aede44db6447287c88450d6dd1cd142a8737f641f9dd46b5290c991ec0caa5d8

Analysis

max time kernel
1s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04/01/2024, 00:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f7d088afd8d2b93c003ba513b8a5534.exe
Size

385KB
MD5

3f7d088afd8d2b93c003ba513b8a5534
SHA1

184f868394acec1091e84caf7894c43b8689de47
SHA256

aede44db6447287c88450d6dd1cd142a8737f641f9dd46b5290c991ec0caa5d8
SHA512

c9cfd60e95e9974e023ee1902763d324a94fa51b83e76a0b58720dc676bffc691e7a7900633daa36d724d82ec69e5b38e79fba1f2bc5d162d06c1c6fc3928d22
SSDEEP

6144:oiXanJgmNb+8DyVCyhf6EO0tj5Gq7E4Tv2f+/fWbBXBWhAZG8r90/lQ1fagB:oiXal+lhhf40tj55vU+mXtZGB/eB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2664	3f7d088afd8d2b93c003ba513b8a5534.exe

Executes dropped EXE 1 IoCs

pid	Process
2664	3f7d088afd8d2b93c003ba513b8a5534.exe

Loads dropped DLL 1 IoCs

pid	Process
2420	3f7d088afd8d2b93c003ba513b8a5534.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2420	3f7d088afd8d2b93c003ba513b8a5534.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2420	3f7d088afd8d2b93c003ba513b8a5534.exe
2664	3f7d088afd8d2b93c003ba513b8a5534.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 2664	2420	3f7d088afd8d2b93c003ba513b8a5534.exe	16
PID 2420 wrote to memory of 2664	2420	3f7d088afd8d2b93c003ba513b8a5534.exe	16
PID 2420 wrote to memory of 2664	2420	3f7d088afd8d2b93c003ba513b8a5534.exe	16
PID 2420 wrote to memory of 2664	2420	3f7d088afd8d2b93c003ba513b8a5534.exe	16

C:\Users\Admin\AppData\Local\Temp\3f7d088afd8d2b93c003ba513b8a5534.exe
"C:\Users\Admin\AppData\Local\Temp\3f7d088afd8d2b93c003ba513b8a5534.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Users\Admin\AppData\Local\Temp\3f7d088afd8d2b93c003ba513b8a5534.exe
  C:\Users\Admin\AppData\Local\Temp\3f7d088afd8d2b93c003ba513b8a5534.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2420-1-0x0000000000260000-0x00000000002C6000-memory.dmp

Filesize
408KB

Download
memory/2420-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2420-16-0x0000000002E00000-0x0000000002E66000-memory.dmp

Filesize
408KB

Download
memory/2420-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2420-14-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2664-19-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2664-23-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2664-29-0x00000000002D0000-0x000000000032F000-memory.dmp

Filesize
380KB

Download
memory/2664-21-0x0000000000260000-0x00000000002C6000-memory.dmp

Filesize
408KB

Download
memory/2664-83-0x000000000A610000-0x000000000A64C000-memory.dmp

Filesize
240KB

Download
memory/2664-82-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2664-77-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2664-84-0x000000000A610000-0x000000000A64C000-memory.dmp

Filesize
240KB

Download