7c57c242d8fb1376bcc97b83493965c2677664e0b0eaee5d048acbf329d84d3e

Analysis

max time kernel
149s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
04-01-2024 17:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

417d8f50a774226b55b9fa64ff9be4d9.exe
Size

385KB
MD5

417d8f50a774226b55b9fa64ff9be4d9
SHA1

4dd19f5bbbb4418a7c4b68f301941924ab317a4c
SHA256

7c57c242d8fb1376bcc97b83493965c2677664e0b0eaee5d048acbf329d84d3e
SHA512

60aa4fef9de75e66e14bf03cc3a165fd36e8088c519aa63ebf07b99f373ae76dd0e74b83b97249e43bc951aa0d00653836bec84632e69c5b272e5245ab12687b
SSDEEP

6144:r5ceGlFl6P3HUqLVwna+d+L0TUq6rY0H9iy/2Q8ejB:r6eGl6P30E8a+00TR6rYa9iyh8ejB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2184	417d8f50a774226b55b9fa64ff9be4d9.exe

Executes dropped EXE 1 IoCs

pid	Process
2184	417d8f50a774226b55b9fa64ff9be4d9.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2452	417d8f50a774226b55b9fa64ff9be4d9.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2452	417d8f50a774226b55b9fa64ff9be4d9.exe
2184	417d8f50a774226b55b9fa64ff9be4d9.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2452 wrote to memory of 2184	2452	417d8f50a774226b55b9fa64ff9be4d9.exe	39
PID 2452 wrote to memory of 2184	2452	417d8f50a774226b55b9fa64ff9be4d9.exe	39
PID 2452 wrote to memory of 2184	2452	417d8f50a774226b55b9fa64ff9be4d9.exe	39

C:\Users\Admin\AppData\Local\Temp\417d8f50a774226b55b9fa64ff9be4d9.exe
"C:\Users\Admin\AppData\Local\Temp\417d8f50a774226b55b9fa64ff9be4d9.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2452
- C:\Users\Admin\AppData\Local\Temp\417d8f50a774226b55b9fa64ff9be4d9.exe
  C:\Users\Admin\AppData\Local\Temp\417d8f50a774226b55b9fa64ff9be4d9.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\417d8f50a774226b55b9fa64ff9be4d9.exe

Filesize
82KB

MD5
e5d59a29a8dd156d59678c5106297e6d

SHA1
d896054480fd307527cdded91c3f6db70cf6059b

SHA256
e6a554afce5499bf3b9c74c387c4763f7b1a2c05c511db144421b2bcde1f51bd

SHA512
52b09c342eecc8a91ebf9e65ea45b6271f1f6d689ff1afc4259d9c5df64cccf17390d5b9b388c6bf3a948fd831517cbc6d7bd430b0c0a1658b8ec1b9bade4c88

Download Submit
memory/2184-32-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2184-15-0x00000000014D0000-0x0000000001536000-memory.dmp

Filesize
408KB

Download
memory/2184-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2184-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2184-20-0x0000000004E80000-0x0000000004EDF000-memory.dmp

Filesize
380KB

Download
memory/2184-38-0x000000000C620000-0x000000000C65C000-memory.dmp

Filesize
240KB

Download
memory/2184-37-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2184-39-0x000000000C620000-0x000000000C65C000-memory.dmp

Filesize
240KB

Download
memory/2452-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2452-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2452-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2452-1-0x00000000014D0000-0x0000000001536000-memory.dmp

Filesize
408KB

Download