918a6b486ff6f08d02cabe08520ae6f4a83f31edbb56ee0256d70940acea5c10

Analysis

max time kernel
157s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13/01/2024, 12:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

58e4fdba8a2178eb8509841de4f33e37.exe
Size

385KB
MD5

58e4fdba8a2178eb8509841de4f33e37
SHA1

3890a22ccf39e4f93b4e0475020268c0eb3caa39
SHA256

918a6b486ff6f08d02cabe08520ae6f4a83f31edbb56ee0256d70940acea5c10
SHA512

d83709257dabd9b1f1b4fab1e994d7503ecb8f63d0e672e348d11aa602ee2e6a3663cf1a70471200bed2120f0d514e092631625405a2419bc9f8d0cf06e72d7d
SSDEEP

6144:x6rOl8ljNA4fYp2CyNS2wVpz2JYtL0yUuF09/HC/9hO5lHblohzIXNpy7B:x6OlS8hpSs5UkjfO5lHbYqIB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
5028	58e4fdba8a2178eb8509841de4f33e37.exe

Executes dropped EXE 1 IoCs

pid	Process
5028	58e4fdba8a2178eb8509841de4f33e37.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2316	58e4fdba8a2178eb8509841de4f33e37.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2316	58e4fdba8a2178eb8509841de4f33e37.exe
5028	58e4fdba8a2178eb8509841de4f33e37.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 5028	2316	58e4fdba8a2178eb8509841de4f33e37.exe	87
PID 2316 wrote to memory of 5028	2316	58e4fdba8a2178eb8509841de4f33e37.exe	87
PID 2316 wrote to memory of 5028	2316	58e4fdba8a2178eb8509841de4f33e37.exe	87

C:\Users\Admin\AppData\Local\Temp\58e4fdba8a2178eb8509841de4f33e37.exe
"C:\Users\Admin\AppData\Local\Temp\58e4fdba8a2178eb8509841de4f33e37.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Users\Admin\AppData\Local\Temp\58e4fdba8a2178eb8509841de4f33e37.exe
  C:\Users\Admin\AppData\Local\Temp\58e4fdba8a2178eb8509841de4f33e37.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:5028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\58e4fdba8a2178eb8509841de4f33e37.exe

Filesize
385KB

MD5
8f6d97e496462ffca70eb1b58f692975

SHA1
df95056383b40a2128917ed9e9eb06fa56c20624

SHA256
11471db15270350d7cfc8790eac406d3bd0c00e746980fb2349132575bfd8286

SHA512
b6c9efb3e9c05b4df96416372554f01c338d7e3c735388ed58d38600aabbef90a338fdb251eab96c9b02d2574fdc705262beb5e743c69c7ddddf00a32101772a

Download Submit
memory/2316-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2316-1-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/2316-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2316-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/5028-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/5028-14-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/5028-20-0x0000000001600000-0x000000000165F000-memory.dmp

Filesize
380KB

Download
memory/5028-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5028-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/5028-35-0x000000000B600000-0x000000000B63C000-memory.dmp

Filesize
240KB

Download
memory/5028-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download