847fb0842681a461bc0520fed8f7e61caaf9aac38691d325543432bae036a972

Analysis

max time kernel
145s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 03:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

50d8804cf3b2099aba8eda90c72a0791.exe
Size

907KB
MD5

50d8804cf3b2099aba8eda90c72a0791
SHA1

ab4a2703809224b25cf92e7a934ad7bc08d29cb7
SHA256

847fb0842681a461bc0520fed8f7e61caaf9aac38691d325543432bae036a972
SHA512

ae9149e8b39b967f95f3b12e978a723a1ca842efdabe1164e4404372ce76f4f157d5a90a67aa2834842cb793e668007978dc98a6417a516ec5473f9110b2e1d0
SSDEEP

24576:/71YPOLZHeyPK0DjXE5RllwfInpo3aezzGBa/ZS1:/gAHLzv6ueuaeziBgS

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4456	50d8804cf3b2099aba8eda90c72a0791.exe

Executes dropped EXE 1 IoCs

pid	Process
4456	50d8804cf3b2099aba8eda90c72a0791.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1528	50d8804cf3b2099aba8eda90c72a0791.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1528	50d8804cf3b2099aba8eda90c72a0791.exe
4456	50d8804cf3b2099aba8eda90c72a0791.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1528 wrote to memory of 4456	1528	50d8804cf3b2099aba8eda90c72a0791.exe	18
PID 1528 wrote to memory of 4456	1528	50d8804cf3b2099aba8eda90c72a0791.exe	18
PID 1528 wrote to memory of 4456	1528	50d8804cf3b2099aba8eda90c72a0791.exe	18

C:\Users\Admin\AppData\Local\Temp\50d8804cf3b2099aba8eda90c72a0791.exe
"C:\Users\Admin\AppData\Local\Temp\50d8804cf3b2099aba8eda90c72a0791.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1528
- C:\Users\Admin\AppData\Local\Temp\50d8804cf3b2099aba8eda90c72a0791.exe
  C:\Users\Admin\AppData\Local\Temp\50d8804cf3b2099aba8eda90c72a0791.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:4456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1528-0-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1528-2-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/1528-1-0x00000000015B0000-0x0000000001698000-memory.dmp

Filesize
928KB

Download
memory/1528-11-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/4456-16-0x00000000016F0000-0x00000000017D8000-memory.dmp

Filesize
928KB

Download
memory/4456-21-0x00000000050F0000-0x00000000051AB000-memory.dmp

Filesize
748KB

Download
memory/4456-20-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/4456-13-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/4456-36-0x000000000B800000-0x000000000B898000-memory.dmp

Filesize
608KB

Download
memory/4456-30-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download