c17cad1ffb2e133641d46c5b1447951a9d8937927b6c7a5b49bf3e43a6217965

Analysis

max time kernel
150s
max time network
184s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 13:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3874989793d0d57a243a156ae1647628.exe
Size

385KB
MD5

3874989793d0d57a243a156ae1647628
SHA1

227daeb0dd1b6bac7b1ff0ef2331ff096fd0b59c
SHA256

c17cad1ffb2e133641d46c5b1447951a9d8937927b6c7a5b49bf3e43a6217965
SHA512

3637b3c6ff6bfc630d62fcd11666ca6f3b4b36e902f8abbedbe483e101fb960f698c8e946f62e965c5023d96d73cb4997d24d5330abec33bc0a0afc87bf07136
SSDEEP

12288:k2hAQMYqa7KeSDSZ0R/fDWaZhgZr+YARbsgjB:k2uQMbp8Z0RXDBYZrXANHB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4908	3874989793d0d57a243a156ae1647628.exe

Executes dropped EXE 1 IoCs

pid	Process
4908	3874989793d0d57a243a156ae1647628.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3084	3874989793d0d57a243a156ae1647628.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3084	3874989793d0d57a243a156ae1647628.exe
4908	3874989793d0d57a243a156ae1647628.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3084 wrote to memory of 4908	3084	3874989793d0d57a243a156ae1647628.exe	57
PID 3084 wrote to memory of 4908	3084	3874989793d0d57a243a156ae1647628.exe	57
PID 3084 wrote to memory of 4908	3084	3874989793d0d57a243a156ae1647628.exe	57

C:\Users\Admin\AppData\Local\Temp\3874989793d0d57a243a156ae1647628.exe
"C:\Users\Admin\AppData\Local\Temp\3874989793d0d57a243a156ae1647628.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3084
- C:\Users\Admin\AppData\Local\Temp\3874989793d0d57a243a156ae1647628.exe
  C:\Users\Admin\AppData\Local\Temp\3874989793d0d57a243a156ae1647628.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:4908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3874989793d0d57a243a156ae1647628.exe

Filesize
16KB

MD5
8f2354d92443faa07f26ddfdb246f3a4

SHA1
c238fe59c811ac8c1e9743c293a25af0e75e9f8b

SHA256
209c562a299f019ab31f9764d48ce617344560c8a7ba2dae7a30e3b437f9f657

SHA512
d887b5642eb9ff88e2f01b2ca2870450f70a4320a92d020287700d49f56a80c1498e26590c150b2ee4fd4dc442e9ef6e062c0dd3e0e6b941a1a0840b8874d003

Download Submit
memory/3084-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3084-1-0x00000000014D0000-0x0000000001536000-memory.dmp

Filesize
408KB

Download
memory/3084-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3084-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4908-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4908-14-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/4908-20-0x0000000004ED0000-0x0000000004F2F000-memory.dmp

Filesize
380KB

Download
memory/4908-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4908-31-0x000000000B600000-0x000000000B63C000-memory.dmp

Filesize
240KB

Download
memory/4908-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4908-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download