35b1108749bee00cf4bc02d85c89639d19227389182edcff7d9dc4bf7e4f1c34

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
07/01/2024, 11:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

48c9a66da61057450239ea47f9e8341b.exe
Size

771KB
MD5

48c9a66da61057450239ea47f9e8341b
SHA1

2540b8e02610d01f9bb00dc67dff2c8e0c4fe43e
SHA256

35b1108749bee00cf4bc02d85c89639d19227389182edcff7d9dc4bf7e4f1c34
SHA512

235217b1cf1d49091cb5e2cd1776eefabc8945c4700dc92941bcdcac47dd3d4441bc4af8f3acb40db2c7ff7e82179beb60e934c4be083b1cff291d36f8ec057a
SSDEEP

24576:vAguFEGKIVzpkWw0MHAMDf8b10hJaothZ2/T6FBBB:YgtGBVzpkW76u/ofT

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4856	48c9a66da61057450239ea47f9e8341b.exe

Executes dropped EXE 1 IoCs

pid	Process
4856	48c9a66da61057450239ea47f9e8341b.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3952	48c9a66da61057450239ea47f9e8341b.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3952	48c9a66da61057450239ea47f9e8341b.exe
4856	48c9a66da61057450239ea47f9e8341b.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3952 wrote to memory of 4856	3952	48c9a66da61057450239ea47f9e8341b.exe	91
PID 3952 wrote to memory of 4856	3952	48c9a66da61057450239ea47f9e8341b.exe	91
PID 3952 wrote to memory of 4856	3952	48c9a66da61057450239ea47f9e8341b.exe	91

C:\Users\Admin\AppData\Local\Temp\48c9a66da61057450239ea47f9e8341b.exe
"C:\Users\Admin\AppData\Local\Temp\48c9a66da61057450239ea47f9e8341b.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3952
- C:\Users\Admin\AppData\Local\Temp\48c9a66da61057450239ea47f9e8341b.exe
  C:\Users\Admin\AppData\Local\Temp\48c9a66da61057450239ea47f9e8341b.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:4856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\48c9a66da61057450239ea47f9e8341b.exe

Filesize
381KB

MD5
99647f8243eb4da228aaefa3db16e5d5

SHA1
5faf38b373d06351ae874d4caff582aa02f8d615

SHA256
5321b71075076f106388563245ab5899fdf9a4ce698b30fb5ab77649ab5354fd

SHA512
3cf41f1e7b888d42d3f92ff49300e58a2f458716d80566ab57b2ca90de606d1ed7dc2f22e42d1a7108182d52f7d1078ad6830b3444808866409edeba71df11ee

Download Submit
memory/3952-1-0x00000000015F0000-0x0000000001656000-memory.dmp

Filesize
408KB

Download
memory/3952-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3952-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3952-12-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4856-14-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4856-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4856-20-0x0000000004ED0000-0x0000000004F2F000-memory.dmp

Filesize
380KB

Download
memory/4856-17-0x00000000014D0000-0x0000000001536000-memory.dmp

Filesize
408KB

Download
memory/4856-32-0x000000000B610000-0x000000000B64C000-memory.dmp

Filesize
240KB

Download
memory/4856-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4856-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download