b9e872814fe2d4ec744a4352a68b241a73919af8e0130c571d544779af11819b

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
14/01/2024, 07:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a95d6c4120fc1fa4a6abfe8f3c6d1ad.exe
Size

385KB
MD5

5a95d6c4120fc1fa4a6abfe8f3c6d1ad
SHA1

6559eb45740d22de42cb92df4de54bee2826ada4
SHA256

b9e872814fe2d4ec744a4352a68b241a73919af8e0130c571d544779af11819b
SHA512

6e970e811ecd9a8256b01176ccbcd648c7b7f9b5c5ad1f5324f6b2917a58de01e1b22f4b8ede17453d9c73b764a455591144a0736f73d213df07e7ad31d30b03
SSDEEP

12288:VM80Zh8VE7kQ4d1PCcv/zSlNsmdv6LyvJA1B:KPkac3z6fdSL2IB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
464	5a95d6c4120fc1fa4a6abfe8f3c6d1ad.exe

Executes dropped EXE 1 IoCs

pid	Process
464	5a95d6c4120fc1fa4a6abfe8f3c6d1ad.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4668	5a95d6c4120fc1fa4a6abfe8f3c6d1ad.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4668	5a95d6c4120fc1fa4a6abfe8f3c6d1ad.exe
464	5a95d6c4120fc1fa4a6abfe8f3c6d1ad.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4668 wrote to memory of 464	4668	5a95d6c4120fc1fa4a6abfe8f3c6d1ad.exe	89
PID 4668 wrote to memory of 464	4668	5a95d6c4120fc1fa4a6abfe8f3c6d1ad.exe	89
PID 4668 wrote to memory of 464	4668	5a95d6c4120fc1fa4a6abfe8f3c6d1ad.exe	89

C:\Users\Admin\AppData\Local\Temp\5a95d6c4120fc1fa4a6abfe8f3c6d1ad.exe
"C:\Users\Admin\AppData\Local\Temp\5a95d6c4120fc1fa4a6abfe8f3c6d1ad.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4668
- C:\Users\Admin\AppData\Local\Temp\5a95d6c4120fc1fa4a6abfe8f3c6d1ad.exe
  C:\Users\Admin\AppData\Local\Temp\5a95d6c4120fc1fa4a6abfe8f3c6d1ad.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5a95d6c4120fc1fa4a6abfe8f3c6d1ad.exe

Filesize
105KB

MD5
94441609fa183c0388167c9ed3d60ca0

SHA1
da120fa957d0a597801aac54410c0f20a701ed76

SHA256
a932c54e681f4a555dc2d942f29d3f546bedb564eeb7d5c9c4b408b01077f62d

SHA512
fe13a959abf0901b96327da997a83996de993415545ba66b40b05b4cf25215dac02b8e13aab2d129e38008ec0d70569121b3cc9c94be8511c803e2c99362b5b9

Download Submit
memory/464-24-0x0000000004EC0000-0x0000000004F1F000-memory.dmp

Filesize
380KB

Download
memory/464-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/464-20-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/464-16-0x00000000014D0000-0x0000000001536000-memory.dmp

Filesize
408KB

Download
memory/464-38-0x000000000C620000-0x000000000C65C000-memory.dmp

Filesize
240KB

Download
memory/464-37-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/464-32-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/464-39-0x000000000C620000-0x000000000C65C000-memory.dmp

Filesize
240KB

Download
memory/4668-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4668-1-0x0000000000180000-0x00000000001E6000-memory.dmp

Filesize
408KB

Download
memory/4668-12-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4668-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download