6e0ae996a81e1859fe2a039edffa1bddd0194a15078eb1056314b57d99335167

Analysis

max time kernel
154s
max time network
175s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 20:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1bd0536bbb58125a5006c1e597e7235f.exe
Size

385KB
MD5

1bd0536bbb58125a5006c1e597e7235f
SHA1

04bc46012d2bb992a812f493a1b33887fccd2ada
SHA256

6e0ae996a81e1859fe2a039edffa1bddd0194a15078eb1056314b57d99335167
SHA512

d37c18a8a35d9009ce073e6e060b0f333f2faa6da17e49f82803722d4d4e8b452842a37c9d098441115a2c42aa872a315dde08cef739927a7023a1753e00cbb4
SSDEEP

6144:stB5xZ694yiFHM5SnwozuW7YsIpsRP0cqU8NaNZomeLBXx/V5rP7PB:YBPZPyiC52qW7wpsJuUEwameLBZLB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
5024	1bd0536bbb58125a5006c1e597e7235f.exe

Executes dropped EXE 1 IoCs

pid	Process
5024	1bd0536bbb58125a5006c1e597e7235f.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1996	1bd0536bbb58125a5006c1e597e7235f.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1996	1bd0536bbb58125a5006c1e597e7235f.exe
5024	1bd0536bbb58125a5006c1e597e7235f.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 5024	1996	1bd0536bbb58125a5006c1e597e7235f.exe	90
PID 1996 wrote to memory of 5024	1996	1bd0536bbb58125a5006c1e597e7235f.exe	90
PID 1996 wrote to memory of 5024	1996	1bd0536bbb58125a5006c1e597e7235f.exe	90

C:\Users\Admin\AppData\Local\Temp\1bd0536bbb58125a5006c1e597e7235f.exe
"C:\Users\Admin\AppData\Local\Temp\1bd0536bbb58125a5006c1e597e7235f.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Users\Admin\AppData\Local\Temp\1bd0536bbb58125a5006c1e597e7235f.exe
  C:\Users\Admin\AppData\Local\Temp\1bd0536bbb58125a5006c1e597e7235f.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:5024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1bd0536bbb58125a5006c1e597e7235f.exe

Filesize
385KB

MD5
107bf350590d7dbd1ea5817e34b617ce

SHA1
1e085b239c4897e780c63a4e7a9533dc89be96da

SHA256
1d532c6d64d23c3586e0276ecf0d5659963c8de8788ace565bd68b6f14e0add5

SHA512
94611ae5e5865564d4a59e8b16d298b396b14dc271ae5188efda360bb2e2c89aeaed80d69780f91c5ba51f0b407db91d96d4dce6fc84175ac951074b1eea7cec

Download Submit
memory/1996-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1996-1-0x00000000014D0000-0x0000000001536000-memory.dmp

Filesize
408KB

Download
memory/1996-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1996-12-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/5024-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/5024-14-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/5024-20-0x0000000001650000-0x00000000016AF000-memory.dmp

Filesize
380KB

Download
memory/5024-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5024-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/5024-35-0x000000000C640000-0x000000000C67C000-memory.dmp

Filesize
240KB

Download
memory/5024-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download