1d80cc826b36f2a7c03e8c466004a6fb763e781bf71141529ce013760db0c13b

Analysis

max time kernel
138s
max time network
175s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
06/01/2024, 00:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

44e039da994eb8fbcdb4cf0ed2829f3e.exe
Size

216KB
MD5

44e039da994eb8fbcdb4cf0ed2829f3e
SHA1

7102df53933bf8425b82166779f639ec26a844f8
SHA256

1d80cc826b36f2a7c03e8c466004a6fb763e781bf71141529ce013760db0c13b
SHA512

4df38fcde74e5e99010d64d56bd06f16c581d40bc3660a77aea260dc639039c38df62b87a6bcb8bff7bb99026e5de05a9f60ff03c03fdec427ce124a53f62b7c
SSDEEP

6144:VaAf8Wn3gO/hXXsrwAOLO0dWbNmo0qyBEDw:VXDn/F4gLOcpqG

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4624	RemoteAbc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4624 set thread context of 1764	4624	RemoteAbc.exe	95

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\RemoteAbc.exe	44e039da994eb8fbcdb4cf0ed2829f3e.exe
File opened for modification	C:\Windows\RemoteAbc.exe	44e039da994eb8fbcdb4cf0ed2829f3e.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1264 wrote to memory of 1528	1264	44e039da994eb8fbcdb4cf0ed2829f3e.exe	94
PID 1264 wrote to memory of 1528	1264	44e039da994eb8fbcdb4cf0ed2829f3e.exe	94
PID 1264 wrote to memory of 1528	1264	44e039da994eb8fbcdb4cf0ed2829f3e.exe	94
PID 4624 wrote to memory of 1764	4624	RemoteAbc.exe	95
PID 4624 wrote to memory of 1764	4624	RemoteAbc.exe	95
PID 4624 wrote to memory of 1764	4624	RemoteAbc.exe	95
PID 4624 wrote to memory of 1764	4624	RemoteAbc.exe	95
PID 4624 wrote to memory of 1764	4624	RemoteAbc.exe	95

C:\Users\Admin\AppData\Local\Temp\44e039da994eb8fbcdb4cf0ed2829f3e.exe
"C:\Users\Admin\AppData\Local\Temp\44e039da994eb8fbcdb4cf0ed2829f3e.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1264
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\3466.bat
  2⤵
  PID:1528

C:\Windows\RemoteAbc.exe
C:\Windows\RemoteAbc.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4624
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" 63582
  2⤵
  PID:1764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1764 -ip 1764
1⤵
PID:2732

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3466.bat

Filesize
198B

MD5
4f2348b79d4b35bc06f6cba93d9d8f4a

SHA1
e6d038336a70c131f2e4049dc5044f110cbaf710

SHA256
1dc0162e3ac0d20b985b156241dec7c9c9d4c327dde087f454d7043b4ee14a71

SHA512
cf7c3ac64b683b75c02bde8f28aab7b5011700d8d5427474c607e8d29b3d7390b75850caa9e4f7d0d5f83d251b76705ede644f0c7d6f2f0135fcfc9732a63ebb

Download Submit
C:\Windows\RemoteAbc.exe

Filesize
216KB

MD5
44e039da994eb8fbcdb4cf0ed2829f3e

SHA1
7102df53933bf8425b82166779f639ec26a844f8

SHA256
1d80cc826b36f2a7c03e8c466004a6fb763e781bf71141529ce013760db0c13b

SHA512
4df38fcde74e5e99010d64d56bd06f16c581d40bc3660a77aea260dc639039c38df62b87a6bcb8bff7bb99026e5de05a9f60ff03c03fdec427ce124a53f62b7c

Download Submit
memory/1264-0-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/1264-1-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/1264-2-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/1264-3-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/1264-12-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/1264-18-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/1764-16-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/4624-11-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/4624-13-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

Filesize
4KB

Download
memory/4624-19-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads