dd6b0b11044ddbf022fcc5f36ab2574e43ceebad3c255d23e85a3ea831c54f89

Analysis

max time kernel
123s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
08/01/2024, 13:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b92ebaedad8cf777c9bcf973b6c2dca.exe
Size

385KB
MD5

4b92ebaedad8cf777c9bcf973b6c2dca
SHA1

935770b763263e94c2b13d900e64c88f41086566
SHA256

dd6b0b11044ddbf022fcc5f36ab2574e43ceebad3c255d23e85a3ea831c54f89
SHA512

b008d0f11f1944debeb58b428ada92a2f409f8d8391571947aad9218b172d8be68214e22a58112aeb2e1df75cc6bab472858822bc42530d36de3403cd773a1b2
SSDEEP

6144:44Kpr3WVVSFGY3wigyqZcnyULHht5TXJVmGoDmyGejvYTJkppKbhctM4SuIphsMI:44KxGQGCySn9tboTrNpwcnSuQC2cB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1212	4b92ebaedad8cf777c9bcf973b6c2dca.exe

Executes dropped EXE 1 IoCs

pid	Process
1212	4b92ebaedad8cf777c9bcf973b6c2dca.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
640	4b92ebaedad8cf777c9bcf973b6c2dca.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
640	4b92ebaedad8cf777c9bcf973b6c2dca.exe
1212	4b92ebaedad8cf777c9bcf973b6c2dca.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 640 wrote to memory of 1212	640	4b92ebaedad8cf777c9bcf973b6c2dca.exe	91
PID 640 wrote to memory of 1212	640	4b92ebaedad8cf777c9bcf973b6c2dca.exe	91
PID 640 wrote to memory of 1212	640	4b92ebaedad8cf777c9bcf973b6c2dca.exe	91

C:\Users\Admin\AppData\Local\Temp\4b92ebaedad8cf777c9bcf973b6c2dca.exe
"C:\Users\Admin\AppData\Local\Temp\4b92ebaedad8cf777c9bcf973b6c2dca.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:640
- C:\Users\Admin\AppData\Local\Temp\4b92ebaedad8cf777c9bcf973b6c2dca.exe
  C:\Users\Admin\AppData\Local\Temp\4b92ebaedad8cf777c9bcf973b6c2dca.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4b92ebaedad8cf777c9bcf973b6c2dca.exe

Filesize
57KB

MD5
c637b83e122a3609ee0941d14ae03428

SHA1
62f1f84366d7e4a7dfa2f826b84b22050d6c0834

SHA256
a89eea04cabf763896c4f025bdb4b1e8b492ae68fb4b4cde2aab9905a5de3275

SHA512
382bcecde3174861612251184253ff9a9171c7260c415327a4d8af44be69dde24b96d898926c399e42b88784c260c96e410876ef3d245b9098501d611592bbbf

Download Submit
memory/640-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/640-1-0x00000000015E0000-0x0000000001646000-memory.dmp

Filesize
408KB

Download
memory/640-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/640-12-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1212-14-0x00000000014D0000-0x0000000001536000-memory.dmp

Filesize
408KB

Download
memory/1212-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1212-21-0x0000000004EA0000-0x0000000004EFF000-memory.dmp

Filesize
380KB

Download
memory/1212-20-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1212-32-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1212-38-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1212-37-0x000000000B620000-0x000000000B65C000-memory.dmp

Filesize
240KB

Download