63d5324c921d348ddf5fd1de12dd526cf664ab49c47ff43a7497babc5a92e224

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
15-01-2024 01:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5bc42de51e462571e859e144a64efa4e.exe
Size

907KB
MD5

5bc42de51e462571e859e144a64efa4e
SHA1

827f28c3507748e3ed2ed1011126995f73b6c558
SHA256

63d5324c921d348ddf5fd1de12dd526cf664ab49c47ff43a7497babc5a92e224
SHA512

9636d89dde8f2aff73eb6643cdc505b0132bde585495005bf63eb6bca7ff7ca2a1ddeb03f50c2958c4eff8620d1121d6b176446291a5ebd9243ccf9cf28144a9
SSDEEP

12288:DrnW0ZqcjxafUBLP1omZgjsNc6oo8NqQCD9bcw2BCYOjVDa/ZS1:Drn3ZqcUq1CkO5UyRp8a/ZS1

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1532	5bc42de51e462571e859e144a64efa4e.exe

Executes dropped EXE 1 IoCs

pid	Process
1532	5bc42de51e462571e859e144a64efa4e.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1192	5bc42de51e462571e859e144a64efa4e.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1192	5bc42de51e462571e859e144a64efa4e.exe
1532	5bc42de51e462571e859e144a64efa4e.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1192 wrote to memory of 1532	1192	5bc42de51e462571e859e144a64efa4e.exe	91
PID 1192 wrote to memory of 1532	1192	5bc42de51e462571e859e144a64efa4e.exe	91
PID 1192 wrote to memory of 1532	1192	5bc42de51e462571e859e144a64efa4e.exe	91

C:\Users\Admin\AppData\Local\Temp\5bc42de51e462571e859e144a64efa4e.exe
"C:\Users\Admin\AppData\Local\Temp\5bc42de51e462571e859e144a64efa4e.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1192
- C:\Users\Admin\AppData\Local\Temp\5bc42de51e462571e859e144a64efa4e.exe
  C:\Users\Admin\AppData\Local\Temp\5bc42de51e462571e859e144a64efa4e.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5bc42de51e462571e859e144a64efa4e.exe

Filesize
339KB

MD5
ea8d444f515b5cc81754ab5ed35ceefe

SHA1
38f2f1b2f0958f4398aa0a3d25ae479535ec8d3c

SHA256
205126d8cf3a8d1b6fba33d8531f3ad02283d4f644e8dedc6e9900debe141192

SHA512
2ea6c77fb4fc16c349da55250c1dc4b801554aae72b71b67f37e6c4f50f932a6ee115822b6feb327f367a9d1cd4287790ba53a60b976d5be31ee30ed538a8500

Download Submit
memory/1192-0-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1192-1-0x0000000001800000-0x00000000018E8000-memory.dmp

Filesize
928KB

Download
memory/1192-2-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/1192-12-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/1532-13-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1532-16-0x0000000001720000-0x0000000001808000-memory.dmp

Filesize
928KB

Download
memory/1532-22-0x0000000005090000-0x000000000514B000-memory.dmp

Filesize
748KB

Download
memory/1532-20-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1532-32-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1532-34-0x000000000C820000-0x000000000C8B8000-memory.dmp

Filesize
608KB

Download