58df17947b682d9156417833793c8c41ce7dd6abd900475f6807dbb8a8293db3

Analysis

max time kernel
143s
max time network
171s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 05:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1027d2467dd98d43ebc705340dfdef7d.exe
Size

385KB
MD5

1027d2467dd98d43ebc705340dfdef7d
SHA1

87d5d7d10f13a89babe6eec355ebfe4535263da5
SHA256

58df17947b682d9156417833793c8c41ce7dd6abd900475f6807dbb8a8293db3
SHA512

80d9e363c13144b323b1f8d6e37b87ff78c0f4c1deda990dd63bedd25f9b6cbbbe224193d58f2a6d32ad6d22bc7a3e0f7155d5e7b96c50d4bef58448a293776f
SSDEEP

12288:iK+7u4r2yt1GZ6bQvCYKnNuyDEjc1/OeSJ6Ri/jnUOamQVB:iE4ovbCMuB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
888	1027d2467dd98d43ebc705340dfdef7d.exe

Executes dropped EXE 1 IoCs

pid	Process
888	1027d2467dd98d43ebc705340dfdef7d.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1844	1027d2467dd98d43ebc705340dfdef7d.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1844	1027d2467dd98d43ebc705340dfdef7d.exe
888	1027d2467dd98d43ebc705340dfdef7d.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1844 wrote to memory of 888	1844	1027d2467dd98d43ebc705340dfdef7d.exe	91
PID 1844 wrote to memory of 888	1844	1027d2467dd98d43ebc705340dfdef7d.exe	91
PID 1844 wrote to memory of 888	1844	1027d2467dd98d43ebc705340dfdef7d.exe	91

C:\Users\Admin\AppData\Local\Temp\1027d2467dd98d43ebc705340dfdef7d.exe
"C:\Users\Admin\AppData\Local\Temp\1027d2467dd98d43ebc705340dfdef7d.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1844
- C:\Users\Admin\AppData\Local\Temp\1027d2467dd98d43ebc705340dfdef7d.exe
  C:\Users\Admin\AppData\Local\Temp\1027d2467dd98d43ebc705340dfdef7d.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1027d2467dd98d43ebc705340dfdef7d.exe

Filesize
385KB

MD5
0783f53f39cb730fb96f193ffdd23da7

SHA1
7a1ef4163f2d0228b9ce776dc7681dc4a99e8a6f

SHA256
26621f31e5bc17735a2dcf46a5c95306e45c0196778967d170ff40eca9b9e109

SHA512
1af3cdf22df7fc9fa7bac7a110f30ce17ec6124c045f1998b49e25a4c5d0a3d8ee008866820f50ef9d321826e22f01e0d891762f7fd0f60f1a8db6d784627bf4

Download Submit
memory/888-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/888-14-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/888-20-0x0000000004EB0000-0x0000000004F0F000-memory.dmp

Filesize
380KB

Download
memory/888-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/888-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/888-33-0x000000000C640000-0x000000000C67C000-memory.dmp

Filesize
240KB

Download
memory/888-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1844-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1844-1-0x00000000015E0000-0x0000000001646000-memory.dmp

Filesize
408KB

Download
memory/1844-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1844-12-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download