9fc14e6546430aa5566e3953d9aade59e7c659c026b7046a4de4da61590e477e

Analysis

max time kernel
146s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13/01/2024, 15:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

59126b9999716620a88cdce1f97e4836.exe
Size

385KB
MD5

59126b9999716620a88cdce1f97e4836
SHA1

c70e2d84bcc308215b895e4e435faee3bc2baa46
SHA256

9fc14e6546430aa5566e3953d9aade59e7c659c026b7046a4de4da61590e477e
SHA512

18bed4ed826550a12d221bc72173ed8ca8b333a0f3cfa9e30b2be0b03d3e19431fd7cd12cfb361fb55c92dde88d9fbdea61fc5a3c7a90b156c25950a749b7245
SSDEEP

12288:/skT+PnBdVmady5cZ2p9vUfoc5hHlhPisjB:/+/nBgce9ve97isjB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4684	59126b9999716620a88cdce1f97e4836.exe

Executes dropped EXE 1 IoCs

pid	Process
4684	59126b9999716620a88cdce1f97e4836.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4820	59126b9999716620a88cdce1f97e4836.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4820	59126b9999716620a88cdce1f97e4836.exe
4684	59126b9999716620a88cdce1f97e4836.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4820 wrote to memory of 4684	4820	59126b9999716620a88cdce1f97e4836.exe	89
PID 4820 wrote to memory of 4684	4820	59126b9999716620a88cdce1f97e4836.exe	89
PID 4820 wrote to memory of 4684	4820	59126b9999716620a88cdce1f97e4836.exe	89

C:\Users\Admin\AppData\Local\Temp\59126b9999716620a88cdce1f97e4836.exe
"C:\Users\Admin\AppData\Local\Temp\59126b9999716620a88cdce1f97e4836.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4820
- C:\Users\Admin\AppData\Local\Temp\59126b9999716620a88cdce1f97e4836.exe
  C:\Users\Admin\AppData\Local\Temp\59126b9999716620a88cdce1f97e4836.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:4684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\59126b9999716620a88cdce1f97e4836.exe

Filesize
385KB

MD5
abfbb6795a379e727cdc3fc25ccc0649

SHA1
8191bd611e829cbec0c7f30ae8fb71c32ca4e29a

SHA256
021ef387f70f771248cbed4cce4b83eedc9111e7837476cfb2304cc9c60efd20

SHA512
5a8bc538a1063ad2b7b0ed56e92e3f068fe9216c114374ac63020df54f5e8b734a56f1bbfc27fcabd329f3dbfd3ac85b8439375f98dc13a4680b2c7d70096b87

Download Submit
memory/4684-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4684-16-0x00000000015E0000-0x0000000001646000-memory.dmp

Filesize
408KB

Download
memory/4684-20-0x0000000004ED0000-0x0000000004F2F000-memory.dmp

Filesize
380KB

Download
memory/4684-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4684-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4684-34-0x000000000B600000-0x000000000B63C000-memory.dmp

Filesize
240KB

Download
memory/4684-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4820-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4820-1-0x0000000001600000-0x0000000001666000-memory.dmp

Filesize
408KB

Download
memory/4820-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4820-12-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download