de975905bf71ad9298dd1b651e66e44ad866903bfd3e439182ffd8578ba0b71d

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
22/01/2024, 17:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6fd59ffcc1785753a27653cf65764fed.exe
Size

385KB
MD5

6fd59ffcc1785753a27653cf65764fed
SHA1

b1ab0cb82d54d5c5b778eaec2ca7671591de630d
SHA256

de975905bf71ad9298dd1b651e66e44ad866903bfd3e439182ffd8578ba0b71d
SHA512

4e57785514834d2d362d21826b6361add162057c92b310f471430fa9f71a604dc92dfb70a9abf5f9018bf48e87cfc149b6edd253e31a12972db4327f0ea6c893
SSDEEP

6144:Sjb3EsL5CrSy8of9ksT4fsMW3mRK5szmotKHXX77D1w/FXBxpWV8G/LHSG3RzDhE:SnmnHXjD10JBxtGTHR50efEmvN2NcMB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4680	6fd59ffcc1785753a27653cf65764fed.exe

Executes dropped EXE 1 IoCs

pid	Process
4680	6fd59ffcc1785753a27653cf65764fed.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4868	6fd59ffcc1785753a27653cf65764fed.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4868	6fd59ffcc1785753a27653cf65764fed.exe
4680	6fd59ffcc1785753a27653cf65764fed.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4868 wrote to memory of 4680	4868	6fd59ffcc1785753a27653cf65764fed.exe	86
PID 4868 wrote to memory of 4680	4868	6fd59ffcc1785753a27653cf65764fed.exe	86
PID 4868 wrote to memory of 4680	4868	6fd59ffcc1785753a27653cf65764fed.exe	86

C:\Users\Admin\AppData\Local\Temp\6fd59ffcc1785753a27653cf65764fed.exe
"C:\Users\Admin\AppData\Local\Temp\6fd59ffcc1785753a27653cf65764fed.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4868
- C:\Users\Admin\AppData\Local\Temp\6fd59ffcc1785753a27653cf65764fed.exe
  C:\Users\Admin\AppData\Local\Temp\6fd59ffcc1785753a27653cf65764fed.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:4680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6fd59ffcc1785753a27653cf65764fed.exe

Filesize
385KB

MD5
776cdfd486aa595698f6f00094ddb5b0

SHA1
953e2d393d9969fd08b17815b0dbaf41b77cf464

SHA256
b247b2151ca6cebda9dc9a9b77d7f11521914dac09a784936eed953d4a6560ad

SHA512
4a304d2430b8ffbc52dc5ffc15fe0291a1b292ef484bd081fe451e3b7e1fbee6e93074d66392a678c3472f7ebfea4214b0a0fcea4e9b5fdc0dc053a557f306d5

Download Submit
memory/4680-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4680-14-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/4680-20-0x0000000004ED0000-0x0000000004F2F000-memory.dmp

Filesize
380KB

Download
memory/4680-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4680-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4680-35-0x000000000B600000-0x000000000B63C000-memory.dmp

Filesize
240KB

Download
memory/4680-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4868-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4868-1-0x00000000014D0000-0x0000000001536000-memory.dmp

Filesize
408KB

Download
memory/4868-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4868-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download