dea629be4857209a3a50ae870d22b93ca8e4692bd2af52d2d70cf7cfdfced664

Analysis

max time kernel
140s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
11/01/2024, 14:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53ca800aa9a8804ae4d697fb3818901e.exe
Size

385KB
MD5

53ca800aa9a8804ae4d697fb3818901e
SHA1

28d79bb42f74672f0b9c5b98ac1491bcf87e8558
SHA256

dea629be4857209a3a50ae870d22b93ca8e4692bd2af52d2d70cf7cfdfced664
SHA512

1cb10af85ad92ebb143f6a7d743c13398f469f8f42d30f6c60233615030a80972d1884abdaceb8f5df19d2562c651352b28f447a7f9663b701896d3c46902666
SSDEEP

6144:NwBGsDyBa2leh+R0u67vdV2ROhJ1oMWbqQvH17KdBUfhi+XpVGj0WArlCoe5B:NwdZzCV6HB31xWzedyT2jzws5B

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1216	53ca800aa9a8804ae4d697fb3818901e.exe

Executes dropped EXE 1 IoCs

pid	Process
1216	53ca800aa9a8804ae4d697fb3818901e.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4528	53ca800aa9a8804ae4d697fb3818901e.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4528	53ca800aa9a8804ae4d697fb3818901e.exe
1216	53ca800aa9a8804ae4d697fb3818901e.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4528 wrote to memory of 1216	4528	53ca800aa9a8804ae4d697fb3818901e.exe	88
PID 4528 wrote to memory of 1216	4528	53ca800aa9a8804ae4d697fb3818901e.exe	88
PID 4528 wrote to memory of 1216	4528	53ca800aa9a8804ae4d697fb3818901e.exe	88

C:\Users\Admin\AppData\Local\Temp\53ca800aa9a8804ae4d697fb3818901e.exe
"C:\Users\Admin\AppData\Local\Temp\53ca800aa9a8804ae4d697fb3818901e.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4528
- C:\Users\Admin\AppData\Local\Temp\53ca800aa9a8804ae4d697fb3818901e.exe
  C:\Users\Admin\AppData\Local\Temp\53ca800aa9a8804ae4d697fb3818901e.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\53ca800aa9a8804ae4d697fb3818901e.exe

Filesize
385KB

MD5
b9d3164c55370a6d6dd3d6b99fb719a7

SHA1
662be9f3db71a6d63662be4cd519a4f5b31c42da

SHA256
edbc81f986a7fa7dd5fbc10267b3b79cc42eae9901c4c8ffc488cdf3e7ea817a

SHA512
a09681605f8f25d6dd244068daa57fe74f417c565c8301c24ab706db1762e75d367083d396657189588383ac75899346350f5895bb728f024ec0975903756f6c

Download Submit
memory/1216-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1216-15-0x0000000000190000-0x00000000001F6000-memory.dmp

Filesize
408KB

Download
memory/1216-20-0x0000000004F20000-0x0000000004F7F000-memory.dmp

Filesize
380KB

Download
memory/1216-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1216-34-0x000000000C620000-0x000000000C65C000-memory.dmp

Filesize
240KB

Download
memory/1216-32-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1216-38-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4528-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4528-1-0x00000000014D0000-0x0000000001536000-memory.dmp

Filesize
408KB

Download
memory/4528-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4528-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download