d14fec933bf976f1cbefcc39e41d148d2f716afab423ae8c77724df793a7d14f

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
18/01/2024, 16:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

657d7c1abad5c0557a8d406fa15d1bfb.exe
Size

907KB
MD5

657d7c1abad5c0557a8d406fa15d1bfb
SHA1

37bddd375690d38a7013ccfe40814cd44cdc87fd
SHA256

d14fec933bf976f1cbefcc39e41d148d2f716afab423ae8c77724df793a7d14f
SHA512

94d1893743ba4ea24f40e4e410837004550754b23cb713b1a2a02326ed3a944c8de41e3c59004f55fd2958d2203557ac6a66c46a2a3e380f9f632a0d6547d77e
SSDEEP

12288:6B5cV01G6xGkTDPJBzhSfF+G1lwKI9hzALGnJ8+yKhvm5P6u4jVDa/ZS1:6B5cVH6xBTrzE21A6nJd5hmdUa/ZS1

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
804	657d7c1abad5c0557a8d406fa15d1bfb.exe

Executes dropped EXE 1 IoCs

pid	Process
804	657d7c1abad5c0557a8d406fa15d1bfb.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3916	657d7c1abad5c0557a8d406fa15d1bfb.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3916	657d7c1abad5c0557a8d406fa15d1bfb.exe
804	657d7c1abad5c0557a8d406fa15d1bfb.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3916 wrote to memory of 804	3916	657d7c1abad5c0557a8d406fa15d1bfb.exe	42
PID 3916 wrote to memory of 804	3916	657d7c1abad5c0557a8d406fa15d1bfb.exe	42
PID 3916 wrote to memory of 804	3916	657d7c1abad5c0557a8d406fa15d1bfb.exe	42

C:\Users\Admin\AppData\Local\Temp\657d7c1abad5c0557a8d406fa15d1bfb.exe
"C:\Users\Admin\AppData\Local\Temp\657d7c1abad5c0557a8d406fa15d1bfb.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3916
- C:\Users\Admin\AppData\Local\Temp\657d7c1abad5c0557a8d406fa15d1bfb.exe
  C:\Users\Admin\AppData\Local\Temp\657d7c1abad5c0557a8d406fa15d1bfb.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\657d7c1abad5c0557a8d406fa15d1bfb.exe

Filesize
737KB

MD5
63b9012671e4b9e23ac6fb5ac9214faa

SHA1
87e2f3ff334acb1fba8dde1a27dde8c8da3fdd8f

SHA256
8fa2c7029526183547a797e092069cb56a2a113c326221ded5cc0a19e15360da

SHA512
5b4ed844a088e4560f52be47d680d93d6c60b3c57906125575f5966d8f667ab3a547a3b1ac276b78501170093b2c14a634ea1dc49ba9258a7da60e3bcd9868ad

Download Submit
memory/804-14-0x00000000016E0000-0x00000000017C8000-memory.dmp

Filesize
928KB

Download
memory/804-13-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/804-20-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/804-23-0x0000000005080000-0x000000000513B000-memory.dmp

Filesize
748KB

Download
memory/804-30-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/804-36-0x000000000B800000-0x000000000B898000-memory.dmp

Filesize
608KB

Download
memory/3916-0-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/3916-1-0x00000000015B0000-0x0000000001698000-memory.dmp

Filesize
928KB

Download
memory/3916-2-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/3916-11-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download