dc9047db4ac77278c5ab27eed2ae1af6d5ee33fa64c01f0735ff115a3ba073a1

Analysis

max time kernel
148s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
18/01/2024, 09:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6515f591be5a139c7553ddb51cfe39a6.exe
Size

771KB
MD5

6515f591be5a139c7553ddb51cfe39a6
SHA1

be364708363cf6ae6522bd957681b9aadee45932
SHA256

dc9047db4ac77278c5ab27eed2ae1af6d5ee33fa64c01f0735ff115a3ba073a1
SHA512

1611300a168e5172a612ec8a1b829d0a9080d9f782c381c3e0cfa8f4a61f9693252c2470aaa1dad90c0ed74790d422ed85df76e5b9b20b50694a7e8bc3ce66bf
SSDEEP

24576:sKNzLmlDjluUJtG/b10hJaothZ2/T6FBBB:BmlfMj/ofT

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4224	6515f591be5a139c7553ddb51cfe39a6.exe

Executes dropped EXE 1 IoCs

pid	Process
4224	6515f591be5a139c7553ddb51cfe39a6.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
5116	6515f591be5a139c7553ddb51cfe39a6.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	4980	svchost.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
5116	6515f591be5a139c7553ddb51cfe39a6.exe
4224	6515f591be5a139c7553ddb51cfe39a6.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5116 wrote to memory of 4224	5116	6515f591be5a139c7553ddb51cfe39a6.exe	90
PID 5116 wrote to memory of 4224	5116	6515f591be5a139c7553ddb51cfe39a6.exe	90
PID 5116 wrote to memory of 4224	5116	6515f591be5a139c7553ddb51cfe39a6.exe	90

C:\Users\Admin\AppData\Local\Temp\6515f591be5a139c7553ddb51cfe39a6.exe
"C:\Users\Admin\AppData\Local\Temp\6515f591be5a139c7553ddb51cfe39a6.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:5116
- C:\Users\Admin\AppData\Local\Temp\6515f591be5a139c7553ddb51cfe39a6.exe
  C:\Users\Admin\AppData\Local\Temp\6515f591be5a139c7553ddb51cfe39a6.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:4224

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:4500

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6515f591be5a139c7553ddb51cfe39a6.exe

Filesize
771KB

MD5
72ed08859b151d02d8ce5256b22fa662

SHA1
64f6559bc1466bc250d3fa63ad14fd4d3842bbe8

SHA256
894f41b4f5e0269ef503766e2edd5e956f5952ddd4f4c26e265182e2826f3c23

SHA512
fc312bb393c5cd3f542b2ad429a8e2007cdc2f5d6bd46a92fcdad97abaf8e55d80a967abc95dc0cda0b6303585004ec906deb55ef8e4ced2924dab2beb03142b

Download Submit
memory/4224-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4224-34-0x000000000C620000-0x000000000C65C000-memory.dmp

Filesize
240KB

Download
memory/4224-38-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4224-16-0x0000000000160000-0x00000000001C6000-memory.dmp

Filesize
408KB

Download
memory/4224-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4224-32-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4224-20-0x0000000004EB0000-0x0000000004F0F000-memory.dmp

Filesize
380KB

Download
memory/4980-71-0x0000021CB9B80000-0x0000021CB9B81000-memory.dmp

Filesize
4KB

Download
memory/4980-39-0x0000021CB1740000-0x0000021CB1750000-memory.dmp

Filesize
64KB

Download
memory/4980-55-0x0000021CB1840000-0x0000021CB1850000-memory.dmp

Filesize
64KB

Download
memory/4980-73-0x0000021CB9BB0000-0x0000021CB9BB1000-memory.dmp

Filesize
4KB

Download
memory/4980-74-0x0000021CB9BB0000-0x0000021CB9BB1000-memory.dmp

Filesize
4KB

Download
memory/4980-75-0x0000021CB9CC0000-0x0000021CB9CC1000-memory.dmp

Filesize
4KB

Download
memory/5116-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/5116-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/5116-1-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/5116-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download