7fa14faa0a3bbf0f0daad20a5525e04e6c7f1bc5d2168d26395566dc4d315754

Analysis

max time kernel
137s
max time network
172s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 04:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2790d5583c362df230daa8ece9cc77d3.exe
Size

385KB
MD5

2790d5583c362df230daa8ece9cc77d3
SHA1

2e8e3a4c8b8dc9acc5058499a66e2cd003bc70ad
SHA256

7fa14faa0a3bbf0f0daad20a5525e04e6c7f1bc5d2168d26395566dc4d315754
SHA512

32177a426204c9fdecd7e68fbe12ba32975028b5b9c79b7289020d989957250e4be58bf3deb6c2c1d7067080cb7b4e5cae669c631bdea3494a63d4a433f2bd4f
SSDEEP

6144:c9ZjPSb0PQouvvePx5wO3R56WYtzlY8mzh09MrUMA4RDgAMSKCB:Gpk0PQPvvePvR56WOZYzzupoRDgaKCB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
440	2790d5583c362df230daa8ece9cc77d3.exe

Executes dropped EXE 1 IoCs

pid	Process
440	2790d5583c362df230daa8ece9cc77d3.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2084	2790d5583c362df230daa8ece9cc77d3.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2084	2790d5583c362df230daa8ece9cc77d3.exe
440	2790d5583c362df230daa8ece9cc77d3.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 440	2084	2790d5583c362df230daa8ece9cc77d3.exe	93
PID 2084 wrote to memory of 440	2084	2790d5583c362df230daa8ece9cc77d3.exe	93
PID 2084 wrote to memory of 440	2084	2790d5583c362df230daa8ece9cc77d3.exe	93

C:\Users\Admin\AppData\Local\Temp\2790d5583c362df230daa8ece9cc77d3.exe
"C:\Users\Admin\AppData\Local\Temp\2790d5583c362df230daa8ece9cc77d3.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Users\Admin\AppData\Local\Temp\2790d5583c362df230daa8ece9cc77d3.exe
  C:\Users\Admin\AppData\Local\Temp\2790d5583c362df230daa8ece9cc77d3.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2790d5583c362df230daa8ece9cc77d3.exe

Filesize
385KB

MD5
a08f1fd735a7ce71980255be4bd733f1

SHA1
17696d8916e3eb6ecb91f2218f55a20a97441b38

SHA256
129cdd2e640a748d03db9fa3ec931a2be1ca3dffc4bbc2c72512eaae73e57bb0

SHA512
fb07b4eb103d72b84b491dc48ab2d4335f32ac16599efcf2fc9d7563ae3c490223e5ec63204b9a733407d8eb2fbd26a382aa453bb7a23653f898ef81d6aaae54

Download Submit
memory/440-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/440-14-0x00000000014D0000-0x0000000001536000-memory.dmp

Filesize
408KB

Download
memory/440-20-0x0000000004EF0000-0x0000000004F4F000-memory.dmp

Filesize
380KB

Download
memory/440-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/440-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/440-33-0x000000000B600000-0x000000000B63C000-memory.dmp

Filesize
240KB

Download
memory/440-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2084-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2084-1-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/2084-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2084-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download