0f1a7b6bd4393dda8a9fbcffa0fc1a8d0f6578cc721b8eaa119754634cb9e88a

Analysis

max time kernel
136s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
14/01/2024, 02:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a060e4d25aefd606515fc954e4383ff.exe
Size

385KB
MD5

5a060e4d25aefd606515fc954e4383ff
SHA1

ca64a2e4ef9a0466c4f82e8c935f3c2750e69d7f
SHA256

0f1a7b6bd4393dda8a9fbcffa0fc1a8d0f6578cc721b8eaa119754634cb9e88a
SHA512

8b5d8031d6d020838dce6fa05d452ecd93a77bddeb8072c8d54c1fe15e7d9187c12b7f7556986ffeb0c8e44593e07cac947de54765a0b0578dbe229494830565
SSDEEP

6144:u//Rzaoq/zfOqwxatODpljnc3H9vydvK29LEEl3yMhUb6kTceFZIT//AuPVB:upa5zfOqcKO03Nugk3yggFZv8B

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
996	5a060e4d25aefd606515fc954e4383ff.exe

Executes dropped EXE 1 IoCs

pid	Process
996	5a060e4d25aefd606515fc954e4383ff.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4208	5a060e4d25aefd606515fc954e4383ff.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4208	5a060e4d25aefd606515fc954e4383ff.exe
996	5a060e4d25aefd606515fc954e4383ff.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4208 wrote to memory of 996	4208	5a060e4d25aefd606515fc954e4383ff.exe	18
PID 4208 wrote to memory of 996	4208	5a060e4d25aefd606515fc954e4383ff.exe	18
PID 4208 wrote to memory of 996	4208	5a060e4d25aefd606515fc954e4383ff.exe	18

C:\Users\Admin\AppData\Local\Temp\5a060e4d25aefd606515fc954e4383ff.exe
"C:\Users\Admin\AppData\Local\Temp\5a060e4d25aefd606515fc954e4383ff.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4208
- C:\Users\Admin\AppData\Local\Temp\5a060e4d25aefd606515fc954e4383ff.exe
  C:\Users\Admin\AppData\Local\Temp\5a060e4d25aefd606515fc954e4383ff.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5a060e4d25aefd606515fc954e4383ff.exe

Filesize
96KB

MD5
53461a85d5ec8bd46b67e8917d75cdcc

SHA1
d022331f981283367b27c90e01137fbd5874111a

SHA256
fcc45c8a82b1811170b21becaa738637708e55437f0129e7892ca9435bcd7f6c

SHA512
e2bb18248eec5c301c204b9f9f0ff22ef958f8604e9458a078a58eb916570d163cef4e10fbd4a5a9896eb756b6b7580bd22e499aaabe92caadbff9f0d25b55e1

Download Submit
memory/996-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/996-15-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/996-21-0x0000000001600000-0x000000000165F000-memory.dmp

Filesize
380KB

Download
memory/996-20-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/996-34-0x000000000C620000-0x000000000C65C000-memory.dmp

Filesize
240KB

Download
memory/996-38-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/996-32-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4208-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4208-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4208-1-0x00000000014D0000-0x0000000001536000-memory.dmp

Filesize
408KB

Download
memory/4208-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download