be39256888557415519f9d008210e9d41831bc592e4fc72fb2f8849bbc0fec8c

Analysis

max time kernel
139s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
15/01/2024, 05:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5c3f94d28f17b0b5da7fb0642353b4b5.exe
Size

771KB
MD5

5c3f94d28f17b0b5da7fb0642353b4b5
SHA1

f502760facec20b707e097d375e4ef0e4656bdba
SHA256

be39256888557415519f9d008210e9d41831bc592e4fc72fb2f8849bbc0fec8c
SHA512

d9a0c1370c4fa93414f77a7b0adde41f846a4b328bbcd8342a633d51f568c7862fb0fd5df3c82d6344823c4cdf9c12c8f822efb9bcd46321ec1416ab46744e0d
SSDEEP

12288:skF9uqJUxbT51NXuJcjrObw2Gb10VHmDXTuFaa2AtyGTKOF25ZoJJyhRge8BpH9r:dF9PJUx/DESrzdb10hJaothZ2/T6FBBB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4828	5c3f94d28f17b0b5da7fb0642353b4b5.exe

Executes dropped EXE 1 IoCs

pid	Process
4828	5c3f94d28f17b0b5da7fb0642353b4b5.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3460	5c3f94d28f17b0b5da7fb0642353b4b5.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3460	5c3f94d28f17b0b5da7fb0642353b4b5.exe
4828	5c3f94d28f17b0b5da7fb0642353b4b5.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3460 wrote to memory of 4828	3460	5c3f94d28f17b0b5da7fb0642353b4b5.exe	88
PID 3460 wrote to memory of 4828	3460	5c3f94d28f17b0b5da7fb0642353b4b5.exe	88
PID 3460 wrote to memory of 4828	3460	5c3f94d28f17b0b5da7fb0642353b4b5.exe	88

C:\Users\Admin\AppData\Local\Temp\5c3f94d28f17b0b5da7fb0642353b4b5.exe
"C:\Users\Admin\AppData\Local\Temp\5c3f94d28f17b0b5da7fb0642353b4b5.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3460
- C:\Users\Admin\AppData\Local\Temp\5c3f94d28f17b0b5da7fb0642353b4b5.exe
  C:\Users\Admin\AppData\Local\Temp\5c3f94d28f17b0b5da7fb0642353b4b5.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:4828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5c3f94d28f17b0b5da7fb0642353b4b5.exe

Filesize
771KB

MD5
c26651b7e2e9bd06baf7411e1b31bb65

SHA1
2f21bb4c5085e7fd269abe4ae151fbf71af72852

SHA256
6c799e05f4cd3e8b5b0bd913c5f450c51bbb2da0a254af7b4ec2d3c78ea17840

SHA512
9cfc401d88c8d5cefd0a804a5d84fcd36b50c0c8fabd16cdfdc4e9c951a0b66b441e05fd7cd48cb169f7b0137eb85ff6cc0fa0bd7cb1b59b409d7f68f47614da

Download Submit
memory/3460-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3460-1-0x0000000001600000-0x0000000001666000-memory.dmp

Filesize
408KB

Download
memory/3460-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3460-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4828-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4828-14-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/4828-20-0x0000000001630000-0x000000000168F000-memory.dmp

Filesize
380KB

Download
memory/4828-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4828-32-0x000000000C640000-0x000000000C67C000-memory.dmp

Filesize
240KB

Download
memory/4828-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4828-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download