4e8ec4961e1441f6b5c17da3c88076156d9b32044ef797c80ef3fd62674b3fd0

Analysis

max time kernel
146s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2023 01:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

23792614725d474b19cf580fb12c7129.exe
Size

385KB
MD5

23792614725d474b19cf580fb12c7129
SHA1

3f8e9bf15fc31c4a1d16f0902cfb70c6be1917c2
SHA256

4e8ec4961e1441f6b5c17da3c88076156d9b32044ef797c80ef3fd62674b3fd0
SHA512

0f647b9ef151046f87e8b6839aa5101c17d4244019f7b29a1da747a840b6303366865811b0417a656c7dd872fea23fdd957e79d3976b53d2371ee29b339311d9
SSDEEP

6144:kzX+MeCzXWZaEQZC4P86goKSyA0avlBkNAB2EyMIlojgUuZtxrZQSdxHB:oumCpQ44hghBAdvlBkNAgEwoj2Ztxr/B

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1900	23792614725d474b19cf580fb12c7129.exe

Executes dropped EXE 1 IoCs

pid	Process
1900	23792614725d474b19cf580fb12c7129.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2808	23792614725d474b19cf580fb12c7129.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2808	23792614725d474b19cf580fb12c7129.exe
1900	23792614725d474b19cf580fb12c7129.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 1900	2808	23792614725d474b19cf580fb12c7129.exe	88
PID 2808 wrote to memory of 1900	2808	23792614725d474b19cf580fb12c7129.exe	88
PID 2808 wrote to memory of 1900	2808	23792614725d474b19cf580fb12c7129.exe	88

C:\Users\Admin\AppData\Local\Temp\23792614725d474b19cf580fb12c7129.exe
"C:\Users\Admin\AppData\Local\Temp\23792614725d474b19cf580fb12c7129.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Users\Admin\AppData\Local\Temp\23792614725d474b19cf580fb12c7129.exe
  C:\Users\Admin\AppData\Local\Temp\23792614725d474b19cf580fb12c7129.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\23792614725d474b19cf580fb12c7129.exe

Filesize
385KB

MD5
e3bac9474deaa0d7d0c33996c34ad105

SHA1
c2646a02180b1e6e6229eec8cfa49cac2c38485d

SHA256
7e4b668360341bc01a1f7455d9c431a18b25cc56c9480a1788d4bc04d320dc10

SHA512
0cb2e981f6f4d432befebdc89c741ee809b7d14bf0c703f3a338d744a6109ac5892999c616a51a44c8089cc63754e0cce2f7665bfad904d0894850046a063485

Download Submit
memory/1900-16-0x0000000001600000-0x0000000001666000-memory.dmp

Filesize
408KB

Download
memory/1900-20-0x0000000004F30000-0x0000000004F8F000-memory.dmp

Filesize
380KB

Download
memory/1900-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1900-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1900-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1900-33-0x000000000B600000-0x000000000B63C000-memory.dmp

Filesize
240KB

Download
memory/1900-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2808-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2808-1-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/2808-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2808-12-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download