8b154e690b2b3f0e46c13e569090cd3ad4c8fa43bb6a67cd949ef5d94344ed01

Analysis

max time kernel
145s
max time network
187s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 14:05

Target

IHC.exe
Size

11.5MB
MD5

563cbeceb23075f3889e51f995a59f12
SHA1

ae7aa3f654936cee7ebb51ec427fdb1029581d54
SHA256

8b154e690b2b3f0e46c13e569090cd3ad4c8fa43bb6a67cd949ef5d94344ed01
SHA512

bda309ddd05a155904c4d9bbd738dde90da71332bad79b3e708bf8475041cfb541480dedbaab2abc01c219227b0e5e68f4a648f3467975602b189b1a23b14f06
SSDEEP

98304:ITY7kZkyoUGF1UEnGS4x30h+SOgM9CZkSfp9p4IssgLllc:Ujk5nc3k+1u+ueIHgL3

Score

6^/10

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4772 wrote to memory of 5012	4772	IHC.exe	91
PID 4772 wrote to memory of 5012	4772	IHC.exe	91
PID 4772 wrote to memory of 3944	4772	IHC.exe	92
PID 4772 wrote to memory of 3944	4772	IHC.exe	92

C:\Users\Admin\AppData\Local\Temp\IHC.exe
"C:\Users\Admin\AppData\Local\Temp\IHC.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4772
- C:\Windows\system32\cmd.exe
  cmd /c cls
  2⤵
  PID:5012
- C:\Windows\system32\cmd.exe
  cmd /c cls
  2⤵
  PID:3944

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact