6485ef8255bdf8b9481d755c71521eefd51a361a5fc72108f522a3c39a9c7d3f

Analysis

max time kernel
143s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19/01/2024, 05:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66dafe32ea75568635851d428149f4b8.exe
Size

385KB
MD5

66dafe32ea75568635851d428149f4b8
SHA1

b12882e6cdbbee8b64847797d7a9aecbe109988c
SHA256

6485ef8255bdf8b9481d755c71521eefd51a361a5fc72108f522a3c39a9c7d3f
SHA512

f71433a96d0b1ad24d980dad854fc7ef045b2bcbcc4d52d1b6ddb0de588acb7012ec0f9f6cfcb96e5dd14ab200bb36a75c92bb160f4eb5395bf5a9502db0b61d
SSDEEP

6144:3FzQuCuwHnIlCObBm9fpw3IcwsgWCWACwN2HxqC8waXwCIGy7f3rGu0CB:ih2COdyhczf/BnQyTICB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3724	66dafe32ea75568635851d428149f4b8.exe

Executes dropped EXE 1 IoCs

pid	Process
3724	66dafe32ea75568635851d428149f4b8.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2280	66dafe32ea75568635851d428149f4b8.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2280	66dafe32ea75568635851d428149f4b8.exe
3724	66dafe32ea75568635851d428149f4b8.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 3724	2280	66dafe32ea75568635851d428149f4b8.exe	85
PID 2280 wrote to memory of 3724	2280	66dafe32ea75568635851d428149f4b8.exe	85
PID 2280 wrote to memory of 3724	2280	66dafe32ea75568635851d428149f4b8.exe	85

C:\Users\Admin\AppData\Local\Temp\66dafe32ea75568635851d428149f4b8.exe
"C:\Users\Admin\AppData\Local\Temp\66dafe32ea75568635851d428149f4b8.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Users\Admin\AppData\Local\Temp\66dafe32ea75568635851d428149f4b8.exe
  C:\Users\Admin\AppData\Local\Temp\66dafe32ea75568635851d428149f4b8.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:3724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\66dafe32ea75568635851d428149f4b8.exe

Filesize
385KB

MD5
7334cfae112d11c32163118b56eda601

SHA1
b7ce215f908105289652790efd2e4d926d6412e7

SHA256
b32d46fd59cb55f150c538bb6726cddf5056037ea16052217898eb43dd181801

SHA512
486fb906ea36aa2c2c4001aa2595c468fdbf25759b19eb96fbe79029846a9edc55b8618e68847534f4cf084a52be01a65b62cd9395778b112cf2b7ebe1bd4117

Download Submit
memory/2280-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2280-1-0x0000000000190000-0x00000000001F6000-memory.dmp

Filesize
408KB

Download
memory/2280-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2280-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3724-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3724-15-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/3724-20-0x00000000015E0000-0x000000000163F000-memory.dmp

Filesize
380KB

Download
memory/3724-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3724-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3724-32-0x000000000B600000-0x000000000B63C000-memory.dmp

Filesize
240KB

Download
memory/3724-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download