Analysis
-
max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags
arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
submitted
03/01/2024, 20:00
Static task
static1
Behavioral task
behavioral1
Sample
3ef1f5a985a26a50781d07c540ca18e2.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
3ef1f5a985a26a50781d07c540ca18e2.exe
Resource
win10v2004-20231215-en
General
-
Target
3ef1f5a985a26a50781d07c540ca18e2.exe
-
Size
385KB
-
MD5
3ef1f5a985a26a50781d07c540ca18e2
-
SHA1
c78fd117e3e290b912f81ce4432ccbb8b239cfb4
-
SHA256
f74e6c6e6d19a64254d74e98901144486d2e359fab4e21f818c7d4c72b7928db
-
SHA512
ad249534766feac1dc6dd1dd1668817517079966469391101624b847d0e99d6ea66257819f6377bf9364f65e7471222a03f58a4aa82ae23913b5c69093f71d8b
-
SSDEEP
6144:I4TRbGJpsJwue/Zfn3gtrqJcIKyrROQpo+E5KFT69Qv6l2OLwPDLTuPpPi8xysLB:9Rbmd3F9JhZFTSQv0fLaDXuPpryAB
Malware Config
Signatures
-
Deletes itself 1 IoCs
PID 2056: 3ef1f5a985a26a50781d07c540ca18e2.exe
Executes dropped EXE 1 IoCs
PID 2056: 3ef1f5a985a26a50781d07c540ca18e2.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious behavior: RenamesItself 1 IoCs
PID 4896: 3ef1f5a985a26a50781d07c540ca18e2.exe
Suspicious use of UnmapMainImage 2 IoCs
PID 4896: 3ef1f5a985a26a50781d07c540ca18e2.exe
PID 2056: 3ef1f5a985a26a50781d07c540ca18e2.exe
Suspicious use of WriteProcessMemory 3 IoCs
PID 4896 (3ef1f5a985a26a50781d07c540ca18e2.exe) wrote to memory of PID 2056, target procid 87
PID 4896 (3ef1f5a985a26a50781d07c540ca18e2.exe) wrote to memory of PID 2056, target procid 87
PID 4896 (3ef1f5a985a26a50781d07c540ca18e2.exe) wrote to memory of PID 2056, target procid 87
Processes
-
Depth 1: C:\Users\Admin\AppData\Local\Temp\3ef1f5a985a26a50781d07c540ca18e2.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\3ef1f5a985a26a50781d07c540ca18e2.exe"
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4896
Depth 2: C:\Users\Admin\AppData\Local\Temp\3ef1f5a985a26a50781d07c540ca18e2.exe
Command line: C:\Users\Admin\AppData\Local\Temp\3ef1f5a985a26a50781d07c540ca18e2.exe
- Deletes itself
- Executes dropped EXE
- Suspicious use of UnmapMainImage
PID:2056
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
385KB
MD5
fc16c2ba7ff0181c0fcd509c99608079
SHA1
7872de4780ea2f20caf360691ab3f28cb59c8b74
SHA256
7953bcf1be12f71b81879f5ec132c8f0c1b82124e2834fcc7b62cb25933b076f
SHA512
2153fcb7f3f3659b04bf92796eac653e852b65eb4c21051ac91289e959b25db24fecea67892def3c9f9afd326259007df044cf5381a24ff335da6405e3de74cc