ce15970e8cd8843162440dbd4c1c2b21c11362a48fc6418ba0a8437c32ce0a55

Analysis

max time kernel
135s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
07/01/2024, 13:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4913a8d0750a5f4ed5a9504fbe8ab687.exe
Size

907KB
MD5

4913a8d0750a5f4ed5a9504fbe8ab687
SHA1

befb2e07f7d98731985ddf60827ef328c5ebb6c3
SHA256

ce15970e8cd8843162440dbd4c1c2b21c11362a48fc6418ba0a8437c32ce0a55
SHA512

d19e46454ee1aecb4d6da2cc3111e30a967d26dd6f34604ca6fe7e1ea9e557c4a563b19cae2918a22d69d64006ada6bcd9753bdc6a914240cc498d16a9b40f7b
SSDEEP

12288:qx3mbZpRfxWmz4Nwvtf8r6fEDTCbe+AcqS4UHh15ZxG1djj8AV0HZi5jVDa/ZS1:sWNpRMm5vrEDB+6gh15/IJsHs/a/ZS1

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2284	4913a8d0750a5f4ed5a9504fbe8ab687.exe

Executes dropped EXE 1 IoCs

pid	Process
2284	4913a8d0750a5f4ed5a9504fbe8ab687.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3380	4913a8d0750a5f4ed5a9504fbe8ab687.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3380	4913a8d0750a5f4ed5a9504fbe8ab687.exe
2284	4913a8d0750a5f4ed5a9504fbe8ab687.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3380 wrote to memory of 2284	3380	4913a8d0750a5f4ed5a9504fbe8ab687.exe	19
PID 3380 wrote to memory of 2284	3380	4913a8d0750a5f4ed5a9504fbe8ab687.exe	19
PID 3380 wrote to memory of 2284	3380	4913a8d0750a5f4ed5a9504fbe8ab687.exe	19

C:\Users\Admin\AppData\Local\Temp\4913a8d0750a5f4ed5a9504fbe8ab687.exe
"C:\Users\Admin\AppData\Local\Temp\4913a8d0750a5f4ed5a9504fbe8ab687.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3380
- C:\Users\Admin\AppData\Local\Temp\4913a8d0750a5f4ed5a9504fbe8ab687.exe
  C:\Users\Admin\AppData\Local\Temp\4913a8d0750a5f4ed5a9504fbe8ab687.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4913a8d0750a5f4ed5a9504fbe8ab687.exe

Filesize
381KB

MD5
121c7f4412869c99153acc50933c771d

SHA1
6c129ef5796e99e3ca8dfca32b7a7761cd95cddc

SHA256
bc02257bffd77bcfbd38e69a3c3ab01f9bf84367ce491b15550b6c5c53715a53

SHA512
ad59741caaff0bb860eadb5b56452e9380ca803e4076727c6c3be5d336703ef8e0d3a4028ae13c818b7f145cd6e2e69341251c25f5092a8ef34854b8a15f7a61

Download Submit
memory/2284-16-0x0000000001830000-0x0000000001918000-memory.dmp

Filesize
928KB

Download
memory/2284-21-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2284-20-0x00000000050C0000-0x000000000517B000-memory.dmp

Filesize
748KB

Download
memory/2284-14-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2284-36-0x000000000B800000-0x000000000B898000-memory.dmp

Filesize
608KB

Download
memory/2284-30-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3380-0-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/3380-1-0x00000000016B0000-0x0000000001798000-memory.dmp

Filesize
928KB

Download
memory/3380-2-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/3380-12-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download