6abfe0c4e55faa9c11eed7cdb79c817f2b342523d42d7bb591635edc4bd70d5b

Analysis

max time kernel
137s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18-01-2024 07:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64d43e5f11ce772cfd78c741f8af80a9.exe
Size

907KB
MD5

64d43e5f11ce772cfd78c741f8af80a9
SHA1

30e31334aaa73c6bcbd9386ca92003d9de4ded69
SHA256

6abfe0c4e55faa9c11eed7cdb79c817f2b342523d42d7bb591635edc4bd70d5b
SHA512

0ec4ba9dee9b8b58a6523ecb62940a592594eb87982233c1dba7d01d633d14925a00db0faf1f4a24aabcc920050f376266bf9b0418126421e537f594a19d51fe
SSDEEP

12288:0BvXczsgdJK6u1d97j4ADLpe3OG0bY/aM+hFSfXzaIXknjOrsQkxjVDa/ZS1:0J4dJe1d97j4N3v00/aQnX2OrT6a/ZS1

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1436	64d43e5f11ce772cfd78c741f8af80a9.exe

Executes dropped EXE 1 IoCs

pid	Process
1436	64d43e5f11ce772cfd78c741f8af80a9.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3012	64d43e5f11ce772cfd78c741f8af80a9.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3012	64d43e5f11ce772cfd78c741f8af80a9.exe
1436	64d43e5f11ce772cfd78c741f8af80a9.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 1436	3012	64d43e5f11ce772cfd78c741f8af80a9.exe	89
PID 3012 wrote to memory of 1436	3012	64d43e5f11ce772cfd78c741f8af80a9.exe	89
PID 3012 wrote to memory of 1436	3012	64d43e5f11ce772cfd78c741f8af80a9.exe	89

C:\Users\Admin\AppData\Local\Temp\64d43e5f11ce772cfd78c741f8af80a9.exe
"C:\Users\Admin\AppData\Local\Temp\64d43e5f11ce772cfd78c741f8af80a9.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Users\Admin\AppData\Local\Temp\64d43e5f11ce772cfd78c741f8af80a9.exe
  C:\Users\Admin\AppData\Local\Temp\64d43e5f11ce772cfd78c741f8af80a9.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\64d43e5f11ce772cfd78c741f8af80a9.exe

Filesize
907KB

MD5
e95babfa69527fc7e93aa428e081eb99

SHA1
015a4759b3429c0b280ce8931ed4cc025cd92877

SHA256
195ab7ad73b2f59646319a062f554bf5883cca5c9d62c9cf7d7c2de5c4ad5d91

SHA512
e23d2163b33c8620cbf1e02fca427523aea766a3a059ce669a484bd62bb796e021007dfb82204a34ae09f604bb4de1a3a150d50d2860b95f560c13cb62a4b8dd

Download Submit
memory/1436-13-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1436-15-0x0000000001690000-0x0000000001778000-memory.dmp

Filesize
928KB

Download
memory/1436-20-0x0000000005120000-0x00000000051DB000-memory.dmp

Filesize
748KB

Download
memory/1436-21-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1436-32-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1436-36-0x000000000D860000-0x000000000D8F8000-memory.dmp

Filesize
608KB

Download
memory/3012-0-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/3012-1-0x0000000001670000-0x0000000001758000-memory.dmp

Filesize
928KB

Download
memory/3012-2-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/3012-11-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download