208fea7f3e9f7c7f19e906a74429ab025851e21b22444650316503ec197612d2

Analysis

max time kernel
172s
max time network
196s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
10/01/2024, 13:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

50be72cb1e50c5ad47204d6ce29cb80d.exe
Size

385KB
MD5

50be72cb1e50c5ad47204d6ce29cb80d
SHA1

8a6ef27a803ca4d1e38124daf1f0abc7fe9a1fc2
SHA256

208fea7f3e9f7c7f19e906a74429ab025851e21b22444650316503ec197612d2
SHA512

05aa3872611f1f1273b07a114df35598a87827afe890e68a3b4006f3bb8fe0f95c76fadf2ebbfc8d6cf1d78d5db20e459454dcbcfb7ef031619e2ae1d50c73cb
SSDEEP

12288:kaK1XwOW6LOvATybWIkpmlmiAD+03+Ys/FjMB:e1AOW6LOoTuWMmie+YUjMB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3480	50be72cb1e50c5ad47204d6ce29cb80d.exe

Executes dropped EXE 1 IoCs

pid	Process
3480	50be72cb1e50c5ad47204d6ce29cb80d.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1092	50be72cb1e50c5ad47204d6ce29cb80d.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1092	50be72cb1e50c5ad47204d6ce29cb80d.exe
3480	50be72cb1e50c5ad47204d6ce29cb80d.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1092 wrote to memory of 3480	1092	50be72cb1e50c5ad47204d6ce29cb80d.exe	90
PID 1092 wrote to memory of 3480	1092	50be72cb1e50c5ad47204d6ce29cb80d.exe	90
PID 1092 wrote to memory of 3480	1092	50be72cb1e50c5ad47204d6ce29cb80d.exe	90

C:\Users\Admin\AppData\Local\Temp\50be72cb1e50c5ad47204d6ce29cb80d.exe
"C:\Users\Admin\AppData\Local\Temp\50be72cb1e50c5ad47204d6ce29cb80d.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1092
- C:\Users\Admin\AppData\Local\Temp\50be72cb1e50c5ad47204d6ce29cb80d.exe
  C:\Users\Admin\AppData\Local\Temp\50be72cb1e50c5ad47204d6ce29cb80d.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:3480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\50be72cb1e50c5ad47204d6ce29cb80d.exe

Filesize
127KB

MD5
353e95ee3c6a9751646c7a1092355d86

SHA1
b4868678e883933b049c5a6cf5b1e54177f0a91b

SHA256
08459f5bec8e47736edfdc5e428224df1b7348068c0bf124661688cca7174728

SHA512
fd70500ccee576aaf446fe6a0d447758cb46f1b04ba05cbc361bde762a973c4e735f1e24553d7cd6ed31fea4ebd9bec1093f9f6fbb548a7788cea6e954793f64

Download Submit
memory/1092-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1092-1-0x00000000014D0000-0x0000000001536000-memory.dmp

Filesize
408KB

Download
memory/1092-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1092-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3480-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3480-15-0x0000000000180000-0x00000000001E6000-memory.dmp

Filesize
408KB

Download
memory/3480-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3480-20-0x0000000004E80000-0x0000000004EDF000-memory.dmp

Filesize
380KB

Download
memory/3480-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3480-32-0x000000000B600000-0x000000000B63C000-memory.dmp

Filesize
240KB

Download
memory/3480-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download