2dcfdb0f8ddaa40c444b3c9d4b00fc98fd4426ac5d2831afd96579dd4e435aa7

Analysis

max time kernel
143s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
08/01/2024, 22:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4caaa5fab41462bc6eb1f386b6f95c81.exe
Size

385KB
MD5

4caaa5fab41462bc6eb1f386b6f95c81
SHA1

421d3f01b9107a7b7de5f5357038ae7e6de0f421
SHA256

2dcfdb0f8ddaa40c444b3c9d4b00fc98fd4426ac5d2831afd96579dd4e435aa7
SHA512

dc310b9e286cfcde8392786751659353ef354762d15230dae31a7364202ef2c5dd6876347215cb0d3fe367f468b85540ee6291775b3ae6591eef170314725fba
SSDEEP

6144:3ID0M28Uc9/iUomLOWevxh5yU/5f3VeOtQsBFRyp8FILFPuai19WSJc1hSB:3ID0MB9/ad7yU/h3gUup88P7qWSeqB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4824	4caaa5fab41462bc6eb1f386b6f95c81.exe

Executes dropped EXE 1 IoCs

pid	Process
4824	4caaa5fab41462bc6eb1f386b6f95c81.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1820	4caaa5fab41462bc6eb1f386b6f95c81.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1820	4caaa5fab41462bc6eb1f386b6f95c81.exe
4824	4caaa5fab41462bc6eb1f386b6f95c81.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1820 wrote to memory of 4824	1820	4caaa5fab41462bc6eb1f386b6f95c81.exe	89
PID 1820 wrote to memory of 4824	1820	4caaa5fab41462bc6eb1f386b6f95c81.exe	89
PID 1820 wrote to memory of 4824	1820	4caaa5fab41462bc6eb1f386b6f95c81.exe	89

C:\Users\Admin\AppData\Local\Temp\4caaa5fab41462bc6eb1f386b6f95c81.exe
"C:\Users\Admin\AppData\Local\Temp\4caaa5fab41462bc6eb1f386b6f95c81.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Users\Admin\AppData\Local\Temp\4caaa5fab41462bc6eb1f386b6f95c81.exe
  C:\Users\Admin\AppData\Local\Temp\4caaa5fab41462bc6eb1f386b6f95c81.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:4824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4caaa5fab41462bc6eb1f386b6f95c81.exe

Filesize
385KB

MD5
82670608c76f0c61a47735d218d2a663

SHA1
8b3ed4975e7563f8305f8974bb504cf75984d3c1

SHA256
59a02cce2b67a3c6184da53c9d3d3d58d98bc41309927f8ac34c030e89bb3eea

SHA512
a682c00cfc5b09cfa25ab6ce3454d3b13361081d6a2f045a3e2540b74839c79cbc13d12eeaabb3b75258caac2777fcc1c610fda398489338022e822433ab8f01

Download Submit
memory/1820-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1820-1-0x00000000014D0000-0x0000000001536000-memory.dmp

Filesize
408KB

Download
memory/1820-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1820-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4824-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4824-15-0x0000000001600000-0x0000000001666000-memory.dmp

Filesize
408KB

Download
memory/4824-20-0x0000000004ED0000-0x0000000004F2F000-memory.dmp

Filesize
380KB

Download
memory/4824-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4824-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4824-35-0x000000000B600000-0x000000000B63C000-memory.dmp

Filesize
240KB

Download
memory/4824-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download