427a0b3afda1ffd1e88c84abd443c594ca1c2478b3a48f9347afdf87e2039f65

Analysis

max time kernel
127s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2023, 23:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19a01985cb0df7732e9f1bb115a5caea.exe
Size

385KB
MD5

19a01985cb0df7732e9f1bb115a5caea
SHA1

cff69c90814ce1c2eecf2708c931a14f7758d557
SHA256

427a0b3afda1ffd1e88c84abd443c594ca1c2478b3a48f9347afdf87e2039f65
SHA512

0555fa76eafcaae454119780ec643cfec1f03aaa12a8f375f3f41cb06ef1a84e25bc3ce6075615b30962ef9882c98a471eb79fae6469a32afa5027c96fa52392
SSDEEP

6144:u/MtwMdkRfhkZGNds3+781eb4V5i1yfmsBuTNfjbvbMNsKGTGqsk/llOo5B:u0tbMgt3QLb85eyfFwNf3vjsktkKB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3160	19a01985cb0df7732e9f1bb115a5caea.exe

Executes dropped EXE 1 IoCs

pid	Process
3160	19a01985cb0df7732e9f1bb115a5caea.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4656	19a01985cb0df7732e9f1bb115a5caea.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4656	19a01985cb0df7732e9f1bb115a5caea.exe
3160	19a01985cb0df7732e9f1bb115a5caea.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4656 wrote to memory of 3160	4656	19a01985cb0df7732e9f1bb115a5caea.exe	18
PID 4656 wrote to memory of 3160	4656	19a01985cb0df7732e9f1bb115a5caea.exe	18
PID 4656 wrote to memory of 3160	4656	19a01985cb0df7732e9f1bb115a5caea.exe	18

C:\Users\Admin\AppData\Local\Temp\19a01985cb0df7732e9f1bb115a5caea.exe
"C:\Users\Admin\AppData\Local\Temp\19a01985cb0df7732e9f1bb115a5caea.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4656
- C:\Users\Admin\AppData\Local\Temp\19a01985cb0df7732e9f1bb115a5caea.exe
  C:\Users\Admin\AppData\Local\Temp\19a01985cb0df7732e9f1bb115a5caea.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:3160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\19a01985cb0df7732e9f1bb115a5caea.exe

Filesize
385KB

MD5
1e4073c4b1211e701cf0409416330296

SHA1
abf9485753f4f18a686bc6e6865295a6b1924ce7

SHA256
69117a33b2b02660f55b9e73b7e9e57b69b50d5b24f2822076ae2a7a26db4a98

SHA512
793cefd68dc2d19dea925238856a550d9968229f95a8059593887470f1482fc372d7454d8a8d82e05684ab02aaa6aacd1ca59f5dfab900a75f37a5777890d975

Download Submit
memory/3160-14-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3160-20-0x0000000004EA0000-0x0000000004EFF000-memory.dmp

Filesize
380KB

Download
memory/3160-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3160-17-0x00000000014D0000-0x0000000001536000-memory.dmp

Filesize
408KB

Download
memory/3160-32-0x000000000B600000-0x000000000B63C000-memory.dmp

Filesize
240KB

Download
memory/3160-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3160-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4656-1-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/4656-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4656-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4656-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download