646cc9913f23b96c181513a2c4f702a4e8cc74c7ec556c40597dbdc86d694740

Analysis

max time kernel
158s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2023 03:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d4a6de11ef378c5037e6f633f779e09.exe
Size

385KB
MD5

0d4a6de11ef378c5037e6f633f779e09
SHA1

2fff72d3c271d068de1b9ee5c9c73e93e9ef9534
SHA256

646cc9913f23b96c181513a2c4f702a4e8cc74c7ec556c40597dbdc86d694740
SHA512

3aaa94e784e15464224a6860d00d850b682d264097c6156bbd67b2b2143616e2144e2abc6a1284af0d90b8d80f2508bbd1c4bffb1aebf7424b83bafa3e18d760
SSDEEP

6144:lb8q3/aoLr1HcL4qBPOSCSM6WPjIUQsUc5M4dfiwEe7YSXZHtm4uwumoaBUslnep:zaoLrVctP46WPjIPsUc5btF1HXZpdnCB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2020	0d4a6de11ef378c5037e6f633f779e09.exe

Executes dropped EXE 1 IoCs

pid	Process
2020	0d4a6de11ef378c5037e6f633f779e09.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4236	0d4a6de11ef378c5037e6f633f779e09.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4236	0d4a6de11ef378c5037e6f633f779e09.exe
2020	0d4a6de11ef378c5037e6f633f779e09.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4236 wrote to memory of 2020	4236	0d4a6de11ef378c5037e6f633f779e09.exe	91
PID 4236 wrote to memory of 2020	4236	0d4a6de11ef378c5037e6f633f779e09.exe	91
PID 4236 wrote to memory of 2020	4236	0d4a6de11ef378c5037e6f633f779e09.exe	91

C:\Users\Admin\AppData\Local\Temp\0d4a6de11ef378c5037e6f633f779e09.exe
"C:\Users\Admin\AppData\Local\Temp\0d4a6de11ef378c5037e6f633f779e09.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4236
- C:\Users\Admin\AppData\Local\Temp\0d4a6de11ef378c5037e6f633f779e09.exe
  C:\Users\Admin\AppData\Local\Temp\0d4a6de11ef378c5037e6f633f779e09.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0d4a6de11ef378c5037e6f633f779e09.exe

Filesize
385KB

MD5
8c2e4fd990e2f6c235fca1ee34b12563

SHA1
794e0d2f6e9659ee72a9c27339ec32234f2fed61

SHA256
2a072ef602afc723d012de434e908f4ffdbf31a5216afbdbbbb2d1d9c3237c6e

SHA512
25912d9caad6d34d77add94b1d38a0fdf633612055b708c17de42615f7f3595b0a6b484c113860bf840607d2a24ab68ea5253959d887805fcee8156cef6f0796

Download Submit
memory/2020-14-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2020-15-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/2020-21-0x0000000001600000-0x000000000165F000-memory.dmp

Filesize
380KB

Download
memory/2020-22-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2020-31-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2020-35-0x000000000B600000-0x000000000B63C000-memory.dmp

Filesize
240KB

Download
memory/2020-37-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4236-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4236-1-0x00000000015E0000-0x0000000001646000-memory.dmp

Filesize
408KB

Download
memory/4236-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4236-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download