmp

Filesize
408KB

Download
memory/3044-20-0x0000000004EB0000-0x0000000004F0F000-memory.dmp

Filesize
380KB

Download
memory/3044-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3044-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3044-34-0x000000000B600000-0x000000000B63C000-memory.dmp

Filesize
240KB

Download
memory/3044-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4716-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4716-1-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/4716-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4716-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download