7a553f600b66cec9f25489890bec7c310950de1f188b4a6b646c2929e09f5fc1

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13/01/2024, 20:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59651299a440700c2aac29ff98182cf8.exe
Size

907KB
MD5

59651299a440700c2aac29ff98182cf8
SHA1

0068f715a68fa1355d82f705aedab288004be970
SHA256

7a553f600b66cec9f25489890bec7c310950de1f188b4a6b646c2929e09f5fc1
SHA512

9e1376623e291d532027b4ddbb3dd325c482a0fc3e617b94be6e2b714364f909b85261bb9922182a9b56351f0f2d3c309ebd06a80847ba598258fb1bb4f326f3
SSDEEP

24576:Aqq4/mqaIVKdVgX0n/Uv85Zok6DAiQG1/jwI/a/ZS1:Vbe2VKdVMw/Uv85mtdQGRjr/gS

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3952	59651299a440700c2aac29ff98182cf8.exe

Executes dropped EXE 1 IoCs

pid	Process
3952	59651299a440700c2aac29ff98182cf8.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4144	59651299a440700c2aac29ff98182cf8.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4144	59651299a440700c2aac29ff98182cf8.exe
3952	59651299a440700c2aac29ff98182cf8.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4144 wrote to memory of 3952	4144	59651299a440700c2aac29ff98182cf8.exe	90
PID 4144 wrote to memory of 3952	4144	59651299a440700c2aac29ff98182cf8.exe	90
PID 4144 wrote to memory of 3952	4144	59651299a440700c2aac29ff98182cf8.exe	90

C:\Users\Admin\AppData\Local\Temp\59651299a440700c2aac29ff98182cf8.exe
"C:\Users\Admin\AppData\Local\Temp\59651299a440700c2aac29ff98182cf8.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4144
- C:\Users\Admin\AppData\Local\Temp\59651299a440700c2aac29ff98182cf8.exe
  C:\Users\Admin\AppData\Local\Temp\59651299a440700c2aac29ff98182cf8.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:3952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\59651299a440700c2aac29ff98182cf8.exe

Filesize
147KB

MD5
89941da9d3f1656531fbaab4de077bb0

SHA1
9375c8ef6f14f0d585834aaec573165c1f1e8655

SHA256
dcd5513cca7384370319c1794f215749ef1dd0dff637fda2b53d901a8db767fe

SHA512
edd12a77080ac4fde37d101a609e2c2d2b3fe7a612b4932034f85ba321f5640825ff89b4b25760a02c1ce12388f4ec4765e3d9f5a78819da2f5990e9565156f0

Download Submit
memory/3952-14-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/3952-15-0x0000000001630000-0x0000000001718000-memory.dmp

Filesize
928KB

Download
memory/3952-21-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/3952-20-0x0000000005180000-0x000000000523B000-memory.dmp

Filesize
748KB

Download
memory/3952-30-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3952-32-0x000000000B800000-0x000000000B898000-memory.dmp

Filesize
608KB

Download
memory/4144-0-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/4144-1-0x0000000001700000-0x00000000017E8000-memory.dmp

Filesize
928KB

Download
memory/4144-2-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/4144-12-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download