797b23a2a291ae92f09654f16af98258232115834075df7c7914ca35ea124aa3

Analysis

max time kernel
141s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 05:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2acae01af62c3bca5ec444f87b8a3246.exe
Size

385KB
MD5

2acae01af62c3bca5ec444f87b8a3246
SHA1

79d1f91b0a49cd88cae2b217d7f0c82c66465a97
SHA256

797b23a2a291ae92f09654f16af98258232115834075df7c7914ca35ea124aa3
SHA512

17817275a66928c8a0cfea07da717dea654b9bd035dce19afe36f48153b5a04dd5dcdf2d10e230f2da59e84491bee22e983a8d55e477a8abba6e50c7ea229b38
SSDEEP

6144:tR3YlqwRRDiH2UpsB1708Ao29XgYWvnAzOlZG3jY7k7WkL0dmOZHRQumYsLloDmB:b3YMw/s2P08721VWvnZRoruWLrB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2368	2acae01af62c3bca5ec444f87b8a3246.exe

Executes dropped EXE 1 IoCs

pid	Process
2368	2acae01af62c3bca5ec444f87b8a3246.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3224	2acae01af62c3bca5ec444f87b8a3246.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3224	2acae01af62c3bca5ec444f87b8a3246.exe
2368	2acae01af62c3bca5ec444f87b8a3246.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3224 wrote to memory of 2368	3224	2acae01af62c3bca5ec444f87b8a3246.exe	19
PID 3224 wrote to memory of 2368	3224	2acae01af62c3bca5ec444f87b8a3246.exe	19
PID 3224 wrote to memory of 2368	3224	2acae01af62c3bca5ec444f87b8a3246.exe	19

C:\Users\Admin\AppData\Local\Temp\2acae01af62c3bca5ec444f87b8a3246.exe
C:\Users\Admin\AppData\Local\Temp\2acae01af62c3bca5ec444f87b8a3246.exe
1⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of UnmapMainImage
PID:2368

C:\Users\Admin\AppData\Local\Temp\2acae01af62c3bca5ec444f87b8a3246.exe
"C:\Users\Admin\AppData\Local\Temp\2acae01af62c3bca5ec444f87b8a3246.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2acae01af62c3bca5ec444f87b8a3246.exe

Filesize
385KB

MD5
9c4131fe7a45bfb128c5a08b38e98ea2

SHA1
8ada6c590eea7ebfde3f1abc42c92a646d52bf2b

SHA256
9c42417c8ec221ca39357e13e84fc4f4f5682c89ba8af4b61b5362cd07f9ccfe

SHA512
557b6dea041ac8b12e7f0cbeed0f13a5ab75ee31c198581f5fb0896bef2527a64906d725f691e08005de4f57c9f9238667eca7add0a65040a9783f576824d207

Download Submit
memory/2368-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2368-14-0x0000000001610000-0x0000000001676000-memory.dmp

Filesize
408KB

Download
memory/2368-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2368-20-0x0000000004EA0000-0x0000000004EFF000-memory.dmp

Filesize
380KB

Download
memory/2368-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2368-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2368-33-0x000000000B600000-0x000000000B63C000-memory.dmp

Filesize
240KB

Download
memory/3224-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3224-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3224-1-0x00000000014D0000-0x0000000001536000-memory.dmp

Filesize
408KB

Download
memory/3224-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download