0df447d366793178fb95a097c64c74b815f431c7ca68386854e4eebf66b4f46e

Analysis

max time kernel
130s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 06:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

10d5c4e6628e6da50bfc3fe6bfddc48c.exe
Size

907KB
MD5

10d5c4e6628e6da50bfc3fe6bfddc48c
SHA1

788ee4932dbb0d69b00f541dbc7e5f3f60031956
SHA256

0df447d366793178fb95a097c64c74b815f431c7ca68386854e4eebf66b4f46e
SHA512

8d9c66f4d4ba700e1c0f5ba70d1710087cc06c3a64f92de39965b11cee242408721771b5604716435c48ecf7b2fe8de95c9cf55c4ad7cafac5fd65c609d94bb6
SSDEEP

24576:VVrQ7QpsYW64z43g9OBRmFBhHGeAxIxNZZOMblnQha/ZS1:rQ7QG64z43g9OfobHGTxIxNZcMggS

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4672	10d5c4e6628e6da50bfc3fe6bfddc48c.exe

Executes dropped EXE 1 IoCs

pid	Process
4672	10d5c4e6628e6da50bfc3fe6bfddc48c.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
740	10d5c4e6628e6da50bfc3fe6bfddc48c.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
740	10d5c4e6628e6da50bfc3fe6bfddc48c.exe
4672	10d5c4e6628e6da50bfc3fe6bfddc48c.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 740 wrote to memory of 4672	740	10d5c4e6628e6da50bfc3fe6bfddc48c.exe	90
PID 740 wrote to memory of 4672	740	10d5c4e6628e6da50bfc3fe6bfddc48c.exe	90
PID 740 wrote to memory of 4672	740	10d5c4e6628e6da50bfc3fe6bfddc48c.exe	90

C:\Users\Admin\AppData\Local\Temp\10d5c4e6628e6da50bfc3fe6bfddc48c.exe
"C:\Users\Admin\AppData\Local\Temp\10d5c4e6628e6da50bfc3fe6bfddc48c.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:740
- C:\Users\Admin\AppData\Local\Temp\10d5c4e6628e6da50bfc3fe6bfddc48c.exe
  C:\Users\Admin\AppData\Local\Temp\10d5c4e6628e6da50bfc3fe6bfddc48c.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:4672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\10d5c4e6628e6da50bfc3fe6bfddc48c.exe

Filesize
907KB

MD5
1456ef30d018eb899b2a9069bcf2c903

SHA1
d39aa6b6bf57c7d3471e3468177952890e4533be

SHA256
e4ae5fbce265972f2b4e7c71c4cbdd539706381be7c98721de67dde23c6f9196

SHA512
1867dc88809296aa7b6c8db64379288a4e1593d9d547c312b9509aebef0403a91e3f08c7d714e671e1b901f89365757185b759b6bc15ce9fbb16e7a8804315bf

Download Submit
memory/740-0-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/740-1-0x00000000015B0000-0x0000000001698000-memory.dmp

Filesize
928KB

Download
memory/740-2-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/740-11-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/4672-13-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/4672-15-0x0000000001710000-0x00000000017F8000-memory.dmp

Filesize
928KB

Download
memory/4672-21-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/4672-20-0x0000000005150000-0x000000000520B000-memory.dmp

Filesize
748KB

Download
memory/4672-30-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4672-32-0x000000000B800000-0x000000000B898000-memory.dmp

Filesize
608KB

Download