81980677d5899b1229417a23fc002ef7f2cf1ea9f0d3788e0368e3104d8a3e29

Analysis

max time kernel
141s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2023 00:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22597a63f41ed1ee48be6e38596a8312.exe
Size

385KB
MD5

22597a63f41ed1ee48be6e38596a8312
SHA1

394c25b8bbe0895f082f8c445b1b840f8c47113a
SHA256

81980677d5899b1229417a23fc002ef7f2cf1ea9f0d3788e0368e3104d8a3e29
SHA512

d4f3d27611c5f70f9e42d0bd4c56eb29e20c9fffec5377799df48a770edebebe068bfbf22b3e3ce103a17d5cd96b79f3df1cb1334051e42c7ccdf27b3c40e68e
SSDEEP

6144:GJNEq4kAz5jDt64kqM+TIUOK3KEDHHBduqtrU7u5ah3fnXfMq2Sxu2+htDQgDB:GTEqfijhBkUWK3KETHvuJfXEAqt8eB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4636	22597a63f41ed1ee48be6e38596a8312.exe

Executes dropped EXE 1 IoCs

pid	Process
4636	22597a63f41ed1ee48be6e38596a8312.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3560	22597a63f41ed1ee48be6e38596a8312.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3560	22597a63f41ed1ee48be6e38596a8312.exe
4636	22597a63f41ed1ee48be6e38596a8312.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3560 wrote to memory of 4636	3560	22597a63f41ed1ee48be6e38596a8312.exe	90
PID 3560 wrote to memory of 4636	3560	22597a63f41ed1ee48be6e38596a8312.exe	90
PID 3560 wrote to memory of 4636	3560	22597a63f41ed1ee48be6e38596a8312.exe	90

C:\Users\Admin\AppData\Local\Temp\22597a63f41ed1ee48be6e38596a8312.exe
"C:\Users\Admin\AppData\Local\Temp\22597a63f41ed1ee48be6e38596a8312.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3560
- C:\Users\Admin\AppData\Local\Temp\22597a63f41ed1ee48be6e38596a8312.exe
  C:\Users\Admin\AppData\Local\Temp\22597a63f41ed1ee48be6e38596a8312.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:4636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\22597a63f41ed1ee48be6e38596a8312.exe

Filesize
385KB

MD5
1bb9d61ad9d0cdaf390cbf8bd42414c6

SHA1
3c2a532f1860f39b29120334983b78d746667f64

SHA256
20be6fbfd53154d45dbd1adf47a593d90ba5e8507c5c85ea33e5f29b902dd132

SHA512
fa30971fb0298853d9e3a6956c7652470359fe53d37451305db83810f97679cb410cd2edd4c061c12e484bf6e282fca9e0c56340bc980b5879c42ed2f4f45453

Download Submit
memory/3560-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3560-1-0x0000000001620000-0x0000000001686000-memory.dmp

Filesize
408KB

Download
memory/3560-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3560-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4636-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4636-15-0x0000000000140000-0x00000000001A6000-memory.dmp

Filesize
408KB

Download
memory/4636-21-0x0000000004EC0000-0x0000000004F1F000-memory.dmp

Filesize
380KB

Download
memory/4636-20-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4636-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4636-35-0x000000000B600000-0x000000000B63C000-memory.dmp

Filesize
240KB

Download
memory/4636-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download