e8df279c68dd14f9d277b50d382b320ed655cf3de505e550d91d354222f76fa8

Analysis

max time kernel
126s
max time network
171s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
06-01-2024 03:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

452d1210d921d4ba0d909b450e324d49.exe
Size

907KB
MD5

452d1210d921d4ba0d909b450e324d49
SHA1

ff1755049a332bb36e845c6777136757fd6d6509
SHA256

e8df279c68dd14f9d277b50d382b320ed655cf3de505e550d91d354222f76fa8
SHA512

ca9cc9e617106170d02f5c47c5e2baf7953f4061d2a18647efae87d0edd23e77dfa97fb62a7be624a666de4c1a8c74307590927cf5dd6f01bef8544705d057e5
SSDEEP

24576:2TtgPNP4bHtzdxxExexv7kxw4aaRloCHonFWNa/ZS1:2TtgPB4bNpExeN7M1aa/FSQNgS

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1332	452d1210d921d4ba0d909b450e324d49.exe

Executes dropped EXE 1 IoCs

pid	Process
1332	452d1210d921d4ba0d909b450e324d49.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4588	452d1210d921d4ba0d909b450e324d49.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4588	452d1210d921d4ba0d909b450e324d49.exe
1332	452d1210d921d4ba0d909b450e324d49.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4588 wrote to memory of 1332	4588	452d1210d921d4ba0d909b450e324d49.exe	92
PID 4588 wrote to memory of 1332	4588	452d1210d921d4ba0d909b450e324d49.exe	92
PID 4588 wrote to memory of 1332	4588	452d1210d921d4ba0d909b450e324d49.exe	92

C:\Users\Admin\AppData\Local\Temp\452d1210d921d4ba0d909b450e324d49.exe
"C:\Users\Admin\AppData\Local\Temp\452d1210d921d4ba0d909b450e324d49.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4588
- C:\Users\Admin\AppData\Local\Temp\452d1210d921d4ba0d909b450e324d49.exe
  C:\Users\Admin\AppData\Local\Temp\452d1210d921d4ba0d909b450e324d49.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\452d1210d921d4ba0d909b450e324d49.exe

Filesize
907KB

MD5
916028387aec033de803ceaa22e5b476

SHA1
ab53928fe5b16f867cb5946b341fb090f18113c8

SHA256
3760db004a7638b3480ef9ee50d31ed59f64a91048020283bc48d9a34f268421

SHA512
e647f42eb0fa718cfa754f2f5b11ce72b5ab3f33759ad15fb810f3800f3a4206ed894f59a57d0caa768027e60746fdeaea0c626e69743f33508426699f5d9fb7

Download Submit
memory/1332-13-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1332-14-0x00000000015B0000-0x0000000001698000-memory.dmp

Filesize
928KB

Download
memory/1332-20-0x00000000050F0000-0x00000000051AB000-memory.dmp

Filesize
748KB

Download
memory/1332-21-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1332-30-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1332-33-0x000000000C850000-0x000000000C8E8000-memory.dmp

Filesize
608KB

Download
memory/4588-0-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/4588-1-0x00000000015B0000-0x0000000001698000-memory.dmp

Filesize
928KB

Download
memory/4588-2-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/4588-11-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download