a8f6b825fe3c873918f569c47a4cc6734460f2a91a180f3f73961f4d902f1976

Analysis

max time kernel
140s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
04/01/2024, 15:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4137da665242a5af2b3b5a5d2037b02a.exe
Size

907KB
MD5

4137da665242a5af2b3b5a5d2037b02a
SHA1

0266de35305809ec222cc4485dedba61f69e7670
SHA256

a8f6b825fe3c873918f569c47a4cc6734460f2a91a180f3f73961f4d902f1976
SHA512

82bf3f46c2cde568c3cf6d832d30c77ff26b8a4510336b3d6f853e551c338465d9a81f7afadf53cd5c8ea7d2d568788fa4fafa374cdf193ac58d68a3b9ed2842
SSDEEP

24576:1oTFNhyScBdADDJegOgTJHet3jvOavQa/ZS1:YhRE6Tk26QgS

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1396	4137da665242a5af2b3b5a5d2037b02a.exe

Executes dropped EXE 1 IoCs

pid	Process
1396	4137da665242a5af2b3b5a5d2037b02a.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3656	4137da665242a5af2b3b5a5d2037b02a.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3656	4137da665242a5af2b3b5a5d2037b02a.exe
1396	4137da665242a5af2b3b5a5d2037b02a.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3656 wrote to memory of 1396	3656	4137da665242a5af2b3b5a5d2037b02a.exe	66
PID 3656 wrote to memory of 1396	3656	4137da665242a5af2b3b5a5d2037b02a.exe	66
PID 3656 wrote to memory of 1396	3656	4137da665242a5af2b3b5a5d2037b02a.exe	66

C:\Users\Admin\AppData\Local\Temp\4137da665242a5af2b3b5a5d2037b02a.exe
"C:\Users\Admin\AppData\Local\Temp\4137da665242a5af2b3b5a5d2037b02a.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3656
- C:\Users\Admin\AppData\Local\Temp\4137da665242a5af2b3b5a5d2037b02a.exe
  C:\Users\Admin\AppData\Local\Temp\4137da665242a5af2b3b5a5d2037b02a.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4137da665242a5af2b3b5a5d2037b02a.exe

Filesize
79KB

MD5
c4f070c08c24ac51f0ba63cefd759355

SHA1
7cb9f3495ed232f98084201d39fec25a251c7cf1

SHA256
484513bbf98768ebffea9491560f7ce1bacf019ab98582c22fdddab29da6613b

SHA512
37b6b99ea514b5ccf3d3a88af0ad607519a677aa930e69da4a06dc72f45058753e43c26bfbbc2eb232c382bebeb09a6ada41ea8a99e6f64e8542861ae80d6bc3

Download Submit
memory/1396-13-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1396-16-0x0000000001780000-0x0000000001868000-memory.dmp

Filesize
928KB

Download
memory/1396-21-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1396-20-0x0000000005130000-0x00000000051EB000-memory.dmp

Filesize
748KB

Download
memory/1396-36-0x000000000B800000-0x000000000B898000-memory.dmp

Filesize
608KB

Download
memory/1396-33-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3656-0-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/3656-1-0x00000000016F0000-0x00000000017D8000-memory.dmp

Filesize
928KB

Download
memory/3656-2-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/3656-11-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download