2d9b9cac17955f85aebd5c07d4861a5cadc514f12b55b7b93d86750566a50e74

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2023 23:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f820b3bb798d7cd796506cd0b103fae.exe
Size

771KB
MD5

1f820b3bb798d7cd796506cd0b103fae
SHA1

3e32cbc9bdb283bf2089d1617ebfd6554a29d784
SHA256

2d9b9cac17955f85aebd5c07d4861a5cadc514f12b55b7b93d86750566a50e74
SHA512

f101a9bdaaaa33c8353a14b7825eb8f169c06f4fce44cc4c4fc99bbe51dee432fd3e47374df493fd0490fa26aa5bc7ef0f1125a7bd7789018863d557bdc52285
SSDEEP

12288:8g9yEEpRvgH98q3YkiDbGrEjPzJLniYZ/C9OFEIif0F6rerfrEhU8zFVMB:bCpRvgHD3pQbGrytvZWqEIz6qrfiTMB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
512	1f820b3bb798d7cd796506cd0b103fae.exe

Executes dropped EXE 1 IoCs

pid	Process
512	1f820b3bb798d7cd796506cd0b103fae.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4148	1f820b3bb798d7cd796506cd0b103fae.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4148	1f820b3bb798d7cd796506cd0b103fae.exe
512	1f820b3bb798d7cd796506cd0b103fae.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4148 wrote to memory of 512	4148	1f820b3bb798d7cd796506cd0b103fae.exe	18
PID 4148 wrote to memory of 512	4148	1f820b3bb798d7cd796506cd0b103fae.exe	18
PID 4148 wrote to memory of 512	4148	1f820b3bb798d7cd796506cd0b103fae.exe	18

C:\Users\Admin\AppData\Local\Temp\1f820b3bb798d7cd796506cd0b103fae.exe
"C:\Users\Admin\AppData\Local\Temp\1f820b3bb798d7cd796506cd0b103fae.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4148
- C:\Users\Admin\AppData\Local\Temp\1f820b3bb798d7cd796506cd0b103fae.exe
  C:\Users\Admin\AppData\Local\Temp\1f820b3bb798d7cd796506cd0b103fae.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1f820b3bb798d7cd796506cd0b103fae.exe

Filesize
105KB

MD5
d0cbfeadb4213d9187b927e437f7fb05

SHA1
b200eadcd155b96d2acd17b99ea52d5bacee07e8

SHA256
803bf24f29949379ef92decec898fe7ec5b82ba538a7a440ea5bccc962a6033b

SHA512
b10b22a239e4db6dbd990bb5052c31a4d9627f32de1e722a297e9e32bfbd32b04f8a7824b82d090f7296e3222025bc473f90890265323febc0f6453065e91d28

Download Submit
memory/512-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/512-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/512-20-0x0000000004EB0000-0x0000000004F0F000-memory.dmp

Filesize
380KB

Download
memory/512-16-0x00000000014D0000-0x0000000001536000-memory.dmp

Filesize
408KB

Download
memory/512-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/512-35-0x000000000B600000-0x000000000B63C000-memory.dmp

Filesize
240KB

Download
memory/512-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4148-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4148-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4148-1-0x00000000014D0000-0x0000000001536000-memory.dmp

Filesize
408KB

Download
memory/4148-12-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download