974bb61c491902187c0e0d2037f304961ec8375fd9fd505d10ad90c3065ef3c7

Analysis

max time kernel
121s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2023 13:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a6dd336119b57c898c3be2be1a7d76f.exe
Size

385KB
MD5

1a6dd336119b57c898c3be2be1a7d76f
SHA1

369367a33cce82765ecf71e0a354be7d430ab40e
SHA256

974bb61c491902187c0e0d2037f304961ec8375fd9fd505d10ad90c3065ef3c7
SHA512

9468271a5f752bb500044c591b155bd4a52ddcd91544089458bc6f050d5a7224d78a39b1681d019b4fa5f2a4d4733187aa6b311678b86dac64b6694338c4928a
SSDEEP

6144:FVM55e2wP/GVZU50PW5x8VnPb1IsvXXR4c/53uiyNK6I26WSSI3blR/9B:jMvsnKZU50ur8VnPaEXR4c/wP/mJXB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2112	1a6dd336119b57c898c3be2be1a7d76f.exe

Executes dropped EXE 1 IoCs

pid	Process
2112	1a6dd336119b57c898c3be2be1a7d76f.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
884	1a6dd336119b57c898c3be2be1a7d76f.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
884	1a6dd336119b57c898c3be2be1a7d76f.exe
2112	1a6dd336119b57c898c3be2be1a7d76f.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 884 wrote to memory of 2112	884	1a6dd336119b57c898c3be2be1a7d76f.exe	14
PID 884 wrote to memory of 2112	884	1a6dd336119b57c898c3be2be1a7d76f.exe	14
PID 884 wrote to memory of 2112	884	1a6dd336119b57c898c3be2be1a7d76f.exe	14

C:\Users\Admin\AppData\Local\Temp\1a6dd336119b57c898c3be2be1a7d76f.exe
C:\Users\Admin\AppData\Local\Temp\1a6dd336119b57c898c3be2be1a7d76f.exe
1⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of UnmapMainImage
PID:2112

C:\Users\Admin\AppData\Local\Temp\1a6dd336119b57c898c3be2be1a7d76f.exe
"C:\Users\Admin\AppData\Local\Temp\1a6dd336119b57c898c3be2be1a7d76f.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/884-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/884-1-0x00000000014D0000-0x0000000001536000-memory.dmp

Filesize
408KB

Download
memory/884-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/884-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2112-16-0x0000000001620000-0x0000000001686000-memory.dmp

Filesize
408KB

Download
memory/2112-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2112-20-0x0000000004EB0000-0x0000000004F0F000-memory.dmp

Filesize
380KB

Download
memory/2112-14-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2112-32-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2112-38-0x000000000C620000-0x000000000C65C000-memory.dmp

Filesize
240KB

Download
memory/2112-37-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download