b431b5b2d37e110322e5d6b1d88b4e959996673300b6ceafdbe15fb79be7d1b1

Analysis

max time kernel
83s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
15/01/2024, 02:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5bda20e8c482c63f43db6a96165a36f8.exe
Size

907KB
MD5

5bda20e8c482c63f43db6a96165a36f8
SHA1

03a43f299835395e11ed13715f1a97c5fd1c2a2b
SHA256

b431b5b2d37e110322e5d6b1d88b4e959996673300b6ceafdbe15fb79be7d1b1
SHA512

e857f899363d105b476b07cf6513cee5c8427c3c9a972ef427929f0ea15ee47022bc3b8d173edfd0d69c81ba0e411415635749624a56fc03e3cd54c98354be48
SSDEEP

24576:V839POUMB32Dtn9/8Tln4TShdoela/ZS1:VCPOU232DtgnDhC6gS

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3292	5bda20e8c482c63f43db6a96165a36f8.exe

Executes dropped EXE 1 IoCs

pid	Process
3292	5bda20e8c482c63f43db6a96165a36f8.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3276	5bda20e8c482c63f43db6a96165a36f8.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3276	5bda20e8c482c63f43db6a96165a36f8.exe
3292	5bda20e8c482c63f43db6a96165a36f8.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3276 wrote to memory of 3292	3276	5bda20e8c482c63f43db6a96165a36f8.exe	87
PID 3276 wrote to memory of 3292	3276	5bda20e8c482c63f43db6a96165a36f8.exe	87
PID 3276 wrote to memory of 3292	3276	5bda20e8c482c63f43db6a96165a36f8.exe	87

C:\Users\Admin\AppData\Local\Temp\5bda20e8c482c63f43db6a96165a36f8.exe
"C:\Users\Admin\AppData\Local\Temp\5bda20e8c482c63f43db6a96165a36f8.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3276
- C:\Users\Admin\AppData\Local\Temp\5bda20e8c482c63f43db6a96165a36f8.exe
  C:\Users\Admin\AppData\Local\Temp\5bda20e8c482c63f43db6a96165a36f8.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:3292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5bda20e8c482c63f43db6a96165a36f8.exe

Filesize
907KB

MD5
616c0ccd6b3312e5b1dffceffe8f218e

SHA1
b81d72315e5783435d57edba7dbbaf1c70a72354

SHA256
c34005a4ac0bd8be0a2717039efae3ecfd6865e2447f8ac98b14cec0121ffbc7

SHA512
5d309d720689e98e3855759378bba283ea26be13cf3b30eaeee2ce89d2ddd15e04cfa9af4d8c607441f378834619591938bbfdfd0f69840d897a7e286497bb8c

Download Submit
memory/3276-0-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/3276-1-0x00000000017A0000-0x0000000001888000-memory.dmp

Filesize
928KB

Download
memory/3276-2-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/3276-11-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/3292-13-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/3292-14-0x0000000001760000-0x0000000001848000-memory.dmp

Filesize
928KB

Download
memory/3292-20-0x00000000051A0000-0x000000000525B000-memory.dmp

Filesize
748KB

Download
memory/3292-21-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/3292-31-0x000000000B800000-0x000000000B898000-memory.dmp

Filesize
608KB

Download
memory/3292-30-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download