9bc4c94c2fb4893950673f27f418b4f3f0902c6c09e9a2c63990ec65b9c21db3

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 10:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1673d99c01640667dabb5964ddaa88f5.exe
Size

385KB
MD5

1673d99c01640667dabb5964ddaa88f5
SHA1

d0b65c6c60bf45362a4eb2814e816457584ea701
SHA256

9bc4c94c2fb4893950673f27f418b4f3f0902c6c09e9a2c63990ec65b9c21db3
SHA512

7b6763150eb0c1a8516cdc3a6a753cbb3550a9ceee9479814e2ea8578589fae3a89dd469a206645c5f18b04c5158b0884977824d5b2008a344e0df9281ce6871
SSDEEP

6144:88XRJ/r6vYTAABokMmPFwJzNUvIzLev66YvdkkSWwWjEB:lXRJ/r6wZBlP2JzNUAzLe/YmkfQB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4816	1673d99c01640667dabb5964ddaa88f5.exe

Executes dropped EXE 1 IoCs

pid	Process
4816	1673d99c01640667dabb5964ddaa88f5.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1976	1673d99c01640667dabb5964ddaa88f5.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1976	1673d99c01640667dabb5964ddaa88f5.exe
4816	1673d99c01640667dabb5964ddaa88f5.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 4816	1976	1673d99c01640667dabb5964ddaa88f5.exe	91
PID 1976 wrote to memory of 4816	1976	1673d99c01640667dabb5964ddaa88f5.exe	91
PID 1976 wrote to memory of 4816	1976	1673d99c01640667dabb5964ddaa88f5.exe	91

C:\Users\Admin\AppData\Local\Temp\1673d99c01640667dabb5964ddaa88f5.exe
"C:\Users\Admin\AppData\Local\Temp\1673d99c01640667dabb5964ddaa88f5.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Users\Admin\AppData\Local\Temp\1673d99c01640667dabb5964ddaa88f5.exe
  C:\Users\Admin\AppData\Local\Temp\1673d99c01640667dabb5964ddaa88f5.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:4816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1673d99c01640667dabb5964ddaa88f5.exe

Filesize
385KB

MD5
f05b5836e7b9cfa35dc12587247307ed

SHA1
025990d8c1aedeb1f5ce3d534604d2e317893fc7

SHA256
66bfa487afd229c43a20061f5cb2af2939cd67c1468a33a28991a19773898970

SHA512
2cdce1ec18a76c1407b414345cdba143a1b6defe168ba6449df731b6e9e5fde1d6bcf2723fda708e5c0fdf7057393b54f537fda5718d693a665c06f027d5a75f

Download Submit
memory/1976-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1976-1-0x0000000001620000-0x0000000001686000-memory.dmp

Filesize
408KB

Download
memory/1976-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1976-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4816-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4816-15-0x0000000000150000-0x00000000001B6000-memory.dmp

Filesize
408KB

Download
memory/4816-20-0x0000000004EB0000-0x0000000004F0F000-memory.dmp

Filesize
380KB

Download
memory/4816-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4816-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4816-35-0x000000000B700000-0x000000000B73C000-memory.dmp

Filesize
240KB

Download
memory/4816-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download