58612093b919f0537a69912c4d70e519d3a798d2047a2d262295f50c7fa332a4

Analysis

max time kernel
141s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24/01/2024, 22:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

72f5d3f5275f2ce6668934c387a0f7c5.exe
Size

385KB
MD5

72f5d3f5275f2ce6668934c387a0f7c5
SHA1

090688a6983851d03c8acd11f0ab71eb511ecc4c
SHA256

58612093b919f0537a69912c4d70e519d3a798d2047a2d262295f50c7fa332a4
SHA512

2ce0ecc3ce14f32dedea38cb7aad61c64528e9bee07fa45234ab116036865a796c70ea941a71ad232b626daa321b61734de14fb33f582cd34999617708588094
SSDEEP

12288:2Rlo0SmioKflnh+iuaoO9fq/ipKpACa3/KB:2bEoil3oQoouACaSB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1000	72f5d3f5275f2ce6668934c387a0f7c5.exe

Executes dropped EXE 1 IoCs

pid	Process
1000	72f5d3f5275f2ce6668934c387a0f7c5.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1984	72f5d3f5275f2ce6668934c387a0f7c5.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1984	72f5d3f5275f2ce6668934c387a0f7c5.exe
1000	72f5d3f5275f2ce6668934c387a0f7c5.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 1000	1984	72f5d3f5275f2ce6668934c387a0f7c5.exe	86
PID 1984 wrote to memory of 1000	1984	72f5d3f5275f2ce6668934c387a0f7c5.exe	86
PID 1984 wrote to memory of 1000	1984	72f5d3f5275f2ce6668934c387a0f7c5.exe	86

C:\Users\Admin\AppData\Local\Temp\72f5d3f5275f2ce6668934c387a0f7c5.exe
"C:\Users\Admin\AppData\Local\Temp\72f5d3f5275f2ce6668934c387a0f7c5.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Users\Admin\AppData\Local\Temp\72f5d3f5275f2ce6668934c387a0f7c5.exe
  C:\Users\Admin\AppData\Local\Temp\72f5d3f5275f2ce6668934c387a0f7c5.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\72f5d3f5275f2ce6668934c387a0f7c5.exe

Filesize
385KB

MD5
a3800912da1df6b49d81d02521153add

SHA1
cff597bebe1a4f67cf83cba146102b0c2cdb0d0b

SHA256
26e57066d79abef6db1166f8ef593c67f3a8d7a4412b3cf4e71e49cfe1778799

SHA512
b51fc216de0a408437b4718476cc18ee3f4e9b25062fec3abddcd35c41e864f0069a91f0d8e2f7d701dbf510a219cfe7bdddc65babd7f640bf586623e961fbd6

Download Submit
memory/1000-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1000-16-0x0000000000140000-0x00000000001A6000-memory.dmp

Filesize
408KB

Download
memory/1000-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1000-20-0x0000000004EF0000-0x0000000004F4F000-memory.dmp

Filesize
380KB

Download
memory/1000-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1000-32-0x000000000B600000-0x000000000B63C000-memory.dmp

Filesize
240KB

Download
memory/1000-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1984-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1984-1-0x0000000000160000-0x00000000001C6000-memory.dmp

Filesize
408KB

Download
memory/1984-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1984-12-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download