6bc0018e820e26dda5761444d986cd378b85e821f3ef3c16003a87a1581dceca

Analysis

max time kernel
85s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18/01/2024, 20:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

65ec2fd57d26c57f00998518b2be50d4.exe
Size

907KB
MD5

65ec2fd57d26c57f00998518b2be50d4
SHA1

d66eb54a0031bdb9fbab4e01926ba7f799913cd6
SHA256

6bc0018e820e26dda5761444d986cd378b85e821f3ef3c16003a87a1581dceca
SHA512

b72f155b8a44d5a602ed77b92213609acba7a5b36d34ae091989592c1b81b1ef9a7ad9e73c0fc1840338dd6617b4aaa96c08aeb320545eba51b2c096764d28c7
SSDEEP

12288:aCG6FygVH63C7bjfqfzB7VVVZYfkRP3YzOy1I+R8SwhjpSttqjIwXjqQSeQjVDaq:a2/2bB7l1cVRjw7StmTqi2a/ZS1

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3592	65ec2fd57d26c57f00998518b2be50d4.exe

Executes dropped EXE 1 IoCs

pid	Process
3592	65ec2fd57d26c57f00998518b2be50d4.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2556	65ec2fd57d26c57f00998518b2be50d4.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2556	65ec2fd57d26c57f00998518b2be50d4.exe
3592	65ec2fd57d26c57f00998518b2be50d4.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 3592	2556	65ec2fd57d26c57f00998518b2be50d4.exe	87
PID 2556 wrote to memory of 3592	2556	65ec2fd57d26c57f00998518b2be50d4.exe	87
PID 2556 wrote to memory of 3592	2556	65ec2fd57d26c57f00998518b2be50d4.exe	87

C:\Users\Admin\AppData\Local\Temp\65ec2fd57d26c57f00998518b2be50d4.exe
"C:\Users\Admin\AppData\Local\Temp\65ec2fd57d26c57f00998518b2be50d4.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Users\Admin\AppData\Local\Temp\65ec2fd57d26c57f00998518b2be50d4.exe
  C:\Users\Admin\AppData\Local\Temp\65ec2fd57d26c57f00998518b2be50d4.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:3592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\65ec2fd57d26c57f00998518b2be50d4.exe

Filesize
907KB

MD5
7e87bd26d7859824a73bfc9743547b9b

SHA1
4494b21ed1dbfdfccd64398143de3e9f4ac09c24

SHA256
3c39773bab3016c83d57889b51a6652fa106b296f20c7532356c63293c3ba5eb

SHA512
b24cc089fd640900851365a19e55bdc1524bcb1412c5bf6caa344849580760ff94f243a502d6769d79ac9e4274d96eb2226d4c94a08bbaca24fb700e656ade9c

Download Submit
memory/2556-0-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2556-1-0x0000000001860000-0x0000000001948000-memory.dmp

Filesize
928KB

Download
memory/2556-2-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2556-11-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/3592-13-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/3592-15-0x0000000001820000-0x0000000001908000-memory.dmp

Filesize
928KB

Download
memory/3592-20-0x00000000050B0000-0x000000000516B000-memory.dmp

Filesize
748KB

Download
memory/3592-21-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/3592-30-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3592-33-0x000000000B800000-0x000000000B898000-memory.dmp

Filesize
608KB

Download