20a96de56822c2365557809a785bff662b21e552cdfcc6ce1a090e78dffe8c47

Analysis

max time kernel
163s
max time network
184s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2023 13:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

37c3a8de48dc3f4e251d7df501b848e3.exe
Size

385KB
MD5

37c3a8de48dc3f4e251d7df501b848e3
SHA1

f76ab69209e432bc4fc5108a933205230002d2f8
SHA256

20a96de56822c2365557809a785bff662b21e552cdfcc6ce1a090e78dffe8c47
SHA512

64a17db3c1ccee0ba0964b2d99df702124e854938b330f472194a7e63b6b3ddd1f67a79db44f9baf4c5cd153105481236f7e403990cdf12a1308849a52360e69
SSDEEP

12288:j8adAbs4k9SzifoyCAGT1acB/sx2tQm8XDOHSMdT86oB:AHkdfoAk1acBPQm8GS0T86oB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2172	37c3a8de48dc3f4e251d7df501b848e3.exe

Executes dropped EXE 1 IoCs

pid	Process
2172	37c3a8de48dc3f4e251d7df501b848e3.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1944	37c3a8de48dc3f4e251d7df501b848e3.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1944	37c3a8de48dc3f4e251d7df501b848e3.exe
2172	37c3a8de48dc3f4e251d7df501b848e3.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1944 wrote to memory of 2172	1944	37c3a8de48dc3f4e251d7df501b848e3.exe	91
PID 1944 wrote to memory of 2172	1944	37c3a8de48dc3f4e251d7df501b848e3.exe	91
PID 1944 wrote to memory of 2172	1944	37c3a8de48dc3f4e251d7df501b848e3.exe	91

C:\Users\Admin\AppData\Local\Temp\37c3a8de48dc3f4e251d7df501b848e3.exe
"C:\Users\Admin\AppData\Local\Temp\37c3a8de48dc3f4e251d7df501b848e3.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Users\Admin\AppData\Local\Temp\37c3a8de48dc3f4e251d7df501b848e3.exe
  C:\Users\Admin\AppData\Local\Temp\37c3a8de48dc3f4e251d7df501b848e3.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\37c3a8de48dc3f4e251d7df501b848e3.exe

Filesize
385KB

MD5
fadc62d4d7bb9fdd615106c31e0fcea5

SHA1
73ed9ca4022f43da2a98ce592aeeb4baaa16afa3

SHA256
b2d05fa7f633253ca7ae6f225a2a4d19f26dd77b66348ac9075b51ade2592635

SHA512
e1a6fcf421ea94e67e65d40d6d71961e0fa65c2754ca381fd084e4beead2a6788caf88a70d4edd75454322c70d44d713cdb9c479aaf6a0dff015c66fc35b784c

Download Submit
memory/1944-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1944-1-0x0000000000140000-0x00000000001A6000-memory.dmp

Filesize
408KB

Download
memory/1944-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1944-12-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2172-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2172-14-0x0000000001640000-0x00000000016A6000-memory.dmp

Filesize
408KB

Download
memory/2172-20-0x0000000004EA0000-0x0000000004EFF000-memory.dmp

Filesize
380KB

Download
memory/2172-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2172-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2172-35-0x000000000C640000-0x000000000C67C000-memory.dmp

Filesize
240KB

Download
memory/2172-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download