5dcb11214c634730a619693de917848b61b490fe99db2d294874548d2de1bfe2

Analysis

max time kernel
146s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
08/01/2024, 09:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b11f72bb5813496e8d37e62de96b877.exe
Size

385KB
MD5

4b11f72bb5813496e8d37e62de96b877
SHA1

0c8c87483c1787d5fea13db2edc149ad39926123
SHA256

5dcb11214c634730a619693de917848b61b490fe99db2d294874548d2de1bfe2
SHA512

4df90176f1ab7b223167fdba8ca2c7bdfe7bff1ab0af8d6aa3409fb09f94993d57ba8160416f24fe0f0f0644a0252d4955fc4a246037879c46d58f94ab413e3c
SSDEEP

12288:uCo+i/UrYXcyRxmJuADUSrU8tFF59Vw9B:ReJcY0JuABUCn59SB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4576	4b11f72bb5813496e8d37e62de96b877.exe

Executes dropped EXE 1 IoCs

pid	Process
4576	4b11f72bb5813496e8d37e62de96b877.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4940	4b11f72bb5813496e8d37e62de96b877.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4940	4b11f72bb5813496e8d37e62de96b877.exe
4576	4b11f72bb5813496e8d37e62de96b877.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4940 wrote to memory of 4576	4940	4b11f72bb5813496e8d37e62de96b877.exe	19
PID 4940 wrote to memory of 4576	4940	4b11f72bb5813496e8d37e62de96b877.exe	19
PID 4940 wrote to memory of 4576	4940	4b11f72bb5813496e8d37e62de96b877.exe	19

C:\Users\Admin\AppData\Local\Temp\4b11f72bb5813496e8d37e62de96b877.exe
"C:\Users\Admin\AppData\Local\Temp\4b11f72bb5813496e8d37e62de96b877.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4940
- C:\Users\Admin\AppData\Local\Temp\4b11f72bb5813496e8d37e62de96b877.exe
  C:\Users\Admin\AppData\Local\Temp\4b11f72bb5813496e8d37e62de96b877.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:4576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4b11f72bb5813496e8d37e62de96b877.exe

Filesize
92KB

MD5
2728aad05854743e253544a90098c48b

SHA1
ad34e62cd5455dc5bef2d4f8da19bbd2f135eeda

SHA256
9ae041476b1eff357246ecdb7d4ca16437c0b84165ede47aac2609b7e5a03596

SHA512
be4e535d640d4cb4f558dd2d2637f9cd8d33b88de376e87bcc7d0dce83f9da83ac6dc1e7005cc2f49243701349baa47416aa207f789cbad8f42ebbd3f99db2ac

Download Submit
memory/4576-14-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4576-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4576-20-0x0000000004EA0000-0x0000000004EFF000-memory.dmp

Filesize
380KB

Download
memory/4576-17-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/4576-36-0x000000000C620000-0x000000000C65C000-memory.dmp

Filesize
240KB

Download
memory/4576-38-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4576-32-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4940-1-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/4940-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4940-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4940-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download