b90718d8bddbcc9b4acbbcc7b8732d0f7f424a065b29a78545a741636d1ee877

Analysis

max time kernel
146s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
10/01/2024, 05:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4fb8238392f5620233751ecde4092b84.exe
Size

771KB
MD5

4fb8238392f5620233751ecde4092b84
SHA1

08bc114fff86109bbb4169ca4ac1eb770a9bf680
SHA256

b90718d8bddbcc9b4acbbcc7b8732d0f7f424a065b29a78545a741636d1ee877
SHA512

f3c29ed8755419781df04cc61f435e48c4079d478bc5a1bba81b58a00b60ace0deeddad2f09c8ddd95eb1582ccf4e652f34cc4203f989462d95dbd12b599ae8f
SSDEEP

24576:ixuoMBMIdW+xD0I6hRozTCPtb10hJaothZ2/T6FBBB:ixuoMBMIdt0I6hRKTKB/ofT

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3904	4fb8238392f5620233751ecde4092b84.exe

Executes dropped EXE 1 IoCs

pid	Process
3904	4fb8238392f5620233751ecde4092b84.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4996	4fb8238392f5620233751ecde4092b84.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4996	4fb8238392f5620233751ecde4092b84.exe
3904	4fb8238392f5620233751ecde4092b84.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4996 wrote to memory of 3904	4996	4fb8238392f5620233751ecde4092b84.exe	90
PID 4996 wrote to memory of 3904	4996	4fb8238392f5620233751ecde4092b84.exe	90
PID 4996 wrote to memory of 3904	4996	4fb8238392f5620233751ecde4092b84.exe	90

C:\Users\Admin\AppData\Local\Temp\4fb8238392f5620233751ecde4092b84.exe
"C:\Users\Admin\AppData\Local\Temp\4fb8238392f5620233751ecde4092b84.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4996
- C:\Users\Admin\AppData\Local\Temp\4fb8238392f5620233751ecde4092b84.exe
  C:\Users\Admin\AppData\Local\Temp\4fb8238392f5620233751ecde4092b84.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:3904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4fb8238392f5620233751ecde4092b84.exe

Filesize
28KB

MD5
dfe5e4d39413bad7be37668bbbdeb172

SHA1
c11c4b4eb7a14a3cf144c5437a66a9b96e3b7b5c

SHA256
b8d2d5260d6610705c49b8814407f821b51ffa7436592ded5b35fe75d835bc71

SHA512
47da1d139b737a9c4daec9a727a370310a9ab694b90885ace379bf3d4771642353724decf8bf315e7543aed03ee43ca39c8b90f5ca61e6da0b4f92223d783b19

Download Submit
memory/3904-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3904-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3904-20-0x00000000015F0000-0x000000000164F000-memory.dmp

Filesize
380KB

Download
memory/3904-15-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/3904-32-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3904-35-0x000000000C620000-0x000000000C65C000-memory.dmp

Filesize
240KB

Download
memory/3904-38-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4996-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4996-1-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/4996-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4996-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download