c8ddd19732267bf72f6b8ce59d6977dce9acbe4f3534b4b554fa3f1f45833769

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
12/01/2024, 10:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

562b2bec6855d6ec61ff1e6218c48de4.exe
Size

385KB
MD5

562b2bec6855d6ec61ff1e6218c48de4
SHA1

806d2cba2c32d1562f5c0d6a8a952092a018b144
SHA256

c8ddd19732267bf72f6b8ce59d6977dce9acbe4f3534b4b554fa3f1f45833769
SHA512

d1d255806766630b558511f6fd767c2b1d7564a28e8fd4feef5d61d1c9e13510f5ebff1b67df71b097d73c2fb2e82b78f92ae0cd3dd5bd0cc3ef1be78369ea74
SSDEEP

12288:sgef29ChD/jb8Mv1u5/B7uHb5ashTq/S75B:xH9Chz/LcJ765/hTeSVB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4232	562b2bec6855d6ec61ff1e6218c48de4.exe

Executes dropped EXE 1 IoCs

pid	Process
4232	562b2bec6855d6ec61ff1e6218c48de4.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3796	562b2bec6855d6ec61ff1e6218c48de4.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3796	562b2bec6855d6ec61ff1e6218c48de4.exe
4232	562b2bec6855d6ec61ff1e6218c48de4.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3796 wrote to memory of 4232	3796	562b2bec6855d6ec61ff1e6218c48de4.exe	87
PID 3796 wrote to memory of 4232	3796	562b2bec6855d6ec61ff1e6218c48de4.exe	87
PID 3796 wrote to memory of 4232	3796	562b2bec6855d6ec61ff1e6218c48de4.exe	87

C:\Users\Admin\AppData\Local\Temp\562b2bec6855d6ec61ff1e6218c48de4.exe
"C:\Users\Admin\AppData\Local\Temp\562b2bec6855d6ec61ff1e6218c48de4.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3796
- C:\Users\Admin\AppData\Local\Temp\562b2bec6855d6ec61ff1e6218c48de4.exe
  C:\Users\Admin\AppData\Local\Temp\562b2bec6855d6ec61ff1e6218c48de4.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:4232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\562b2bec6855d6ec61ff1e6218c48de4.exe

Filesize
64KB

MD5
11ae07c368bf479e6a2d3e3240469353

SHA1
337ffaf705a7b996de0f407cac4a7c6a1c44e277

SHA256
c0570c2e9989dd5ce8c9b7e8a86cd3cfae1a15a3a0495f25922fd3649f53e241

SHA512
e2b153647e08179beb958f5212269a8041b0874c824cfbe9620b33c76f638d5090e4089413b38a80ef942c2d0408f5386006ad5d1fc49f784b886ad76398fb2b

Download Submit
memory/3796-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3796-1-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/3796-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3796-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4232-20-0x0000000004EB0000-0x0000000004F0F000-memory.dmp

Filesize
380KB

Download
memory/4232-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4232-14-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4232-15-0x0000000000180000-0x00000000001E6000-memory.dmp

Filesize
408KB

Download
memory/4232-36-0x000000000B600000-0x000000000B63C000-memory.dmp

Filesize
240KB

Download
memory/4232-35-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4232-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4232-37-0x000000000B600000-0x000000000B63C000-memory.dmp

Filesize
240KB

Download