bb98df2d744ae2eee11980250629b3b8029e55e85df039c6dde2fa6b76ae07b1

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26-12-2023 16:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7cede8dcc9a492af7f11d54c94a0c4fb.exe
Size

385KB
MD5

7cede8dcc9a492af7f11d54c94a0c4fb
SHA1

f1a7ac54cd130860e8d41d805f6b9c1fd5051993
SHA256

bb98df2d744ae2eee11980250629b3b8029e55e85df039c6dde2fa6b76ae07b1
SHA512

ba09453957512a3a9733a37eef8821eb32bb0bf660c19d192a7a1aca501994f252cf4483974ce66949024926915e88b39a721bd99a9bcef9eff4a03c8501f258
SSDEEP

6144:hrxH3/KhZ1Z/uOEdhIhH1Ktkq5LjNFYv6FiZzlp8bFWIQ76vw5nA1RL8d+HLrlB:hxXyhZf/uJ8VKy20uiZx6An4B

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2452	7cede8dcc9a492af7f11d54c94a0c4fb.exe

Executes dropped EXE 1 IoCs

pid	Process
2452	7cede8dcc9a492af7f11d54c94a0c4fb.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1836	7cede8dcc9a492af7f11d54c94a0c4fb.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1836	7cede8dcc9a492af7f11d54c94a0c4fb.exe
2452	7cede8dcc9a492af7f11d54c94a0c4fb.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1836 wrote to memory of 2452	1836	7cede8dcc9a492af7f11d54c94a0c4fb.exe	91
PID 1836 wrote to memory of 2452	1836	7cede8dcc9a492af7f11d54c94a0c4fb.exe	91
PID 1836 wrote to memory of 2452	1836	7cede8dcc9a492af7f11d54c94a0c4fb.exe	91

C:\Users\Admin\AppData\Local\Temp\7cede8dcc9a492af7f11d54c94a0c4fb.exe
"C:\Users\Admin\AppData\Local\Temp\7cede8dcc9a492af7f11d54c94a0c4fb.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1836
- C:\Users\Admin\AppData\Local\Temp\7cede8dcc9a492af7f11d54c94a0c4fb.exe
  C:\Users\Admin\AppData\Local\Temp\7cede8dcc9a492af7f11d54c94a0c4fb.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7cede8dcc9a492af7f11d54c94a0c4fb.exe

Filesize
385KB

MD5
68f129a317a7f5b4dd64653705af5ad9

SHA1
89ec9248eb06e19f8c3c3281ecbc0a3bb56b87c7

SHA256
6ee63ee9edaf0140d86142b30f8d01236753c919c7a109f80d44fbc11a28832c

SHA512
16e2565665f8d0949d83be231afe6086ba4efb3a739b76edb3949a19e5c90f20e3bb1d19877dc4d42f16d482e5ea54dd790ba5207a69c0d6e73b68a04f861320

Download Submit
memory/1836-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1836-1-0x00000000014D0000-0x0000000001536000-memory.dmp

Filesize
408KB

Download
memory/1836-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1836-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2452-16-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2452-20-0x0000000004ED0000-0x0000000004F2F000-memory.dmp

Filesize
380KB

Download
memory/2452-13-0x0000000000160000-0x00000000001C6000-memory.dmp

Filesize
408KB

Download
memory/2452-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2452-36-0x000000000B600000-0x000000000B63C000-memory.dmp

Filesize
240KB

Download
memory/2452-35-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2452-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2452-37-0x000000000B600000-0x000000000B63C000-memory.dmp

Filesize
240KB

Download