ce89bcaf4a585ef8989af3c72e9a0fbb8b2b1d5bff3dbb1e13f61a10b71b7c0e

Analysis

max time kernel
144s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2023, 21:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1431589c47df9738e39ea1314018a61c.exe
Size

385KB
MD5

1431589c47df9738e39ea1314018a61c
SHA1

378386012f4ce70e2c2eac67441a92bed4366ff1
SHA256

ce89bcaf4a585ef8989af3c72e9a0fbb8b2b1d5bff3dbb1e13f61a10b71b7c0e
SHA512

809e0503cf40385c3e09517d72601ea3cf303f64ea7d10e4bbb4f686803e6b1ac32a85172681ab339b8ba4f8a6b05f31dd821650958552c8239b6f0e40c367e4
SSDEEP

6144:+Lew6c/q/h3KMKCw+nbzVz6JGoBJITbrpQOZU0isZ9D7atT/FyB:+Lew6Y9C5VzwBJITbr6OZ4SD7atLcB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1896	1431589c47df9738e39ea1314018a61c.exe

Executes dropped EXE 1 IoCs

pid	Process
1896	1431589c47df9738e39ea1314018a61c.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4508	1431589c47df9738e39ea1314018a61c.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4508	1431589c47df9738e39ea1314018a61c.exe
1896	1431589c47df9738e39ea1314018a61c.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4508 wrote to memory of 1896	4508	1431589c47df9738e39ea1314018a61c.exe	16
PID 4508 wrote to memory of 1896	4508	1431589c47df9738e39ea1314018a61c.exe	16
PID 4508 wrote to memory of 1896	4508	1431589c47df9738e39ea1314018a61c.exe	16

C:\Users\Admin\AppData\Local\Temp\1431589c47df9738e39ea1314018a61c.exe
"C:\Users\Admin\AppData\Local\Temp\1431589c47df9738e39ea1314018a61c.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4508
- C:\Users\Admin\AppData\Local\Temp\1431589c47df9738e39ea1314018a61c.exe
  C:\Users\Admin\AppData\Local\Temp\1431589c47df9738e39ea1314018a61c.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1431589c47df9738e39ea1314018a61c.exe

Filesize
93KB

MD5
2f81b1bc2db835d39aa0cbdf52d8ffe1

SHA1
18394b6be92afb0ca286cd58b7bb6971bb080078

SHA256
390996d0601d37632bc33af6ae3585008fd09aec992a593775f612a6d87a1789

SHA512
42a969c8226b0ef6aed426b211a0f662e92bff7ee4e600db0c6a8139cdba3987910c81d5e48ac62f7453f780434d27af66aceca2ea03c4a8727d622243a7c980

Download Submit
memory/1896-14-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1896-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1896-20-0x0000000004EC0000-0x0000000004F1F000-memory.dmp

Filesize
380KB

Download
memory/1896-16-0x0000000000170000-0x00000000001D6000-memory.dmp

Filesize
408KB

Download
memory/1896-38-0x000000000B620000-0x000000000B65C000-memory.dmp

Filesize
240KB

Download
memory/1896-37-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1896-32-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4508-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4508-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4508-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4508-1-0x00000000014D0000-0x0000000001536000-memory.dmp

Filesize
408KB

Download