1b479d2d4a0e029b91c2364eb55d0b24f7a518b232efd976bfb00964de8c2f5d

Analysis

max time kernel
3s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 04:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

282fc51cdfbb2d609fdc67b3394dec9b.exe
Size

385KB
MD5

282fc51cdfbb2d609fdc67b3394dec9b
SHA1

d9677f445a22889efcc4fbc9f3eefafae02eea4a
SHA256

1b479d2d4a0e029b91c2364eb55d0b24f7a518b232efd976bfb00964de8c2f5d
SHA512

3f469cc92d941f67d22cb2b852868bf7cebfb0022a7fad7b3300c336b0ee3f3ce93bdb276c837269208a18be1bee8fb81546dfdfaab33b4648aae94f27315e41
SSDEEP

6144:Nh4hjjqm+HC4RiAYRtPhvkqpKGZ/0P67cM+XGqjp//WIX4XMzAI+3sB:H4hCm6C4Rc5vkU3Zu9Lp/DXIMzAI+3sB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2052	282fc51cdfbb2d609fdc67b3394dec9b.exe

Executes dropped EXE 1 IoCs

pid	Process
2052	282fc51cdfbb2d609fdc67b3394dec9b.exe

Loads dropped DLL 1 IoCs

pid	Process
2888	282fc51cdfbb2d609fdc67b3394dec9b.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2888	282fc51cdfbb2d609fdc67b3394dec9b.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2888	282fc51cdfbb2d609fdc67b3394dec9b.exe
2052	282fc51cdfbb2d609fdc67b3394dec9b.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 2052	2888	282fc51cdfbb2d609fdc67b3394dec9b.exe	13
PID 2888 wrote to memory of 2052	2888	282fc51cdfbb2d609fdc67b3394dec9b.exe	13
PID 2888 wrote to memory of 2052	2888	282fc51cdfbb2d609fdc67b3394dec9b.exe	13
PID 2888 wrote to memory of 2052	2888	282fc51cdfbb2d609fdc67b3394dec9b.exe	13

C:\Users\Admin\AppData\Local\Temp\282fc51cdfbb2d609fdc67b3394dec9b.exe
"C:\Users\Admin\AppData\Local\Temp\282fc51cdfbb2d609fdc67b3394dec9b.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Users\Admin\AppData\Local\Temp\282fc51cdfbb2d609fdc67b3394dec9b.exe
  C:\Users\Admin\AppData\Local\Temp\282fc51cdfbb2d609fdc67b3394dec9b.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\282fc51cdfbb2d609fdc67b3394dec9b.exe

Filesize
92KB

MD5
a11eb16d4a046c6f60c2cca502180268

SHA1
ffdb99f357ba731ddb0718730f2e91469db7a73c

SHA256
3292c1c21f06fc1735909ce17db3ceded0266f7440cc0bea61e0b18352d2b258

SHA512
8d3788d33cdea158167200c037c63664cc053676e92c8e27a8736eeb21b83674512d3067a98554dde46439d4ee73e057c831f36a0ff74bf76fe1b86b413fad3b

Download Submit
memory/2052-29-0x0000000001470000-0x00000000014CF000-memory.dmp

Filesize
380KB

Download
memory/2052-19-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2052-23-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2052-21-0x0000000000210000-0x0000000000276000-memory.dmp

Filesize
408KB

Download
memory/2052-88-0x000000000D600000-0x000000000D63C000-memory.dmp

Filesize
240KB

Download
memory/2052-87-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2052-82-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2888-2-0x0000000000340000-0x00000000003A6000-memory.dmp

Filesize
408KB

Download
memory/2888-1-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2888-16-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/2888-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2888-13-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download