e4a6d5144bbce52f075c573049032301e5ee3d8f7b6554efc37047b8b1390e3d

Analysis

max time kernel
203s
max time network
225s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 21:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1cad4deae161bc7a2fd1a80a49f92758.exe
Size

907KB
MD5

1cad4deae161bc7a2fd1a80a49f92758
SHA1

131983ca8416c931d1f3fd20350f8f4edd213099
SHA256

e4a6d5144bbce52f075c573049032301e5ee3d8f7b6554efc37047b8b1390e3d
SHA512

ad280076cecbef8148c7b68fd2dd217ee5bbc4684414d146f5c2cd5b2b0be2366c50cf6b1d4fdf1286b637d3d5cd48e6abd971619fde8db683e2486c2637d9b1
SSDEEP

24576:XVhrtfbw9wSEnZz/8SQU/kHNy47MdpjldFa/ZS1:lhrdwySEnJC3y4QjldFgS

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3552	1cad4deae161bc7a2fd1a80a49f92758.exe

Executes dropped EXE 1 IoCs

pid	Process
3552	1cad4deae161bc7a2fd1a80a49f92758.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
748	1cad4deae161bc7a2fd1a80a49f92758.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
748	1cad4deae161bc7a2fd1a80a49f92758.exe
3552	1cad4deae161bc7a2fd1a80a49f92758.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 748 wrote to memory of 3552	748	1cad4deae161bc7a2fd1a80a49f92758.exe	91
PID 748 wrote to memory of 3552	748	1cad4deae161bc7a2fd1a80a49f92758.exe	91
PID 748 wrote to memory of 3552	748	1cad4deae161bc7a2fd1a80a49f92758.exe	91

C:\Users\Admin\AppData\Local\Temp\1cad4deae161bc7a2fd1a80a49f92758.exe
"C:\Users\Admin\AppData\Local\Temp\1cad4deae161bc7a2fd1a80a49f92758.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:748
- C:\Users\Admin\AppData\Local\Temp\1cad4deae161bc7a2fd1a80a49f92758.exe
  C:\Users\Admin\AppData\Local\Temp\1cad4deae161bc7a2fd1a80a49f92758.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:3552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1cad4deae161bc7a2fd1a80a49f92758.exe

Filesize
907KB

MD5
e528eddbcd0aa5b782d719490241bb99

SHA1
9fbba5ca3fd30eb527d52d88ce1d43557656f615

SHA256
2050b75506c9aecc131022e63f6d7284104f73f245ebd8623dc9f628314493a6

SHA512
3e6a83b9b281b6c206fd458599b7c3038c855743c0a8287fe88a8f94f9fb2a437416708af9e0a80b1b5afc5f05ab0848d355804cfa71a75d6e7ad02f9f1ea74d

Download Submit
memory/748-0-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/748-1-0x00000000017A0000-0x0000000001888000-memory.dmp

Filesize
928KB

Download
memory/748-2-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/748-11-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/3552-13-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/3552-16-0x0000000001750000-0x0000000001838000-memory.dmp

Filesize
928KB

Download
memory/3552-20-0x0000000005110000-0x00000000051CB000-memory.dmp

Filesize
748KB

Download
memory/3552-21-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/3552-30-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3552-33-0x000000000B800000-0x000000000B898000-memory.dmp

Filesize
608KB

Download