6aebb1bd30a44d60aa0da63cdfa40100354d1cef47d182383acf73e317389be9

Analysis

max time kernel
163s
max time network
184s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
09/01/2024, 15:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4e9f59442ae1ccbc94aa2c0d41b067f8.exe
Size

771KB
MD5

4e9f59442ae1ccbc94aa2c0d41b067f8
SHA1

100108e9fbba2c9108687e732c839b07eccf4235
SHA256

6aebb1bd30a44d60aa0da63cdfa40100354d1cef47d182383acf73e317389be9
SHA512

9d0b86d705ef12fe7bfebe2f8fb3bf1317a53e2bf7a978e8ebdf5a20adf8debef577a259fad6b709f7bff7cdebbaa69520604411e303ad9b6dea9e28c877146b
SSDEEP

12288:thonvAlJ8msO75HjoqJtCVb10VHmDXTuFaa2AtyGTKOF25ZoJJyhRge8BpH9PVB:tOvAb99joqKVb10hJaothZ2/T6FBBB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2660	4e9f59442ae1ccbc94aa2c0d41b067f8.exe

Executes dropped EXE 1 IoCs

pid	Process
2660	4e9f59442ae1ccbc94aa2c0d41b067f8.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2060	4e9f59442ae1ccbc94aa2c0d41b067f8.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2060	4e9f59442ae1ccbc94aa2c0d41b067f8.exe
2660	4e9f59442ae1ccbc94aa2c0d41b067f8.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 2660	2060	4e9f59442ae1ccbc94aa2c0d41b067f8.exe	87
PID 2060 wrote to memory of 2660	2060	4e9f59442ae1ccbc94aa2c0d41b067f8.exe	87
PID 2060 wrote to memory of 2660	2060	4e9f59442ae1ccbc94aa2c0d41b067f8.exe	87

C:\Users\Admin\AppData\Local\Temp\4e9f59442ae1ccbc94aa2c0d41b067f8.exe
"C:\Users\Admin\AppData\Local\Temp\4e9f59442ae1ccbc94aa2c0d41b067f8.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Users\Admin\AppData\Local\Temp\4e9f59442ae1ccbc94aa2c0d41b067f8.exe
  C:\Users\Admin\AppData\Local\Temp\4e9f59442ae1ccbc94aa2c0d41b067f8.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4e9f59442ae1ccbc94aa2c0d41b067f8.exe

Filesize
771KB

MD5
40e0c8fcc760116999da449958da8c33

SHA1
9301bc8282df6d6a156bd92a21b7117271fe00bc

SHA256
bb6e45573ae9d75e1e5b5cd62f755f061ad7bcba4f541831efeabcad11846301

SHA512
e067bddcccff1d7de434f4581365197f952b0f973c3cae365917babab0fca23e1b94d44d320b273bb0fdc8b24beeec3ac624107b717c769c756827e7cd7ad9af

Download Submit
memory/2060-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2060-1-0x00000000015A0000-0x0000000001606000-memory.dmp

Filesize
408KB

Download
memory/2060-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2060-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2660-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2660-16-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/2660-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2660-20-0x0000000004ED0000-0x0000000004F2F000-memory.dmp

Filesize
380KB

Download
memory/2660-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2660-33-0x000000000B600000-0x000000000B63C000-memory.dmp

Filesize
240KB

Download
memory/2660-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download