Analysis Overview
SHA256
73ac6274a893dea6fcd3d0eb1a465ebe9138d99c3ad931484cd393cf579fb723
Threat Level: Shows suspicious behavior
The file 4a6837a8b5cc5c018e8d04f173e4bb91 was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Deletes itself
Unsigned PE
Suspicious behavior: RenamesItself
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-01-08 04:12
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-08 04:12
Reported
2024-01-08 04:15
Platform
win7-20231129-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4a6837a8b5cc5c018e8d04f173e4bb91.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4a6837a8b5cc5c018e8d04f173e4bb91.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4a6837a8b5cc5c018e8d04f173e4bb91.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4a6837a8b5cc5c018e8d04f173e4bb91.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4a6837a8b5cc5c018e8d04f173e4bb91.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4a6837a8b5cc5c018e8d04f173e4bb91.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2732 wrote to memory of 2352 | N/A | C:\Users\Admin\AppData\Local\Temp\4a6837a8b5cc5c018e8d04f173e4bb91.exe | C:\Users\Admin\AppData\Local\Temp\4a6837a8b5cc5c018e8d04f173e4bb91.exe |
| PID 2732 wrote to memory of 2352 | N/A | C:\Users\Admin\AppData\Local\Temp\4a6837a8b5cc5c018e8d04f173e4bb91.exe | C:\Users\Admin\AppData\Local\Temp\4a6837a8b5cc5c018e8d04f173e4bb91.exe |
| PID 2732 wrote to memory of 2352 | N/A | C:\Users\Admin\AppData\Local\Temp\4a6837a8b5cc5c018e8d04f173e4bb91.exe | C:\Users\Admin\AppData\Local\Temp\4a6837a8b5cc5c018e8d04f173e4bb91.exe |
| PID 2732 wrote to memory of 2352 | N/A | C:\Users\Admin\AppData\Local\Temp\4a6837a8b5cc5c018e8d04f173e4bb91.exe | C:\Users\Admin\AppData\Local\Temp\4a6837a8b5cc5c018e8d04f173e4bb91.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\4a6837a8b5cc5c018e8d04f173e4bb91.exe
"C:\Users\Admin\AppData\Local\Temp\4a6837a8b5cc5c018e8d04f173e4bb91.exe"
C:\Users\Admin\AppData\Local\Temp\4a6837a8b5cc5c018e8d04f173e4bb91.exe
C:\Users\Admin\AppData\Local\Temp\4a6837a8b5cc5c018e8d04f173e4bb91.exe
Network
Files
memory/2732-0-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2732-1-0x0000000000140000-0x000000000016F000-memory.dmp
memory/2732-2-0x0000000000400000-0x000000000041B000-memory.dmp
\Users\Admin\AppData\Local\Temp\4a6837a8b5cc5c018e8d04f173e4bb91.exe
| MD5 | eb653de9002b9be138f06fc833564b2c |
| SHA1 | 1316ec7f4d971ad0db48286659e5cc15d4a94124 |
| SHA256 | 7a4d7fb1cf5feb7c6c3c66cfcb228a64f213a3544669b145e97243c4cebcba91 |
| SHA512 | 5842591eafc31466d902f00fa8f04ee25e0bbeb6720ae6dd9c430f719375a881a047347d72340917cf68e5ab821ab9de0b8c4d4f2beb971cbf19952bc5b6c148 |
memory/2352-17-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2732-14-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2352-19-0x0000000000140000-0x000000000016F000-memory.dmp
memory/2352-23-0x0000000000400000-0x000000000040E000-memory.dmp
memory/2352-28-0x00000000001B0000-0x00000000001CB000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-08 04:12
Reported
2024-01-08 04:15
Platform
win10v2004-20231222-en
Max time kernel
145s
Max time network
151s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4a6837a8b5cc5c018e8d04f173e4bb91.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4a6837a8b5cc5c018e8d04f173e4bb91.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4a6837a8b5cc5c018e8d04f173e4bb91.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4a6837a8b5cc5c018e8d04f173e4bb91.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4a6837a8b5cc5c018e8d04f173e4bb91.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2436 wrote to memory of 1140 | N/A | C:\Users\Admin\AppData\Local\Temp\4a6837a8b5cc5c018e8d04f173e4bb91.exe | C:\Users\Admin\AppData\Local\Temp\4a6837a8b5cc5c018e8d04f173e4bb91.exe |
| PID 2436 wrote to memory of 1140 | N/A | C:\Users\Admin\AppData\Local\Temp\4a6837a8b5cc5c018e8d04f173e4bb91.exe | C:\Users\Admin\AppData\Local\Temp\4a6837a8b5cc5c018e8d04f173e4bb91.exe |
| PID 2436 wrote to memory of 1140 | N/A | C:\Users\Admin\AppData\Local\Temp\4a6837a8b5cc5c018e8d04f173e4bb91.exe | C:\Users\Admin\AppData\Local\Temp\4a6837a8b5cc5c018e8d04f173e4bb91.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\4a6837a8b5cc5c018e8d04f173e4bb91.exe
C:\Users\Admin\AppData\Local\Temp\4a6837a8b5cc5c018e8d04f173e4bb91.exe
C:\Users\Admin\AppData\Local\Temp\4a6837a8b5cc5c018e8d04f173e4bb91.exe
"C:\Users\Admin\AppData\Local\Temp\4a6837a8b5cc5c018e8d04f173e4bb91.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
| N/A | 51.124.78.146:443 | | tcp |
| N/A | 51.124.78.146:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| N/A | 51.124.78.146:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| N/A | 20.123.104.105:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| N/A | 20.12.23.50:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| GB | 96.16.110.114:80 | | tcp |
| GB | 96.16.110.41:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| N/A | 20.123.104.105:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| N/A | 20.82.154.241:443 | | tcp |
| N/A | 20.12.23.50:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| N/A | 20.12.23.50:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| N/A | 20.12.23.50:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| N/A | 20.242.39.171:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| N/A | 20.12.23.50:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| N/A | 20.12.23.50:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 93.184.221.240:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 92.123.241.104:80 | | tcp |
| US | 92.123.241.104:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| N/A | 20.123.104.105:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| N/A | 20.54.110.119:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | 67.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
| GB | 88.221.134.64:80 | | tcp |
| GB | 88.221.134.64:80 | | tcp |
| GB | 88.221.134.64:80 | | tcp |
| GB | 88.221.134.64:80 | | tcp |
| GB | 88.221.134.64:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| GB | 88.221.134.64:80 | | tcp |
| GB | 88.221.134.64:80 | | tcp |
| GB | 88.221.134.64:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 204.79.197.200:443 | | tcp |
| US | 204.79.197.200:443 | | tcp |
| US | 204.79.197.200:443 | | tcp |
| US | 204.79.197.200:443 | | tcp |
Files
memory/2436-0-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2436-2-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1140-13-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1140-25-0x00000000014E0000-0x00000000014FB000-memory.dmp
memory/1140-20-0x0000000000400000-0x000000000040E000-memory.dmp
memory/1140-14-0x00000000001B0000-0x00000000001DF000-memory.dmp
memory/2436-11-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2436-1-0x00000000000F0000-0x000000000011F000-memory.dmp