fa32db3a5f80752b3da3a773eef20ddc2709626b4abe4a56c4941f8a51e65a34

Analysis

max time kernel
142s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18/01/2024, 21:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66204e1ee5aa17491da2eaa5fd020856.exe
Size

385KB
MD5

66204e1ee5aa17491da2eaa5fd020856
SHA1

105ef39173a008d3f8d44047d6eb9193e33f5c28
SHA256

fa32db3a5f80752b3da3a773eef20ddc2709626b4abe4a56c4941f8a51e65a34
SHA512

55e35e21eb0f12984d00d849ca832b8b643bc3164bcb3d4eecbafe43f9ae3119ba09f39439584a2952cd7f52d45665e4e0f80953fce1258a73024d0d453e61de
SSDEEP

6144:sLplgPOF2z2wgwXVEGlRySRXWVFctuOiC9mTjLGI+JYPf2OGOxJPit2J2L6csSFB:st6POF2zqwCGalFciLGdeR/JcxsSFB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4800	66204e1ee5aa17491da2eaa5fd020856.exe

Executes dropped EXE 1 IoCs

pid	Process
4800	66204e1ee5aa17491da2eaa5fd020856.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3748	66204e1ee5aa17491da2eaa5fd020856.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3748	66204e1ee5aa17491da2eaa5fd020856.exe
4800	66204e1ee5aa17491da2eaa5fd020856.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3748 wrote to memory of 4800	3748	66204e1ee5aa17491da2eaa5fd020856.exe	86
PID 3748 wrote to memory of 4800	3748	66204e1ee5aa17491da2eaa5fd020856.exe	86
PID 3748 wrote to memory of 4800	3748	66204e1ee5aa17491da2eaa5fd020856.exe	86

C:\Users\Admin\AppData\Local\Temp\66204e1ee5aa17491da2eaa5fd020856.exe
"C:\Users\Admin\AppData\Local\Temp\66204e1ee5aa17491da2eaa5fd020856.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3748
- C:\Users\Admin\AppData\Local\Temp\66204e1ee5aa17491da2eaa5fd020856.exe
  C:\Users\Admin\AppData\Local\Temp\66204e1ee5aa17491da2eaa5fd020856.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:4800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\66204e1ee5aa17491da2eaa5fd020856.exe

Filesize
385KB

MD5
4e267ac2af83e2d526faf32e620b7f04

SHA1
6c44dbde52b0162a3a1c253207cb3e945e321a8a

SHA256
784228574f42da506ca2b664f81725651a4fe3ac6b2541897102ac7e94fd545b

SHA512
012ec431a30e144d30eebb23535324ad4edf2a59b9f81ddff0284ae476a71339e7f85042432e7dc9fea8e6656778c27f94917c3e27352805d3d4294fd4c67006

Download Submit
memory/3748-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3748-1-0x00000000015E0000-0x0000000001646000-memory.dmp

Filesize
408KB

Download
memory/3748-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3748-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4800-14-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4800-16-0x0000000000160000-0x00000000001C6000-memory.dmp

Filesize
408KB

Download
memory/4800-26-0x0000000004EF0000-0x0000000004F4F000-memory.dmp

Filesize
380KB

Download
memory/4800-20-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4800-33-0x000000000C620000-0x000000000C65C000-memory.dmp

Filesize
240KB

Download
memory/4800-32-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4800-38-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download