d7d72047668dcb2ee52cff4c42b050ada846c97d2e69da7ddabe5bbdb5b4d597

Analysis

max time kernel
143s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13/01/2024, 15:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59049a69869e45e5782ac8bd309b3194.exe
Size

385KB
MD5

59049a69869e45e5782ac8bd309b3194
SHA1

10907a3ef574742ff0937d6ad54078d9d1b2f755
SHA256

d7d72047668dcb2ee52cff4c42b050ada846c97d2e69da7ddabe5bbdb5b4d597
SHA512

cce90a12699794197f8fa27cf5068ebd88dec349766f0e464ce8c6a65fb3fea5dfec49451779ebd3511a8f872a9b5e0b55c4aea557ad6571534ff70ea529faa7
SSDEEP

6144:uGZV5ZuP8uWRLNe2dxZ0SIt3B6rsuprW3j723Cj9WliXr1g7BHLimB:DTruPa5e2dxZGB7ziCMl21g9H2mB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3720	59049a69869e45e5782ac8bd309b3194.exe

Executes dropped EXE 1 IoCs

pid	Process
3720	59049a69869e45e5782ac8bd309b3194.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4580	59049a69869e45e5782ac8bd309b3194.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4580	59049a69869e45e5782ac8bd309b3194.exe
3720	59049a69869e45e5782ac8bd309b3194.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4580 wrote to memory of 3720	4580	59049a69869e45e5782ac8bd309b3194.exe	88
PID 4580 wrote to memory of 3720	4580	59049a69869e45e5782ac8bd309b3194.exe	88
PID 4580 wrote to memory of 3720	4580	59049a69869e45e5782ac8bd309b3194.exe	88

C:\Users\Admin\AppData\Local\Temp\59049a69869e45e5782ac8bd309b3194.exe
"C:\Users\Admin\AppData\Local\Temp\59049a69869e45e5782ac8bd309b3194.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4580
- C:\Users\Admin\AppData\Local\Temp\59049a69869e45e5782ac8bd309b3194.exe
  C:\Users\Admin\AppData\Local\Temp\59049a69869e45e5782ac8bd309b3194.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:3720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\59049a69869e45e5782ac8bd309b3194.exe

Filesize
385KB

MD5
a828022c693f0161fb03f0769eb4f57f

SHA1
feb8417f0fe966be16b2edfebc0bd9a882e57473

SHA256
5ed76ef1eb237bec185e66d149fb32b086e0a78e76ecf1317ac63fb4df1ea92d

SHA512
fea8da1bcd2a5e43770c2c068a3a1b20f135a4852a425a2ce164888061e78238697a9cb6696011d1236b6f035cdd2c31056f1bb8c6be36363f09a1d8b0facdad

Download Submit
memory/3720-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3720-14-0x0000000001640000-0x00000000016A6000-memory.dmp

Filesize
408KB

Download
memory/3720-20-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3720-21-0x0000000004E90000-0x0000000004EEF000-memory.dmp

Filesize
380KB

Download
memory/3720-32-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3720-34-0x000000000B620000-0x000000000B65C000-memory.dmp

Filesize
240KB

Download
memory/3720-38-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4580-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4580-1-0x0000000001610000-0x0000000001676000-memory.dmp

Filesize
408KB

Download
memory/4580-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4580-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download