54598c5b0693db9e76cf7a2ac5c5b79ff553fb9e3d389e02d1337459d9d8f63a

Analysis

max time kernel
114s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2023 07:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2d561cebf83d31275c393a46ba73fa23.exe
Size

385KB
MD5

2d561cebf83d31275c393a46ba73fa23
SHA1

9a4b42656341608038adead1f7ed1222ffee200b
SHA256

54598c5b0693db9e76cf7a2ac5c5b79ff553fb9e3d389e02d1337459d9d8f63a
SHA512

d3b66f69a312d1a223cbce435b301cd9cee488b4b2bbe55d52d1934090ec2ec66db85875efe49a908d926e5adc39f89a6d9e79fe4f88216caaf0b2bdc6a6bcaa
SSDEEP

6144:x9PWtNPrV/gCBXIr8a8n+uI7yVIIiwuA5N2Je2CWuPrOdz4ghWnsUbNKHBD28pJ1:x5WtJrx57vufA+JAYFhWZ5QBDzJ3LB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1480	2d561cebf83d31275c393a46ba73fa23.exe

Executes dropped EXE 1 IoCs

pid	Process
1480	2d561cebf83d31275c393a46ba73fa23.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3320	2d561cebf83d31275c393a46ba73fa23.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3320	2d561cebf83d31275c393a46ba73fa23.exe
1480	2d561cebf83d31275c393a46ba73fa23.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3320 wrote to memory of 1480	3320	2d561cebf83d31275c393a46ba73fa23.exe	20
PID 3320 wrote to memory of 1480	3320	2d561cebf83d31275c393a46ba73fa23.exe	20
PID 3320 wrote to memory of 1480	3320	2d561cebf83d31275c393a46ba73fa23.exe	20

C:\Users\Admin\AppData\Local\Temp\2d561cebf83d31275c393a46ba73fa23.exe
"C:\Users\Admin\AppData\Local\Temp\2d561cebf83d31275c393a46ba73fa23.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3320
- C:\Users\Admin\AppData\Local\Temp\2d561cebf83d31275c393a46ba73fa23.exe
  C:\Users\Admin\AppData\Local\Temp\2d561cebf83d31275c393a46ba73fa23.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2d561cebf83d31275c393a46ba73fa23.exe

Filesize
85KB

MD5
002e400b163d1c4cfec40291f2366e29

SHA1
7eb20ebe19c721c2ac6d713e18e89688fdecc58b

SHA256
d7a9ab49241a38193aa7af6f1d51f144217a0d84b89b2ea4591ad07d9d7ce678

SHA512
0e6b2987be1ea9c34e3e67e95309dab8c53fa7627f5ee52191220047d8cda0cbbb5d34ad77b3c3375b03a0f37ada5d2087ee1e4fea1920d0b14d1a76267a7489

Download Submit
memory/1480-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1480-26-0x0000000004E90000-0x0000000004EEF000-memory.dmp

Filesize
380KB

Download
memory/1480-20-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1480-16-0x0000000000180000-0x00000000001E6000-memory.dmp

Filesize
408KB

Download
memory/1480-34-0x000000000C640000-0x000000000C67C000-memory.dmp

Filesize
240KB

Download
memory/1480-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1480-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3320-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3320-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3320-1-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/3320-12-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download