a4b0bc18733c1f407ff47f492d3f9c14b19e336f9b49b7984e947923df04283a

Analysis

max time kernel
141s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 21:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b0c097bb30396d26b3cfa4d06da47fb.exe
Size

385KB
MD5

3b0c097bb30396d26b3cfa4d06da47fb
SHA1

90db119e3986bf32d71619d89494bdee0007c116
SHA256

a4b0bc18733c1f407ff47f492d3f9c14b19e336f9b49b7984e947923df04283a
SHA512

86216f22b380a3e3e5a364180e7c749208c2035b87663ffd039039cd20c0e78f8e644f199c4689ccce367df42be68eecbd7fbece2cb510c425c1b880cb67ec1d
SSDEEP

12288:vgR27WNZF9zKakxUmRklPX4I7xjtgmaCVbAHUsJNB:vNaNZF9wUmihD70makbAH/bB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1896	3b0c097bb30396d26b3cfa4d06da47fb.exe

Executes dropped EXE 1 IoCs

pid	Process
1896	3b0c097bb30396d26b3cfa4d06da47fb.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4732	3b0c097bb30396d26b3cfa4d06da47fb.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4732	3b0c097bb30396d26b3cfa4d06da47fb.exe
1896	3b0c097bb30396d26b3cfa4d06da47fb.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4732 wrote to memory of 1896	4732	3b0c097bb30396d26b3cfa4d06da47fb.exe	89
PID 4732 wrote to memory of 1896	4732	3b0c097bb30396d26b3cfa4d06da47fb.exe	89
PID 4732 wrote to memory of 1896	4732	3b0c097bb30396d26b3cfa4d06da47fb.exe	89

C:\Users\Admin\AppData\Local\Temp\3b0c097bb30396d26b3cfa4d06da47fb.exe
"C:\Users\Admin\AppData\Local\Temp\3b0c097bb30396d26b3cfa4d06da47fb.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4732
- C:\Users\Admin\AppData\Local\Temp\3b0c097bb30396d26b3cfa4d06da47fb.exe
  C:\Users\Admin\AppData\Local\Temp\3b0c097bb30396d26b3cfa4d06da47fb.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3b0c097bb30396d26b3cfa4d06da47fb.exe

Filesize
385KB

MD5
4d76c81452545885f8d031eaae6aa7c6

SHA1
3e5ca7f3ef04aca69804b5fe9554f31ad42c185d

SHA256
ae78517393c71e8bbd6494ac5c5b8554adb968f995b2a7fe5f7f0a86eadfc78b

SHA512
9363f288e67f1d92424e68034086584c42e1c95e59cbdccbc6cfb9b6e1881874c7d211e095c4ad97926548cc6c7df60df6927bcd5c2dbe63c5122d5decb33ce3

Download Submit
memory/1896-14-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1896-16-0x0000000001600000-0x0000000001666000-memory.dmp

Filesize
408KB

Download
memory/1896-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1896-20-0x0000000004EE0000-0x0000000004F3F000-memory.dmp

Filesize
380KB

Download
memory/1896-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1896-35-0x000000000B600000-0x000000000B63C000-memory.dmp

Filesize
240KB

Download
memory/1896-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4732-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4732-1-0x00000000014D0000-0x0000000001536000-memory.dmp

Filesize
408KB

Download
memory/4732-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4732-12-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download