a2d3a8b2cb7808834385da79185bc1b54d686add46d161fdf398f11e3395276a

Analysis

max time kernel
151s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12-01-2024 03:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

55617546e835c8b3fc106f95d42337a3.exe
Size

385KB
MD5

55617546e835c8b3fc106f95d42337a3
SHA1

a78d572876affc71b47a621763dd05bfb5b23e4e
SHA256

a2d3a8b2cb7808834385da79185bc1b54d686add46d161fdf398f11e3395276a
SHA512

42ee231a40d686c59bab3acd06bb7106ef32557d11bbc66601316cc4b7ad650793f4e3498b9bc9aff51493ec1ac76a581423b265c9584437d50164371dee0b24
SSDEEP

6144:nZGa1E7kfAMC4rSrgRSvfqcz5QLOc3QFlsbs8tieFUFsWB:n245xRSVz5l6QFMsa5ssWB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1936	55617546e835c8b3fc106f95d42337a3.exe

Executes dropped EXE 1 IoCs

pid	Process
1936	55617546e835c8b3fc106f95d42337a3.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2128	55617546e835c8b3fc106f95d42337a3.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2128	55617546e835c8b3fc106f95d42337a3.exe
1936	55617546e835c8b3fc106f95d42337a3.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 1936	2128	55617546e835c8b3fc106f95d42337a3.exe	93
PID 2128 wrote to memory of 1936	2128	55617546e835c8b3fc106f95d42337a3.exe	93
PID 2128 wrote to memory of 1936	2128	55617546e835c8b3fc106f95d42337a3.exe	93

C:\Users\Admin\AppData\Local\Temp\55617546e835c8b3fc106f95d42337a3.exe
"C:\Users\Admin\AppData\Local\Temp\55617546e835c8b3fc106f95d42337a3.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Users\Admin\AppData\Local\Temp\55617546e835c8b3fc106f95d42337a3.exe
  C:\Users\Admin\AppData\Local\Temp\55617546e835c8b3fc106f95d42337a3.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\55617546e835c8b3fc106f95d42337a3.exe

Filesize
385KB

MD5
3ce9a707c6815797bd62145961f95c8d

SHA1
9d07d05e22db2712beb873b75da677ef9ffa5e39

SHA256
ed9991a66cea3571aa18c3a94abbcb745055a8a563bb4cc44276dfe532e2857b

SHA512
ac0abb9cee0fe55d7618d50cf8ed859ed7bcc55d2b419636e469b6f1b7f90e7bdd235479471b0e0b7ab515a8c8798ea182fcbc7adab5dd03f8cce2b540744256

Download Submit
memory/1936-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1936-15-0x0000000000180000-0x00000000001E6000-memory.dmp

Filesize
408KB

Download
memory/1936-20-0x0000000004EC0000-0x0000000004F1F000-memory.dmp

Filesize
380KB

Download
memory/1936-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1936-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1936-33-0x000000000C640000-0x000000000C67C000-memory.dmp

Filesize
240KB

Download
memory/1936-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2128-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2128-1-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/2128-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2128-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download