56fce36bfab7bb62a96d7aae9312b1b096ee07d7f3fa15eb8aa55b290cb00bf0

Analysis

max time kernel
150s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12/01/2024, 08:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

56017a5cd35eb55c433634478af2992d.exe
Size

1.5MB
MD5

56017a5cd35eb55c433634478af2992d
SHA1

e65083fcdccbe78d22fee967b098aa40e61816f4
SHA256

56fce36bfab7bb62a96d7aae9312b1b096ee07d7f3fa15eb8aa55b290cb00bf0
SHA512

445e4057d893f74aadec3bd880546555d3b6ba80abe7338c3685d4e78b27eacc40d87fe1fca1defac8a487d37e9bd471a3d3b56c61959842eae3d0661f80d351
SSDEEP

24576:ITKrfd5pCX0fdwb10hJaothZ2/T6FBBTqnZ8nUPDmb10hJaothZ2/T6FBBT:IslxfdC/ofNqnSnoM/ofp

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1528	56017a5cd35eb55c433634478af2992d.exe

Executes dropped EXE 1 IoCs

pid	Process
1528	56017a5cd35eb55c433634478af2992d.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3488	56017a5cd35eb55c433634478af2992d.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3488	56017a5cd35eb55c433634478af2992d.exe
1528	56017a5cd35eb55c433634478af2992d.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3488 wrote to memory of 1528	3488	56017a5cd35eb55c433634478af2992d.exe	90
PID 3488 wrote to memory of 1528	3488	56017a5cd35eb55c433634478af2992d.exe	90
PID 3488 wrote to memory of 1528	3488	56017a5cd35eb55c433634478af2992d.exe	90

C:\Users\Admin\AppData\Local\Temp\56017a5cd35eb55c433634478af2992d.exe
"C:\Users\Admin\AppData\Local\Temp\56017a5cd35eb55c433634478af2992d.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3488
- C:\Users\Admin\AppData\Local\Temp\56017a5cd35eb55c433634478af2992d.exe
  C:\Users\Admin\AppData\Local\Temp\56017a5cd35eb55c433634478af2992d.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\56017a5cd35eb55c433634478af2992d.exe

Filesize
1.5MB

MD5
02bc3412864fdccc505ccb95d922491b

SHA1
d0a2d049c01c39556738e40a1cb21ac1843db3b2

SHA256
077955ec4aaf71d61f505179c45d9e7a22b51574d37a22d9bba3190e1f317241

SHA512
73a25880dfb0cf6064c47eaba7c707f894d0675cb4c33e93932c5126970f8d4575cc2db9e4b82278708f9cf6cc320d8f30d3355cc95359ecccf45e99f1abd492

Download Submit
memory/1528-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1528-15-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/1528-20-0x0000000001610000-0x000000000166F000-memory.dmp

Filesize
380KB

Download
memory/1528-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1528-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1528-35-0x000000000C640000-0x000000000C67C000-memory.dmp

Filesize
240KB

Download
memory/1528-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3488-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3488-1-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/3488-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3488-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download