a60b310bb5e53515c319e765ce0f04f83b16703f7910c44228eda35741ab0b86

Analysis

max time kernel
88s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18/01/2024, 02:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6439825726ab2c6d37be560ab2372ed8.exe
Size

771KB
MD5

6439825726ab2c6d37be560ab2372ed8
SHA1

b3332fe2470d74342fe8fa32b874b49c6ae918ca
SHA256

a60b310bb5e53515c319e765ce0f04f83b16703f7910c44228eda35741ab0b86
SHA512

90d2cb965b9cce40086be969685dfd81baf9beac1743dc1c519c5f60b141d88367726663bff563613a6906d2d5dada130c7cddb2da0a58a288bd920c5d18353c
SSDEEP

12288:Hx2X1IVs7a11XAcnl3zcv51LBg3PzJLniYZ/C9OFEIif0F6rerfrEhU8zFVMB:HoCVsaXlDcvfBg3tvZWqEIz6qrfiTMB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3088	6439825726ab2c6d37be560ab2372ed8.exe

Executes dropped EXE 1 IoCs

pid	Process
3088	6439825726ab2c6d37be560ab2372ed8.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
740	6439825726ab2c6d37be560ab2372ed8.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
740	6439825726ab2c6d37be560ab2372ed8.exe
3088	6439825726ab2c6d37be560ab2372ed8.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 740 wrote to memory of 3088	740	6439825726ab2c6d37be560ab2372ed8.exe	25
PID 740 wrote to memory of 3088	740	6439825726ab2c6d37be560ab2372ed8.exe	25
PID 740 wrote to memory of 3088	740	6439825726ab2c6d37be560ab2372ed8.exe	25

C:\Users\Admin\AppData\Local\Temp\6439825726ab2c6d37be560ab2372ed8.exe
"C:\Users\Admin\AppData\Local\Temp\6439825726ab2c6d37be560ab2372ed8.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:740
- C:\Users\Admin\AppData\Local\Temp\6439825726ab2c6d37be560ab2372ed8.exe
  C:\Users\Admin\AppData\Local\Temp\6439825726ab2c6d37be560ab2372ed8.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:3088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6439825726ab2c6d37be560ab2372ed8.exe

Filesize
163KB

MD5
9771aa9bb44644cbf084989060cea6ff

SHA1
86c5bcf467da6b058c7ee7602c35656e9cd22944

SHA256
5163118b3be0f9fe9477d7a620f5918d755d5de1b37a67297be4261938844075

SHA512
c2695555fac5ea1efef171c60bdb1d32fc397707e077d464f422e0bb799bdaa18527c0bc9a12b4da8793dab49469b3540d56d88e37f255a17d185c02e8513fec

Download Submit
memory/740-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/740-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/740-1-0x00000000015D0000-0x0000000001636000-memory.dmp

Filesize
408KB

Download
memory/740-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3088-14-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3088-16-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/3088-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3088-20-0x00000000015D0000-0x000000000162F000-memory.dmp

Filesize
380KB

Download
memory/3088-32-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3088-38-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3088-34-0x000000000B620000-0x000000000B65C000-memory.dmp

Filesize
240KB

Download