1480b1f0c6df4e5095d0d43017c898b9e406cd830b6dfe6c23ea97c78f600869

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
09/01/2024, 05:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4d73339049bb1d49414ae4275b7f1694.exe
Size

771KB
MD5

4d73339049bb1d49414ae4275b7f1694
SHA1

2f85a4153232bb0005a6d112acc84fba8ff78556
SHA256

1480b1f0c6df4e5095d0d43017c898b9e406cd830b6dfe6c23ea97c78f600869
SHA512

1062371685e220e4645bb95cb7d6d47b22a5b28797091ca004576014eb0a275df139e9fcc65eae076303c8b8b62857e8fa166868bdeac04106b3877303e0d587
SSDEEP

24576:+YcOi6743ZBQQ8J59XNjtvZWqEIz6qrfiTMB:+YcP674JBQQ8ZXHZQe6q7iT2

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4660	4d73339049bb1d49414ae4275b7f1694.exe

Executes dropped EXE 1 IoCs

pid	Process
4660	4d73339049bb1d49414ae4275b7f1694.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4728	4d73339049bb1d49414ae4275b7f1694.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4728	4d73339049bb1d49414ae4275b7f1694.exe
4660	4d73339049bb1d49414ae4275b7f1694.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4728 wrote to memory of 4660	4728	4d73339049bb1d49414ae4275b7f1694.exe	49
PID 4728 wrote to memory of 4660	4728	4d73339049bb1d49414ae4275b7f1694.exe	49
PID 4728 wrote to memory of 4660	4728	4d73339049bb1d49414ae4275b7f1694.exe	49

C:\Users\Admin\AppData\Local\Temp\4d73339049bb1d49414ae4275b7f1694.exe
"C:\Users\Admin\AppData\Local\Temp\4d73339049bb1d49414ae4275b7f1694.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4728
- C:\Users\Admin\AppData\Local\Temp\4d73339049bb1d49414ae4275b7f1694.exe
  C:\Users\Admin\AppData\Local\Temp\4d73339049bb1d49414ae4275b7f1694.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:4660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4d73339049bb1d49414ae4275b7f1694.exe

Filesize
71KB

MD5
727bce16fa77769debfc4865d264dc00

SHA1
bd391df486e1451b1c0cc09646c84a740e8e832a

SHA256
6f3251918c775f66f1c8f65bbabfd11a65706f158323c17bc08a59ddda87e2bc

SHA512
d6754f1ee38997b1e99f88e9a6daa07a843e687a5f6b1956f138905356e68d5f52514d1e87f4b81dca01952e32a0769590ddf4fd0d7840a01e0c9e530b4cd7d2

Download Submit
memory/4660-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4660-16-0x00000000015A0000-0x0000000001606000-memory.dmp

Filesize
408KB

Download
memory/4660-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4660-20-0x0000000004EE0000-0x0000000004F3F000-memory.dmp

Filesize
380KB

Download
memory/4660-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4660-31-0x000000000B600000-0x000000000B63C000-memory.dmp

Filesize
240KB

Download
memory/4660-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4728-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4728-1-0x00000000014D0000-0x0000000001536000-memory.dmp

Filesize
408KB

Download
memory/4728-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4728-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download