98b320f39557f494c0128c86298523a587ef1b652fa8f8321b9f07bfad53598c

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 05:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2a4a019e544ca4854975533835445b1c.exe
Size

907KB
MD5

2a4a019e544ca4854975533835445b1c
SHA1

bde0b2737c1f13cc64b2c17c39f1bacff61b46b6
SHA256

98b320f39557f494c0128c86298523a587ef1b652fa8f8321b9f07bfad53598c
SHA512

2bd3955d9f5a54f689c84082c57f2dd990d29fab273bfe63e8650550741658125002e309aa125574bf7d5b9d1e50560e7c7e72a8f55b2baa5339eacf2dc67619
SSDEEP

24576:+mFp/2yVvaHrfnu0dZT2fHsI9LS2t3VvDelF1Ia/ZS1:V/HarDstDKGgS

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3536	2a4a019e544ca4854975533835445b1c.exe

Executes dropped EXE 1 IoCs

pid	Process
3536	2a4a019e544ca4854975533835445b1c.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4316	2a4a019e544ca4854975533835445b1c.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4316	2a4a019e544ca4854975533835445b1c.exe
3536	2a4a019e544ca4854975533835445b1c.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4316 wrote to memory of 3536	4316	2a4a019e544ca4854975533835445b1c.exe	91
PID 4316 wrote to memory of 3536	4316	2a4a019e544ca4854975533835445b1c.exe	91
PID 4316 wrote to memory of 3536	4316	2a4a019e544ca4854975533835445b1c.exe	91

C:\Users\Admin\AppData\Local\Temp\2a4a019e544ca4854975533835445b1c.exe
"C:\Users\Admin\AppData\Local\Temp\2a4a019e544ca4854975533835445b1c.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4316
- C:\Users\Admin\AppData\Local\Temp\2a4a019e544ca4854975533835445b1c.exe
  C:\Users\Admin\AppData\Local\Temp\2a4a019e544ca4854975533835445b1c.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:3536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2a4a019e544ca4854975533835445b1c.exe

Filesize
907KB

MD5
fbef91fb6c35272805bbf70e4a6f0e0a

SHA1
9cb43372d8438915598cf4fd573ead6bccb2138a

SHA256
c3e130162085ddc82bc6f68439f040c0b3ce089e4e43555d86590e18298b5514

SHA512
f1da754a9255af00159464256cb5a9ee86b13778f1f3aa1e1565fbc5c841a285663b5f4bc37bd5faf4c7f72a7fffc4f6939b2b4fc0bd55ca43d527b2fd6633e8

Download Submit
memory/3536-17-0x0000000001820000-0x0000000001908000-memory.dmp

Filesize
928KB

Download
memory/3536-21-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/3536-20-0x0000000005150000-0x000000000520B000-memory.dmp

Filesize
748KB

Download
memory/3536-14-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/3536-36-0x000000000C840000-0x000000000C8D8000-memory.dmp

Filesize
608KB

Download
memory/3536-30-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4316-0-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/4316-1-0x0000000001760000-0x0000000001848000-memory.dmp

Filesize
928KB

Download
memory/4316-2-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/4316-11-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download