381ed44b89a16e5af77c4b8fe1f5795f3ed154d3b0e708ef56a4a8b077734e06

Analysis

max time kernel
144s
max time network
182s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
08-01-2024 10:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b2e08c36c92b2447f5d655c2872322a.exe
Size

771KB
MD5

4b2e08c36c92b2447f5d655c2872322a
SHA1

41f0ce222f20a747ca4220c28eae9ff67d1fb383
SHA256

381ed44b89a16e5af77c4b8fe1f5795f3ed154d3b0e708ef56a4a8b077734e06
SHA512

b3343ddfcaf74d7533a9d04de684f1771c9007674d5cc55e32354c084867e2e97db95e60cb03ab2b92580629a60cf7ed1350a58dded0125113af813bce6da5ff
SSDEEP

12288:Mi7wlcJSfXUpzInSV90cODLJY/x4ajPCmQlb10VHmDXTuFaa2AtyGTKOF25ZoJJf:58XcMyGPg4ajq5b10hJaothZ2/T6FBBB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2732	4b2e08c36c92b2447f5d655c2872322a.exe

Executes dropped EXE 1 IoCs

pid	Process
2732	4b2e08c36c92b2447f5d655c2872322a.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3240	4b2e08c36c92b2447f5d655c2872322a.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3240	4b2e08c36c92b2447f5d655c2872322a.exe
2732	4b2e08c36c92b2447f5d655c2872322a.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3240 wrote to memory of 2732	3240	4b2e08c36c92b2447f5d655c2872322a.exe	93
PID 3240 wrote to memory of 2732	3240	4b2e08c36c92b2447f5d655c2872322a.exe	93
PID 3240 wrote to memory of 2732	3240	4b2e08c36c92b2447f5d655c2872322a.exe	93

C:\Users\Admin\AppData\Local\Temp\4b2e08c36c92b2447f5d655c2872322a.exe
"C:\Users\Admin\AppData\Local\Temp\4b2e08c36c92b2447f5d655c2872322a.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3240
- C:\Users\Admin\AppData\Local\Temp\4b2e08c36c92b2447f5d655c2872322a.exe
  C:\Users\Admin\AppData\Local\Temp\4b2e08c36c92b2447f5d655c2872322a.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4b2e08c36c92b2447f5d655c2872322a.exe

Filesize
771KB

MD5
4408922b2e8a5a7700b5b167cbe68afb

SHA1
b268e65d8500953cc1de6bcc1076df04502dfff5

SHA256
6187dea952f1c0f1d96938681656e41303e6ee31379aca254d42ca59bdfba538

SHA512
792e54a8ce92ebcd0cc4ca8bd39001e7631d8c35d8982ad926d988ba4e691020e4b9d520d7c5735b35915e0908d6427089dfdc682dedd91d99821bcf826b8b98

Download Submit
memory/2732-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2732-15-0x0000000001620000-0x0000000001686000-memory.dmp

Filesize
408KB

Download
memory/2732-20-0x0000000004F50000-0x0000000004FAF000-memory.dmp

Filesize
380KB

Download
memory/2732-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2732-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2732-34-0x000000000B600000-0x000000000B63C000-memory.dmp

Filesize
240KB

Download
memory/2732-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3240-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3240-1-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/3240-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3240-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download