abc0ff1364cd696b2aeb37cca416da7910978b6397d256d5056187333502ca62

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
06/01/2024, 23:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

477edad37836e9afad205425a9cf7fcc.exe
Size

385KB
MD5

477edad37836e9afad205425a9cf7fcc
SHA1

7528650f802b758ab694aacd022a3a2ef5633d37
SHA256

abc0ff1364cd696b2aeb37cca416da7910978b6397d256d5056187333502ca62
SHA512

1e91ea3dd01cdc6b7568548780ec6093154796a24cdf86f163b125a223c5f5702c79cb56ce7f7a50df52b41a864b8e1a0a867c4aa8d3b86a085afcfd7f20dcd7
SSDEEP

6144:jXmmeux/tRSBGgXdK/0qckaG3X8ewJBXzlrhN1TW4cbdaWohPnm+TlbZyGmhB:jXmme+VSt7UX8eyRhNpWpb+1QGmhB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3960	477edad37836e9afad205425a9cf7fcc.exe

Executes dropped EXE 1 IoCs

pid	Process
3960	477edad37836e9afad205425a9cf7fcc.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4140	477edad37836e9afad205425a9cf7fcc.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4140	477edad37836e9afad205425a9cf7fcc.exe
3960	477edad37836e9afad205425a9cf7fcc.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4140 wrote to memory of 3960	4140	477edad37836e9afad205425a9cf7fcc.exe	92
PID 4140 wrote to memory of 3960	4140	477edad37836e9afad205425a9cf7fcc.exe	92
PID 4140 wrote to memory of 3960	4140	477edad37836e9afad205425a9cf7fcc.exe	92

C:\Users\Admin\AppData\Local\Temp\477edad37836e9afad205425a9cf7fcc.exe
"C:\Users\Admin\AppData\Local\Temp\477edad37836e9afad205425a9cf7fcc.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4140
- C:\Users\Admin\AppData\Local\Temp\477edad37836e9afad205425a9cf7fcc.exe
  C:\Users\Admin\AppData\Local\Temp\477edad37836e9afad205425a9cf7fcc.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:3960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\477edad37836e9afad205425a9cf7fcc.exe

Filesize
385KB

MD5
cd8979e71dd03af06883cc74610076c8

SHA1
832e9a8a40a8ae1c3467a1d5ee239a3d10a2506e

SHA256
b894febce66d2c9e3e0bf43402f7c4790b590f044a220f04e4a1aefb9ae2a2d8

SHA512
9c8fbd0fd809555514d69fadd1a9d2c8e8c2de9f226b27bc2bd97cb3a25fc970498e258dd991d403b70b68bb5a3fa7441432eb35f39ea451a223ee4413667a19

Download Submit
memory/3960-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3960-14-0x00000000015D0000-0x0000000001636000-memory.dmp

Filesize
408KB

Download
memory/3960-20-0x0000000004EA0000-0x0000000004EFF000-memory.dmp

Filesize
380KB

Download
memory/3960-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3960-32-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3960-35-0x000000000C620000-0x000000000C65C000-memory.dmp

Filesize
240KB

Download
memory/3960-38-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4140-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4140-1-0x0000000000140000-0x00000000001A6000-memory.dmp

Filesize
408KB

Download
memory/4140-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4140-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download