827249fc3cca8be52611f42b9fe677a8bd0d300b399ee5e253f461d4445c67f5

Analysis

max time kernel
152s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2023 12:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36f93a58940c8466cf4869f8396ed7aa.exe
Size

385KB
MD5

36f93a58940c8466cf4869f8396ed7aa
SHA1

d79d1a47920a9ea68e1881fb4236ae26a99d1886
SHA256

827249fc3cca8be52611f42b9fe677a8bd0d300b399ee5e253f461d4445c67f5
SHA512

ccbc5a569c55ae9efa86bd7dd67f3ad9aea7da7633c1b525f059301685611c92a28222c6e4d88a9b4161d737ec2512da50787238056ae7a6a6e974123278f6ad
SSDEEP

6144:zLoYovDtv9LJr8JIOAmFo546FG1jIg5MMTHuu9EsFuIGNeNRTETSS1DeGezhlB:+Ltv9LJmALFG1c+HDX3GQzETSgDJe9lB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1360	36f93a58940c8466cf4869f8396ed7aa.exe

Executes dropped EXE 1 IoCs

pid	Process
1360	36f93a58940c8466cf4869f8396ed7aa.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
5052	36f93a58940c8466cf4869f8396ed7aa.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
5052	36f93a58940c8466cf4869f8396ed7aa.exe
1360	36f93a58940c8466cf4869f8396ed7aa.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5052 wrote to memory of 1360	5052	36f93a58940c8466cf4869f8396ed7aa.exe	93
PID 5052 wrote to memory of 1360	5052	36f93a58940c8466cf4869f8396ed7aa.exe	93
PID 5052 wrote to memory of 1360	5052	36f93a58940c8466cf4869f8396ed7aa.exe	93

C:\Users\Admin\AppData\Local\Temp\36f93a58940c8466cf4869f8396ed7aa.exe
"C:\Users\Admin\AppData\Local\Temp\36f93a58940c8466cf4869f8396ed7aa.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:5052
- C:\Users\Admin\AppData\Local\Temp\36f93a58940c8466cf4869f8396ed7aa.exe
  C:\Users\Admin\AppData\Local\Temp\36f93a58940c8466cf4869f8396ed7aa.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\36f93a58940c8466cf4869f8396ed7aa.exe

Filesize
385KB

MD5
f52d330499d8bc74d927b61d97b919ce

SHA1
10d4b70c3c63a9618624a4b6223a19d3d1560ccc

SHA256
18a72a25661e718fbce3db9d26de207111b7ae5b20b4943a9cf3fcd8bc28ea03

SHA512
46151767a0bb2952c71f9c5d5d2e636607ec4d1184d58aceb0875e3ba8b3816a386993f156ddbd2c97308aac704485521496de0dfef8a67f4521386d29bdf638

Download Submit
memory/1360-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1360-14-0x0000000001620000-0x0000000001686000-memory.dmp

Filesize
408KB

Download
memory/1360-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1360-20-0x0000000004E80000-0x0000000004EDF000-memory.dmp

Filesize
380KB

Download
memory/1360-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1360-35-0x000000000B600000-0x000000000B63C000-memory.dmp

Filesize
240KB

Download
memory/1360-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/5052-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/5052-1-0x00000000015A0000-0x0000000001606000-memory.dmp

Filesize
408KB

Download
memory/5052-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/5052-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download