70071249fa7a9030972e8ccc3bcb9a2614075669526b14dd057ef0a04d40d695

Analysis

max time kernel
146s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
06/01/2024, 15:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

468ad14e40f689f33568cfd2f5c187c0.exe
Size

385KB
MD5

468ad14e40f689f33568cfd2f5c187c0
SHA1

2037da359ebe0da7a96ae8a6da72726610f3bb49
SHA256

70071249fa7a9030972e8ccc3bcb9a2614075669526b14dd057ef0a04d40d695
SHA512

34994765aac462c791121e29151e0fd07cb40232ea7a7fd1e496d9751ef5ee22682c407de247b164433c24d9f75d66a9119493d1884a5580056309da23a15199
SSDEEP

12288:zXtwOqgga2eKxE932nr8Xbo6uC8HX6kXpO0RgwB:aOqrHy8gLiCeX6urfB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
940	468ad14e40f689f33568cfd2f5c187c0.exe

Executes dropped EXE 1 IoCs

pid	Process
940	468ad14e40f689f33568cfd2f5c187c0.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1468	468ad14e40f689f33568cfd2f5c187c0.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1468	468ad14e40f689f33568cfd2f5c187c0.exe
940	468ad14e40f689f33568cfd2f5c187c0.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1468 wrote to memory of 940	1468	468ad14e40f689f33568cfd2f5c187c0.exe	92
PID 1468 wrote to memory of 940	1468	468ad14e40f689f33568cfd2f5c187c0.exe	92
PID 1468 wrote to memory of 940	1468	468ad14e40f689f33568cfd2f5c187c0.exe	92

C:\Users\Admin\AppData\Local\Temp\468ad14e40f689f33568cfd2f5c187c0.exe
"C:\Users\Admin\AppData\Local\Temp\468ad14e40f689f33568cfd2f5c187c0.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1468
- C:\Users\Admin\AppData\Local\Temp\468ad14e40f689f33568cfd2f5c187c0.exe
  C:\Users\Admin\AppData\Local\Temp\468ad14e40f689f33568cfd2f5c187c0.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\468ad14e40f689f33568cfd2f5c187c0.exe

Filesize
382KB

MD5
ff7ec4536cc9325b5b22d4ece84dc784

SHA1
91d9d8b56a218c286f44146aa09f46b8caba637b

SHA256
e44132f21bc09698b186e142387c2dbc587965a0dda829789022c0c00da19936

SHA512
931120c42bd60fbd6bddf0fa3212d1beac0caf74ac324c6fee3a824774ad0dc103da4e58ee05efaa61195ca245eff011778dd6e263e8ffac0032a10346a2721f

Download Submit
memory/940-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/940-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/940-20-0x0000000004EA0000-0x0000000004EFF000-memory.dmp

Filesize
380KB

Download
memory/940-16-0x0000000001610000-0x0000000001676000-memory.dmp

Filesize
408KB

Download
memory/940-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/940-34-0x000000000B600000-0x000000000B63C000-memory.dmp

Filesize
240KB

Download
memory/940-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1468-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1468-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1468-1-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/1468-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download