35611dc0b8e0269ae1c7514d3e01b4062f25ca4696a1df6b25968b02c1dc9ed9

Analysis

max time kernel
149s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
11/01/2024, 07:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

52f8315ab67e3cfd04edf48a27ae5930.exe
Size

385KB
MD5

52f8315ab67e3cfd04edf48a27ae5930
SHA1

a6cc430308f46bcdac589ae042bae0eb4867d0cc
SHA256

35611dc0b8e0269ae1c7514d3e01b4062f25ca4696a1df6b25968b02c1dc9ed9
SHA512

a2e75aeaf64a4c4535560c7859eccbefc86d91cc381e72973d3e04d7f98ee57a36ff546bb44865f7b3f69337333381ea39aead280837d17207da93ead0ab1869
SSDEEP

6144:I6VkulSuWcUVvQGGa6yXQVY/5Py72p8f2e8EWYR3YG1bLUxR2tram36B:IWk1lzpQGaW5Py72c29cIG1sxiP36B

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3856	52f8315ab67e3cfd04edf48a27ae5930.exe

Executes dropped EXE 1 IoCs

pid	Process
3856	52f8315ab67e3cfd04edf48a27ae5930.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2040	52f8315ab67e3cfd04edf48a27ae5930.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2040	52f8315ab67e3cfd04edf48a27ae5930.exe
3856	52f8315ab67e3cfd04edf48a27ae5930.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 3856	2040	52f8315ab67e3cfd04edf48a27ae5930.exe	91
PID 2040 wrote to memory of 3856	2040	52f8315ab67e3cfd04edf48a27ae5930.exe	91
PID 2040 wrote to memory of 3856	2040	52f8315ab67e3cfd04edf48a27ae5930.exe	91

C:\Users\Admin\AppData\Local\Temp\52f8315ab67e3cfd04edf48a27ae5930.exe
"C:\Users\Admin\AppData\Local\Temp\52f8315ab67e3cfd04edf48a27ae5930.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Users\Admin\AppData\Local\Temp\52f8315ab67e3cfd04edf48a27ae5930.exe
  C:\Users\Admin\AppData\Local\Temp\52f8315ab67e3cfd04edf48a27ae5930.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:3856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\52f8315ab67e3cfd04edf48a27ae5930.exe

Filesize
385KB

MD5
a5b6f56cc96df84b34a64e9f6b316c0e

SHA1
72776da727e56e5331322804a77a6c4d899e6808

SHA256
938dbd49a214de5a71cf1cae1b7416fdfd4d28a99fc051400d3cd0839fc40e4f

SHA512
f1f4f27f8865d6ff89e65b3ec5939d296a25332bf0e232098a8e136706a9cf07494937f0f84c4b3e415c60154ddce2cb0666d2f140610ba34e80940a29e12aa4

Download Submit
memory/2040-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2040-1-0x0000000000180000-0x00000000001E6000-memory.dmp

Filesize
408KB

Download
memory/2040-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2040-12-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3856-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3856-14-0x00000000014D0000-0x0000000001536000-memory.dmp

Filesize
408KB

Download
memory/3856-20-0x0000000004E80000-0x0000000004EDF000-memory.dmp

Filesize
380KB

Download
memory/3856-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3856-31-0x000000000C640000-0x000000000C67C000-memory.dmp

Filesize
240KB

Download
memory/3856-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3856-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download