cb99f6e69cfe33adebabfd640133f6f2b08080dec950a6bb3831cd37c474acda

Analysis

max time kernel
191s
max time network
202s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 09:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1463ef5a8ae514f282d7f6354a23caa7.exe
Size

385KB
MD5

1463ef5a8ae514f282d7f6354a23caa7
SHA1

f9d5cf55df189ebf446b09e0313128787918b0cb
SHA256

cb99f6e69cfe33adebabfd640133f6f2b08080dec950a6bb3831cd37c474acda
SHA512

a69fce8b8500f2fbe3c754959018b8eb303a556fc36dcf016edf5e23561cc3959a910db06fe782a25b2893508b8fc2c464c7cc79e9d3449c749ca6abba8dc46c
SSDEEP

6144:DmWGMuzfhFsYnIPC05KFXaMfBruJ6Y77ytHQ9gHtIr6WXH+BkSbeDvKnfjB:SWGlzf0YbC6ZuJX7ytHGWDEvKfjB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4920	1463ef5a8ae514f282d7f6354a23caa7.exe

Executes dropped EXE 1 IoCs

pid	Process
4920	1463ef5a8ae514f282d7f6354a23caa7.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4060	1463ef5a8ae514f282d7f6354a23caa7.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4060	1463ef5a8ae514f282d7f6354a23caa7.exe
4920	1463ef5a8ae514f282d7f6354a23caa7.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4060 wrote to memory of 4920	4060	1463ef5a8ae514f282d7f6354a23caa7.exe	91
PID 4060 wrote to memory of 4920	4060	1463ef5a8ae514f282d7f6354a23caa7.exe	91
PID 4060 wrote to memory of 4920	4060	1463ef5a8ae514f282d7f6354a23caa7.exe	91

C:\Users\Admin\AppData\Local\Temp\1463ef5a8ae514f282d7f6354a23caa7.exe
"C:\Users\Admin\AppData\Local\Temp\1463ef5a8ae514f282d7f6354a23caa7.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4060
- C:\Users\Admin\AppData\Local\Temp\1463ef5a8ae514f282d7f6354a23caa7.exe
  C:\Users\Admin\AppData\Local\Temp\1463ef5a8ae514f282d7f6354a23caa7.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:4920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1463ef5a8ae514f282d7f6354a23caa7.exe

Filesize
82KB

MD5
f5279005948cdf41ae00d21f69ef7927

SHA1
837f8122e1ce34044389b590b0d1d24c0877630c

SHA256
8d440794ff047b5b41efa9021b9b03f1dc96713d73be6d7b49026dc6304a2d75

SHA512
173c3078afe9b74c430b150e7811d21e055e3572ab707b4c8c54454b21b077816b413d69584deed2697260a29fe66593d921af385ee429d3a7a9df03ad7b2ab6

Download Submit
memory/4060-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4060-1-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/4060-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4060-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4920-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4920-19-0x0000000001620000-0x0000000001686000-memory.dmp

Filesize
408KB

Download
memory/4920-20-0x0000000004E90000-0x0000000004EEF000-memory.dmp

Filesize
380KB

Download
memory/4920-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4920-31-0x000000000B600000-0x000000000B63C000-memory.dmp

Filesize
240KB

Download
memory/4920-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4920-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download