c1abfa4cf3023b8fbb84f191ce6cee2df9e30af2288275e77c1cd493bcc1004f

Analysis

max time kernel
136s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 02:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

245e8f8d5b42c9b400df36c52b9cac8a.exe
Size

385KB
MD5

245e8f8d5b42c9b400df36c52b9cac8a
SHA1

e28bb26b2c3addcfc98965a4e3858c1b84dd8c43
SHA256

c1abfa4cf3023b8fbb84f191ce6cee2df9e30af2288275e77c1cd493bcc1004f
SHA512

bcde57733aad2952ac9731e70dea1bbe2a5b7390fb78e9c2b1f54febf80dc50e1f18e3c932b20595853a96ef95dc682544732530f7156607dc35717f973d9088
SSDEEP

12288:tiz9q/CZegntHG+2ck4iL+1RWHaY3GT7bFjiB:tHAeytmsk4a+mHaY3GPbFjiB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3420	245e8f8d5b42c9b400df36c52b9cac8a.exe

Executes dropped EXE 1 IoCs

pid	Process
3420	245e8f8d5b42c9b400df36c52b9cac8a.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
5060	245e8f8d5b42c9b400df36c52b9cac8a.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
5060	245e8f8d5b42c9b400df36c52b9cac8a.exe
3420	245e8f8d5b42c9b400df36c52b9cac8a.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5060 wrote to memory of 3420	5060	245e8f8d5b42c9b400df36c52b9cac8a.exe	17
PID 5060 wrote to memory of 3420	5060	245e8f8d5b42c9b400df36c52b9cac8a.exe	17
PID 5060 wrote to memory of 3420	5060	245e8f8d5b42c9b400df36c52b9cac8a.exe	17

C:\Users\Admin\AppData\Local\Temp\245e8f8d5b42c9b400df36c52b9cac8a.exe
"C:\Users\Admin\AppData\Local\Temp\245e8f8d5b42c9b400df36c52b9cac8a.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:5060
- C:\Users\Admin\AppData\Local\Temp\245e8f8d5b42c9b400df36c52b9cac8a.exe
  C:\Users\Admin\AppData\Local\Temp\245e8f8d5b42c9b400df36c52b9cac8a.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:3420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\245e8f8d5b42c9b400df36c52b9cac8a.exe

Filesize
49KB

MD5
ff46f1321df19a939a2a13be4369c20f

SHA1
68a01ca4f262b53e050d21a817181427fb6d5033

SHA256
eca863563b674f9edbf5c5dd2cd36ef649980681687e99579394a10bb64f6820

SHA512
6e19f92d4a7b778a89a3d6bd0a8fcc20725cfaee341120743a777729bac98da81a3b6689718f04441c15206afef165f702803cbfab79f58aac30ca3df2d06c14

Download Submit
memory/3420-15-0x00000000015F0000-0x0000000001656000-memory.dmp

Filesize
408KB

Download
memory/3420-20-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3420-24-0x0000000004E80000-0x0000000004EDF000-memory.dmp

Filesize
380KB

Download
memory/3420-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3420-32-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3420-38-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3420-34-0x000000000B620000-0x000000000B65C000-memory.dmp

Filesize
240KB

Download
memory/5060-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/5060-1-0x0000000001540000-0x00000000015A6000-memory.dmp

Filesize
408KB

Download
memory/5060-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/5060-12-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download