a053fa181d9859098cad72ef2fdbadf852e05f068f6d4f0762d5f8893885604f

Analysis

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
08/01/2024, 15:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4bcbc22525e70cd5241dcbd85a854346.exe
Size

771KB
MD5

4bcbc22525e70cd5241dcbd85a854346
SHA1

26e2c5f887f7fe6a55577da68471a00ffed75195
SHA256

a053fa181d9859098cad72ef2fdbadf852e05f068f6d4f0762d5f8893885604f
SHA512

c451d979fd80a3e90f6fd1254e4b9f598db97a501bffbbd552c8d28bc714c5b7c525ca787784908c3a24c5b14d99d76b8afc43d338daef6fd49fcf857cba79a9
SSDEEP

12288:A2LdPAMalpSRC8maPAJWmdP3vPq4Ub10VHmDXTuFaa2AtyGTKOF25ZoJJyhRge8V:A2LdMGiP3vy4Ub10hJaothZ2/T6FBBB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1740	4bcbc22525e70cd5241dcbd85a854346.exe

Executes dropped EXE 1 IoCs

pid	Process
1740	4bcbc22525e70cd5241dcbd85a854346.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
632	4bcbc22525e70cd5241dcbd85a854346.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
632	4bcbc22525e70cd5241dcbd85a854346.exe
1740	4bcbc22525e70cd5241dcbd85a854346.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 632 wrote to memory of 1740	632	4bcbc22525e70cd5241dcbd85a854346.exe	91
PID 632 wrote to memory of 1740	632	4bcbc22525e70cd5241dcbd85a854346.exe	91
PID 632 wrote to memory of 1740	632	4bcbc22525e70cd5241dcbd85a854346.exe	91

C:\Users\Admin\AppData\Local\Temp\4bcbc22525e70cd5241dcbd85a854346.exe
"C:\Users\Admin\AppData\Local\Temp\4bcbc22525e70cd5241dcbd85a854346.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:632
- C:\Users\Admin\AppData\Local\Temp\4bcbc22525e70cd5241dcbd85a854346.exe
  C:\Users\Admin\AppData\Local\Temp\4bcbc22525e70cd5241dcbd85a854346.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4bcbc22525e70cd5241dcbd85a854346.exe

Filesize
771KB

MD5
b1ddcc15b52a17130d6002a75ac4dc4d

SHA1
74ad764fd3f47c363183cdf06598e0dc549ff173

SHA256
948b2454516a5761e866f4dfa9f7d2186f9822d69f595d09b9107c39e2d643a1

SHA512
5263ee30b16d8c3e551aa9fe1a6854a4ed78ff140af8ea0b16ff4263f7c2847b4c0829d6dcacdf82f28ffb516ef8696bb594376152c473a975abec3f37f45375

Download Submit
memory/632-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/632-1-0x00000000014D0000-0x0000000001536000-memory.dmp

Filesize
408KB

Download
memory/632-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/632-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1740-14-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/1740-20-0x0000000001620000-0x000000000167F000-memory.dmp

Filesize
380KB

Download
memory/1740-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1740-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1740-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1740-33-0x000000000B600000-0x000000000B63C000-memory.dmp

Filesize
240KB

Download
memory/1740-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download