837a2fd2b50cbc54674f6e6f7cda3b55f2a4f98543d21e8dc8838a0427459ee7

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
08/01/2024, 04:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4a796a6de8f51feb63ce21c659030e8b.exe
Size

907KB
MD5

4a796a6de8f51feb63ce21c659030e8b
SHA1

18ec95dddfb29f25c280607fdc1f7f4a39e22f54
SHA256

837a2fd2b50cbc54674f6e6f7cda3b55f2a4f98543d21e8dc8838a0427459ee7
SHA512

4e3cecaea243e55d9b9a5f183e9ea21b0e181fbc97d9adc39b3ecbb76f922a303dd73ab01f08049a82f85c0eb5ad0423866cb50d7400e7d4b84178555d662895
SSDEEP

24576:0fh7wiCOaj/qUkoxyASvezeZUJ3SJkieSFpZAX+u46a/ZS1:eRkqmfSveyceFpZAX+uPgS

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4464	4a796a6de8f51feb63ce21c659030e8b.exe

Executes dropped EXE 1 IoCs

pid	Process
4464	4a796a6de8f51feb63ce21c659030e8b.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3856	4a796a6de8f51feb63ce21c659030e8b.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3856	4a796a6de8f51feb63ce21c659030e8b.exe
4464	4a796a6de8f51feb63ce21c659030e8b.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3856 wrote to memory of 4464	3856	4a796a6de8f51feb63ce21c659030e8b.exe	90
PID 3856 wrote to memory of 4464	3856	4a796a6de8f51feb63ce21c659030e8b.exe	90
PID 3856 wrote to memory of 4464	3856	4a796a6de8f51feb63ce21c659030e8b.exe	90

C:\Users\Admin\AppData\Local\Temp\4a796a6de8f51feb63ce21c659030e8b.exe
"C:\Users\Admin\AppData\Local\Temp\4a796a6de8f51feb63ce21c659030e8b.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3856
- C:\Users\Admin\AppData\Local\Temp\4a796a6de8f51feb63ce21c659030e8b.exe
  C:\Users\Admin\AppData\Local\Temp\4a796a6de8f51feb63ce21c659030e8b.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:4464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4a796a6de8f51feb63ce21c659030e8b.exe

Filesize
829KB

MD5
7ddd89db08e02e9ef87975fd779d8674

SHA1
eadb3ddc00d4ac32231fb57475c0ccd931453f3e

SHA256
c3da690953a7b31eda9f912b5b010491c8556fb1fdd28202723ca18b27fb57b7

SHA512
c1f0da4453e7de60f50d07a5f1a4671365f221064b388bed4d6416ef8a48fa1edb346309098aac3a2c688740ed55129fee5a944334f9e57823273a2e97ad2fba

Download Submit
memory/3856-0-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/3856-1-0x00000000016F0000-0x00000000017D8000-memory.dmp

Filesize
928KB

Download
memory/3856-2-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/3856-11-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/4464-13-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/4464-15-0x00000000016D0000-0x00000000017B8000-memory.dmp

Filesize
928KB

Download
memory/4464-21-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/4464-20-0x0000000005170000-0x000000000522B000-memory.dmp

Filesize
748KB

Download
memory/4464-31-0x000000000B800000-0x000000000B898000-memory.dmp

Filesize
608KB

Download
memory/4464-30-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download