c14394b59c875b7ec19feb2ea74d80ef51b3e2d7280d7f4aa61bf936aebb45c6

Analysis

max time kernel
134s
max time network
178s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13/01/2024, 03:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

57e94459d9acf66fec85505241b43b1e.exe
Size

385KB
MD5

57e94459d9acf66fec85505241b43b1e
SHA1

8ca7c3842033db2da89dd06238e9cc7a2b86dc0a
SHA256

c14394b59c875b7ec19feb2ea74d80ef51b3e2d7280d7f4aa61bf936aebb45c6
SHA512

577128de9b832e3de87cd1304e270f7a3ed7bfc348c1ef3e141526c2b66457d8f4defdde7c8e34b3df86026f901acba4d0c8dd0459f720761dac0b30b1ac3f3a
SSDEEP

6144:8prUCaOyZszfHbIPDpyPEqKRhGaJDeAsHrnFnmABtu9n1/TUggV81WjbPJxhqRum:8pjaOyyf7IF4KRh3JbAD6nVw3YWJDGtB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
324	57e94459d9acf66fec85505241b43b1e.exe

Executes dropped EXE 1 IoCs

pid	Process
324	57e94459d9acf66fec85505241b43b1e.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3180	57e94459d9acf66fec85505241b43b1e.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3180	57e94459d9acf66fec85505241b43b1e.exe
324	57e94459d9acf66fec85505241b43b1e.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3180 wrote to memory of 324	3180	57e94459d9acf66fec85505241b43b1e.exe	88
PID 3180 wrote to memory of 324	3180	57e94459d9acf66fec85505241b43b1e.exe	88
PID 3180 wrote to memory of 324	3180	57e94459d9acf66fec85505241b43b1e.exe	88

C:\Users\Admin\AppData\Local\Temp\57e94459d9acf66fec85505241b43b1e.exe
"C:\Users\Admin\AppData\Local\Temp\57e94459d9acf66fec85505241b43b1e.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3180
- C:\Users\Admin\AppData\Local\Temp\57e94459d9acf66fec85505241b43b1e.exe
  C:\Users\Admin\AppData\Local\Temp\57e94459d9acf66fec85505241b43b1e.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\57e94459d9acf66fec85505241b43b1e.exe

Filesize
385KB

MD5
d6647475d07b1f94940d2ca06a72f57e

SHA1
2142e7494c53b8ec98321625d4b32b25c9d0e8c2

SHA256
cd2f8e94b4a5513505fbf5e4a5911ffb14a6c2a4913d00e69f53b1214786e9c3

SHA512
fb3a5e47491392701829eeb41b29603992a7fb7067d451d39faba9964b2181ff2d0309daf8bb788dd1c21e890a3cd2a322eecaa4843832efe3a8a73a11b4fcb9

Download Submit
memory/324-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/324-14-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/324-20-0x0000000004EA0000-0x0000000004EFF000-memory.dmp

Filesize
380KB

Download
memory/324-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/324-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/324-31-0x000000000C640000-0x000000000C67C000-memory.dmp

Filesize
240KB

Download
memory/324-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3180-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3180-1-0x00000000014D0000-0x0000000001536000-memory.dmp

Filesize
408KB

Download
memory/3180-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3180-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download