82b9dc60b9330e67d2145151c59f2115c41cb3f2479ce4ed54f23f1bbe6f4f3d

Analysis

max time kernel
145s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
03/01/2024, 22:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f3ab5a1ef206c76fc9a84fa19aa7b8f.exe
Size

385KB
MD5

3f3ab5a1ef206c76fc9a84fa19aa7b8f
SHA1

6ff170d4e8c0e270b932c1568da9c84427cafc16
SHA256

82b9dc60b9330e67d2145151c59f2115c41cb3f2479ce4ed54f23f1bbe6f4f3d
SHA512

b96cb2a4ee7b86ddff787655142807306e7bb1102bdcdce776def23b5aeaac44d8af690e2f31fcbd23b51d997239f21fd07f180b322dfaa6ac8290c83418a7a9
SSDEEP

12288:z8OiD39miqm5eYVZvYp0xN+C6UNxpd935Ge6B:zyDZq6eQYON/6UlL35Ge6B

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4552	3f3ab5a1ef206c76fc9a84fa19aa7b8f.exe

Executes dropped EXE 1 IoCs

pid	Process
4552	3f3ab5a1ef206c76fc9a84fa19aa7b8f.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3192	3f3ab5a1ef206c76fc9a84fa19aa7b8f.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3192	3f3ab5a1ef206c76fc9a84fa19aa7b8f.exe
4552	3f3ab5a1ef206c76fc9a84fa19aa7b8f.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3192 wrote to memory of 4552	3192	3f3ab5a1ef206c76fc9a84fa19aa7b8f.exe	89
PID 3192 wrote to memory of 4552	3192	3f3ab5a1ef206c76fc9a84fa19aa7b8f.exe	89
PID 3192 wrote to memory of 4552	3192	3f3ab5a1ef206c76fc9a84fa19aa7b8f.exe	89

C:\Users\Admin\AppData\Local\Temp\3f3ab5a1ef206c76fc9a84fa19aa7b8f.exe
"C:\Users\Admin\AppData\Local\Temp\3f3ab5a1ef206c76fc9a84fa19aa7b8f.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3192
- C:\Users\Admin\AppData\Local\Temp\3f3ab5a1ef206c76fc9a84fa19aa7b8f.exe
  C:\Users\Admin\AppData\Local\Temp\3f3ab5a1ef206c76fc9a84fa19aa7b8f.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:4552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3f3ab5a1ef206c76fc9a84fa19aa7b8f.exe

Filesize
385KB

MD5
2d5f2b890aac5af5b6628ad6c5a66268

SHA1
0cdc4c432f24293352d4b74bfc5469d57ae3f741

SHA256
550bb4fdd166604c831bd9d061a11dc8cb199a6fc533aa7c791adb9f530a9c93

SHA512
7b5818c77ea7328c0f2d5f6d024230d790f7bbba3f857d5e3bfbe776a6552cf8e8bd9cc9794715a2f7f3748e6eb4f36152200ee70c6bc04d9beab7d1b9fd3491

Download Submit
memory/3192-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3192-1-0x0000000000150000-0x00000000001B6000-memory.dmp

Filesize
408KB

Download
memory/3192-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3192-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4552-15-0x00000000015A0000-0x0000000001606000-memory.dmp

Filesize
408KB

Download
memory/4552-14-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4552-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4552-20-0x0000000004EE0000-0x0000000004F3F000-memory.dmp

Filesize
380KB

Download
memory/4552-27-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4552-32-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4552-33-0x000000000A6A0000-0x000000000A6DC000-memory.dmp

Filesize
240KB

Download
memory/4552-34-0x000000000A6A0000-0x000000000A6DC000-memory.dmp

Filesize
240KB

Download