b338c35b92d9fba52bbf4d284a0cbbe06918bcc80eae7b439a61cd93d034746e

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19/01/2024, 05:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66c8aa0633f9ac29979914fb4297a574.exe
Size

907KB
MD5

66c8aa0633f9ac29979914fb4297a574
SHA1

3048e906d2c929e38fd5ca389bc4b69333b88513
SHA256

b338c35b92d9fba52bbf4d284a0cbbe06918bcc80eae7b439a61cd93d034746e
SHA512

9aa39ff8e0fbc00aa155a316c43215097a3127e85648186bda7eb994dba4e09328f756f1b0626624d45d1b3f0780bfca300b58899d1d509cc636442501d80a03
SSDEEP

24576:Js9cAOim8LXCG1L4zNt/D+clgxmDr8a/ZS1:Js9ccm8LS8Yb/jmEX8gS

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3580	66c8aa0633f9ac29979914fb4297a574.exe

Executes dropped EXE 1 IoCs

pid	Process
3580	66c8aa0633f9ac29979914fb4297a574.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2700	66c8aa0633f9ac29979914fb4297a574.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2700	66c8aa0633f9ac29979914fb4297a574.exe
3580	66c8aa0633f9ac29979914fb4297a574.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 3580	2700	66c8aa0633f9ac29979914fb4297a574.exe	89
PID 2700 wrote to memory of 3580	2700	66c8aa0633f9ac29979914fb4297a574.exe	89
PID 2700 wrote to memory of 3580	2700	66c8aa0633f9ac29979914fb4297a574.exe	89

C:\Users\Admin\AppData\Local\Temp\66c8aa0633f9ac29979914fb4297a574.exe
"C:\Users\Admin\AppData\Local\Temp\66c8aa0633f9ac29979914fb4297a574.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Users\Admin\AppData\Local\Temp\66c8aa0633f9ac29979914fb4297a574.exe
  C:\Users\Admin\AppData\Local\Temp\66c8aa0633f9ac29979914fb4297a574.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:3580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\66c8aa0633f9ac29979914fb4297a574.exe

Filesize
458KB

MD5
5fcc88defa93fb6393b778f54e59eb6d

SHA1
157686fcb28db6d22f7efdf55fc1c9132f17f86e

SHA256
f9d8ca48a1719d70164c5f50cbd38fc4756b3b3fc154b9a8422a85be126bbf80

SHA512
8b5ec12af9c37d7040272d301e20507ec26cd2c3df4419e013b2356b652135c216ef89c2466f21f3f2a52ce6288c97a71912dd23c8170241f0f332c5ced2e87b

Download Submit
memory/2700-0-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2700-1-0x0000000001700000-0x00000000017E8000-memory.dmp

Filesize
928KB

Download
memory/2700-2-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2700-11-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/3580-13-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/3580-15-0x00000000016F0000-0x00000000017D8000-memory.dmp

Filesize
928KB

Download
memory/3580-20-0x00000000050F0000-0x00000000051AB000-memory.dmp

Filesize
748KB

Download
memory/3580-21-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/3580-30-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3580-32-0x000000000B800000-0x000000000B898000-memory.dmp

Filesize
608KB

Download