3df11e6ec7c54958349f1e8d1991fc7b626482969c6dd1e623dc7b56e98d5fb3

Analysis

max time kernel
143s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
18-01-2024 12:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

655a693b4069069e32e2fa37c662aeb1.exe
Size

385KB
MD5

655a693b4069069e32e2fa37c662aeb1
SHA1

2645aad1a61fd391592684bccafbb701ea912a11
SHA256

3df11e6ec7c54958349f1e8d1991fc7b626482969c6dd1e623dc7b56e98d5fb3
SHA512

30ab6807a18421ee4f0ed158ccd16ec12f9eb75bed9550948fbbb72ce1ad608ce454993a1a71e2ac93fecfb4f8a0cad7d243fa47b7b88c9b5dde544ef6944612
SSDEEP

6144:fwEn8r51uEmZ5WXt9qlIXyaWLNg57v2mTWUkWormmM4CiQnUONPjHM88EY2Z6YkR:1nC51vtjHBWUkW4mQusfYbkjznB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2312	655a693b4069069e32e2fa37c662aeb1.exe

Executes dropped EXE 1 IoCs

pid	Process
2312	655a693b4069069e32e2fa37c662aeb1.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4172	655a693b4069069e32e2fa37c662aeb1.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	3120	svchost.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4172	655a693b4069069e32e2fa37c662aeb1.exe
2312	655a693b4069069e32e2fa37c662aeb1.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4172 wrote to memory of 2312	4172	655a693b4069069e32e2fa37c662aeb1.exe	88
PID 4172 wrote to memory of 2312	4172	655a693b4069069e32e2fa37c662aeb1.exe	88
PID 4172 wrote to memory of 2312	4172	655a693b4069069e32e2fa37c662aeb1.exe	88

C:\Users\Admin\AppData\Local\Temp\655a693b4069069e32e2fa37c662aeb1.exe
"C:\Users\Admin\AppData\Local\Temp\655a693b4069069e32e2fa37c662aeb1.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4172
- C:\Users\Admin\AppData\Local\Temp\655a693b4069069e32e2fa37c662aeb1.exe
  C:\Users\Admin\AppData\Local\Temp\655a693b4069069e32e2fa37c662aeb1.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2312

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:4736

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\655a693b4069069e32e2fa37c662aeb1.exe

Filesize
385KB

MD5
215662949bc0e0de0968e309d6ceebd1

SHA1
43d947cb451a7794e7eadd7d82fbe9c46868505d

SHA256
610aef0d766ffcbd4691178d5dd932161eb5a616a499cf528ab89de581bc9f92

SHA512
ac4b0473fb7ecacc73667b1cdb6a05805d523f2ae08b5372fc93e7f90f877bdccb750233239e768857f761f70776b5db23a118f53cacee534d81914a711a35fd

Download Submit
memory/2312-20-0x00000000015F0000-0x000000000164F000-memory.dmp

Filesize
380KB

Download
memory/2312-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2312-33-0x000000000B600000-0x000000000B63C000-memory.dmp

Filesize
240KB

Download
memory/2312-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2312-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2312-16-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/2312-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3120-37-0x0000012E7AA50000-0x0000012E7AA60000-memory.dmp

Filesize
64KB

Download
memory/3120-53-0x0000012E7AB50000-0x0000012E7AB60000-memory.dmp

Filesize
64KB

Download
memory/3120-69-0x0000012E7EEC0000-0x0000012E7EEC1000-memory.dmp

Filesize
4KB

Download
memory/3120-71-0x0000012E7EEF0000-0x0000012E7EEF1000-memory.dmp

Filesize
4KB

Download
memory/3120-72-0x0000012E7EEF0000-0x0000012E7EEF1000-memory.dmp

Filesize
4KB

Download
memory/3120-73-0x0000012E7F000000-0x0000012E7F001000-memory.dmp

Filesize
4KB

Download
memory/4172-12-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4172-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4172-1-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/4172-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download