13f92635397374870114560544652af822d23f0c0b4ebb90348baca84729ced7

Analysis

max time kernel
144s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18/01/2024, 16:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

658e74674ed0771dac54cc761d6844f6.exe
Size

1.5MB
MD5

658e74674ed0771dac54cc761d6844f6
SHA1

e297fa3a46583af899dd1b0ef34d9090b653e8b8
SHA256

13f92635397374870114560544652af822d23f0c0b4ebb90348baca84729ced7
SHA512

3a631d451ffe4d35fa0c97bb1c566c012bb0a0f60ecffab3121cca58a68bfbd7e3b28d76acab266c17e9d041d7aedc6a2fdbde433624f0cae569389bc3c1cb4c
SSDEEP

24576:sITzXcndcq/5RJhb10hJaothZ2/T6FBBjNPI5lqkfZSkHR82b10hJaothZ2/T6FP:sAcX/ofqg4/ofp

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3744	658e74674ed0771dac54cc761d6844f6.exe

Executes dropped EXE 1 IoCs

pid	Process
3744	658e74674ed0771dac54cc761d6844f6.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4964	658e74674ed0771dac54cc761d6844f6.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4964	658e74674ed0771dac54cc761d6844f6.exe
3744	658e74674ed0771dac54cc761d6844f6.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4964 wrote to memory of 3744	4964	658e74674ed0771dac54cc761d6844f6.exe	87
PID 4964 wrote to memory of 3744	4964	658e74674ed0771dac54cc761d6844f6.exe	87
PID 4964 wrote to memory of 3744	4964	658e74674ed0771dac54cc761d6844f6.exe	87

C:\Users\Admin\AppData\Local\Temp\658e74674ed0771dac54cc761d6844f6.exe
"C:\Users\Admin\AppData\Local\Temp\658e74674ed0771dac54cc761d6844f6.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4964
- C:\Users\Admin\AppData\Local\Temp\658e74674ed0771dac54cc761d6844f6.exe
  C:\Users\Admin\AppData\Local\Temp\658e74674ed0771dac54cc761d6844f6.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:3744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\658e74674ed0771dac54cc761d6844f6.exe

Filesize
1.5MB

MD5
1fe7fc0a084efb3bf48cf5ed9b9b5082

SHA1
8d138c0d34867b09d26cffc2686427f52781256c

SHA256
f8afc83b978340ae5cdc8618b275763dd3afa6ba47c03d2d5fcbfa52505d48bd

SHA512
232863614075debf0fde8d1f78d99c12648f42a65600219c2482576fa9e062beec51c8414638343734356e5a294986ef5829673cdd696aa746c6ba5ebb745937

Download Submit
memory/3744-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3744-14-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/3744-21-0x0000000004E80000-0x0000000004EDF000-memory.dmp

Filesize
380KB

Download
memory/3744-20-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3744-32-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3744-37-0x000000000C620000-0x000000000C65C000-memory.dmp

Filesize
240KB

Download
memory/3744-38-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4964-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4964-1-0x00000000014D0000-0x0000000001536000-memory.dmp

Filesize
408KB

Download
memory/4964-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4964-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download