b90718d8bddbcc9b4acbbcc7b8732d0f7f424a065b29a78545a741636d1ee877

Analysis

max time kernel
4s
max time network
123s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
10/01/2024, 05:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4fb8238392f5620233751ecde4092b84.exe
Size

771KB
MD5

4fb8238392f5620233751ecde4092b84
SHA1

08bc114fff86109bbb4169ca4ac1eb770a9bf680
SHA256

b90718d8bddbcc9b4acbbcc7b8732d0f7f424a065b29a78545a741636d1ee877
SHA512

f3c29ed8755419781df04cc61f435e48c4079d478bc5a1bba81b58a00b60ace0deeddad2f09c8ddd95eb1582ccf4e652f34cc4203f989462d95dbd12b599ae8f
SSDEEP

24576:ixuoMBMIdW+xD0I6hRozTCPtb10hJaothZ2/T6FBBB:ixuoMBMIdt0I6hRKTKB/ofT

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1932	4fb8238392f5620233751ecde4092b84.exe

Executes dropped EXE 1 IoCs

pid	Process
1932	4fb8238392f5620233751ecde4092b84.exe

Loads dropped DLL 1 IoCs

pid	Process
2004	4fb8238392f5620233751ecde4092b84.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2004	4fb8238392f5620233751ecde4092b84.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2004	4fb8238392f5620233751ecde4092b84.exe
1932	4fb8238392f5620233751ecde4092b84.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 1932	2004	4fb8238392f5620233751ecde4092b84.exe	16
PID 2004 wrote to memory of 1932	2004	4fb8238392f5620233751ecde4092b84.exe	16
PID 2004 wrote to memory of 1932	2004	4fb8238392f5620233751ecde4092b84.exe	16
PID 2004 wrote to memory of 1932	2004	4fb8238392f5620233751ecde4092b84.exe	16

C:\Users\Admin\AppData\Local\Temp\4fb8238392f5620233751ecde4092b84.exe
C:\Users\Admin\AppData\Local\Temp\4fb8238392f5620233751ecde4092b84.exe
1⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of UnmapMainImage
PID:1932

C:\Users\Admin\AppData\Local\Temp\4fb8238392f5620233751ecde4092b84.exe
"C:\Users\Admin\AppData\Local\Temp\4fb8238392f5620233751ecde4092b84.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\4fb8238392f5620233751ecde4092b84.exe

Filesize
13KB

MD5
ebf7dfd5b092be4aa6d60c582883dd31

SHA1
8d26a22a61ffb998f187da5af935bb1023b9a688

SHA256
1649c2d05c3c677b29e4fa58653ba019b42ac11525e0af7ad2cdb167e2902e80

SHA512
da5da506e1c61f34ec2887c77c827518ab364b23d894ad1d21bb61fc71d94dc84465ab5cdd3c771ac6d3511680f90deeba5f252be36e66c9a6d2759a5706c825

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar23FA.tmp

Filesize
22KB

MD5
a7d7cae1da39849f55d7eb414a334568

SHA1
99b14985176862765917c3e0895c01ae7de5297c

SHA256
0321e623c1cfe5d61afe1bb7841eeddf7a51036a3b38bcb0d827ac5e4af7756b

SHA512
ec73980cb92835db8e064538b7e12e0cf9a1a4d4deddbe22a0237409d04338d62570d10f15e669092c5683b75304313b1d4b11b90475913ec258a473e75e7792

Download Submit
\Users\Admin\AppData\Local\Temp\4fb8238392f5620233751ecde4092b84.exe

Filesize
113KB

MD5
ad71c968c55378a0e374808dd2b4ea93

SHA1
0b0c30d3f4d420913e4d37a8bb9d150a0e91712a

SHA256
e6edd6a2f966d2bc196d774c6a3258f04b64cafd96ce9727ae6e6dcfb36fd1cd

SHA512
89cd7259e459ded41a1698777add54a4048f3e501f20bdad0c7c12640e82e4b6692088435357393aa0c57a94a575488a112cc97c8ef2b2be980df11a5d9ace7c

Download Submit
memory/1932-26-0x0000000001470000-0x00000000014CF000-memory.dmp

Filesize
380KB

Download
memory/1932-23-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1932-16-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1932-18-0x0000000000190000-0x00000000001F6000-memory.dmp

Filesize
408KB

Download
memory/1932-88-0x0000000009620000-0x000000000965C000-memory.dmp

Filesize
240KB

Download
memory/1932-87-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1932-82-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2004-14-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2004-12-0x0000000003010000-0x0000000003076000-memory.dmp

Filesize
408KB

Download
memory/2004-1-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2004-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2004-3-0x0000000000380000-0x00000000003E6000-memory.dmp

Filesize
408KB

Download