80fc2daefbf699eb8389465b1901257f5bb52563514b2b7e53f61d0debb138c1

Analysis

max time kernel
87s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/01/2024, 13:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

74c53396d163878d935597e9426ae79a.exe
Size

385KB
MD5

74c53396d163878d935597e9426ae79a
SHA1

f0beebae970f3dc76b30cab9affb7efc1ab24cb4
SHA256

80fc2daefbf699eb8389465b1901257f5bb52563514b2b7e53f61d0debb138c1
SHA512

41b85e91ca4f62e932172ea68230c4db523460cb8b82e941b4b8a47cba7c2b3265b8bd5571a896e0bbc3a4084ac08ac24227370bf6ccef41b9daeffe3a0ae0ad
SSDEEP

6144:2fIWDv/sfP8cmqZ+q+hoON0chpgMEE/P8jYbhPQgVZPLvB:2fIOv/sfP8e+NzPFXdbhPHVZjvB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4640	74c53396d163878d935597e9426ae79a.exe

Executes dropped EXE 1 IoCs

pid	Process
4640	74c53396d163878d935597e9426ae79a.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1320	74c53396d163878d935597e9426ae79a.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1320	74c53396d163878d935597e9426ae79a.exe
4640	74c53396d163878d935597e9426ae79a.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1320 wrote to memory of 4640	1320	74c53396d163878d935597e9426ae79a.exe	86
PID 1320 wrote to memory of 4640	1320	74c53396d163878d935597e9426ae79a.exe	86
PID 1320 wrote to memory of 4640	1320	74c53396d163878d935597e9426ae79a.exe	86

C:\Users\Admin\AppData\Local\Temp\74c53396d163878d935597e9426ae79a.exe
"C:\Users\Admin\AppData\Local\Temp\74c53396d163878d935597e9426ae79a.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1320
- C:\Users\Admin\AppData\Local\Temp\74c53396d163878d935597e9426ae79a.exe
  C:\Users\Admin\AppData\Local\Temp\74c53396d163878d935597e9426ae79a.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:4640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\74c53396d163878d935597e9426ae79a.exe

Filesize
385KB

MD5
8939e7b7bb0652ae89d4da2da38ecb6e

SHA1
1971365cd38e3c8e856b666083a57293f2f0e820

SHA256
465112fa5e3a09257e9a9c73c135d7863b6d8354482bc54ee17b3dba04475e47

SHA512
44b5667a29700f416192a9d83298b5877ab0a09b4eb283ee15b34d91e261b521d8b76228ad2f53120c8137ef044d180391aa2b9c67d9790d87f60704492b44cb

Download Submit
memory/1320-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1320-1-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/1320-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1320-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4640-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4640-15-0x0000000001610000-0x0000000001676000-memory.dmp

Filesize
408KB

Download
memory/4640-20-0x0000000004ED0000-0x0000000004F2F000-memory.dmp

Filesize
380KB

Download
memory/4640-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4640-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4640-33-0x000000000B600000-0x000000000B63C000-memory.dmp

Filesize
240KB

Download
memory/4640-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download