bf2926ade8f6f6ff6f0cbce945c251cf6644732f49b00b07a37576158d236b60

Analysis

max time kernel
1s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
08/01/2024, 20:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c5b899b1846ce714b77fc6de2d64cdb.exe
Size

385KB
MD5

4c5b899b1846ce714b77fc6de2d64cdb
SHA1

09728d0a4a8ff77af0334668a111f8107174d0c3
SHA256

bf2926ade8f6f6ff6f0cbce945c251cf6644732f49b00b07a37576158d236b60
SHA512

1c8f7f7cdfb30951fa642a8a01c407599095f53536c66f572e0c78a3bb72d47029db44cc86e3fc5dcae0722b478748196e5de5cf0fb8257a7c7b59b2e0d73eba
SSDEEP

6144:+2sPVQyr/+QNNPzciFKfuCB2qDk7gCbp9EFsJqT4js1iI9uslgU1EvTsLdeKqiB:+dr/+UNP9pr7gmp9VYMjs1iIQA+CB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2664	4c5b899b1846ce714b77fc6de2d64cdb.exe

Executes dropped EXE 1 IoCs

pid	Process
2664	4c5b899b1846ce714b77fc6de2d64cdb.exe

Loads dropped DLL 1 IoCs

pid	Process
2104	4c5b899b1846ce714b77fc6de2d64cdb.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2104	4c5b899b1846ce714b77fc6de2d64cdb.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2104	4c5b899b1846ce714b77fc6de2d64cdb.exe
2664	4c5b899b1846ce714b77fc6de2d64cdb.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 2664	2104	4c5b899b1846ce714b77fc6de2d64cdb.exe	16
PID 2104 wrote to memory of 2664	2104	4c5b899b1846ce714b77fc6de2d64cdb.exe	16
PID 2104 wrote to memory of 2664	2104	4c5b899b1846ce714b77fc6de2d64cdb.exe	16
PID 2104 wrote to memory of 2664	2104	4c5b899b1846ce714b77fc6de2d64cdb.exe	16

C:\Users\Admin\AppData\Local\Temp\4c5b899b1846ce714b77fc6de2d64cdb.exe
"C:\Users\Admin\AppData\Local\Temp\4c5b899b1846ce714b77fc6de2d64cdb.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Users\Admin\AppData\Local\Temp\4c5b899b1846ce714b77fc6de2d64cdb.exe
  C:\Users\Admin\AppData\Local\Temp\4c5b899b1846ce714b77fc6de2d64cdb.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4c5b899b1846ce714b77fc6de2d64cdb.exe

Filesize
79KB

MD5
c368d7f853e17be46d3d2ee26da0621c

SHA1
a72a388854949b6f5fbfa7ba045663f13f431eab

SHA256
c9e54d45fe6b6972895612a00647afef18098831517dc43a77cab3669cc688d4

SHA512
6f2868c900b7426172daeee9365eb469b33504a836bf576174dffee7c6c60351b4f54e269f431d2bf99a476dc061d66aec7e6ba659366ad52b2088279af39850

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5BD8.tmp

Filesize
28KB

MD5
11d61379cf48466ce205ae626b6129ba

SHA1
57017a2f3057acfc07f1754fd878d58805e4e98b

SHA256
11c00dbe4d4ed56d80e623b9b1281efb5e0c9be250494f84c3392cf8dee66bff

SHA512
0caec33c4e623a99e4c42e016ed1841835151f4c929de7144f1a899c10468d9d14c4a22df5d421f273c88a95a20abe6d3ec4613811549d145826240818eea557

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5C0A.tmp

Filesize
28KB

MD5
e53607d020fcc3f21c04e9b294782922

SHA1
ccda7f4c3e03713395450e25f0d87805f1228428

SHA256
ffeb8eb5ad660604f0ff9c31d55a02a07f766482b9cb567a990b46a16b8d9dca

SHA512
3441cf75865b92e184d48d2c1c51f0574a6cbf890cf4f0f3b8e50acf7fd6982980778a4280058228049c60ca635d660aa4d719b6e46ac3d98795f39bdb0a4185

Download Submit
\Users\Admin\AppData\Local\Temp\4c5b899b1846ce714b77fc6de2d64cdb.exe

Filesize
57KB

MD5
62c2feff88ed1f31160daf1fdeea47fc

SHA1
081d2fc3be5887a4c9aac2faf8ed16c088a95848

SHA256
de6b0139fdef80aa941460b71ec9d1fd61afc692792afc2f158bab6e48f39427

SHA512
f51295c0d39041ee22a9eb610bdcf2c826405ca0f18269cdb8489965f65e8b4c09cbd7a3c5160fc60103aff3a305d9378d15bc6390ccf47789d0c3f199154e6d

Download Submit
memory/2104-14-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2104-12-0x0000000002DF0000-0x0000000002E56000-memory.dmp

Filesize
408KB

Download
memory/2104-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2104-1-0x0000000000360000-0x00000000003C6000-memory.dmp

Filesize
408KB

Download
memory/2104-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2664-22-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2664-19-0x0000000000250000-0x00000000002B6000-memory.dmp

Filesize
408KB

Download
memory/2664-25-0x0000000001470000-0x00000000014CF000-memory.dmp

Filesize
380KB

Download
memory/2664-76-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2664-82-0x0000000008690000-0x00000000086CC000-memory.dmp

Filesize
240KB

Download
memory/2664-81-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download