c056638ae3452cddf858121518abe039b2e75e6a4d4ba40fc27340ef5d1aeace

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
06-12-2024 09:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c056638ae3452cddf858121518abe039b2e75e6a4d4ba40fc27340ef5d1aeace.exe
Size

686KB
MD5

44adb05457d354014bd7b663c4768892
SHA1

f3a5cbd19cae38d03ce9792ec7770ca00639e812
SHA256

c056638ae3452cddf858121518abe039b2e75e6a4d4ba40fc27340ef5d1aeace
SHA512

6f870752d03c2f9083f46013ac3d057debc45d36f0d880ec12725d53f5f19bea964ced664f477aedbb2c79e881a47158e4dd07884ccc52e330c42cdb663b8505
SSDEEP

12288:WDIl5j/JEDC4z1EzPwSE5y4jE5O6txIwyiHzrEDS0:WDIl5AC1zYSE5yhjGniH3E

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3048	extracted_payload.exe

Loads dropped DLL 3 IoCs

pid	Process
1128	c056638ae3452cddf858121518abe039b2e75e6a4d4ba40fc27340ef5d1aeace.exe
1128	c056638ae3452cddf858121518abe039b2e75e6a4d4ba40fc27340ef5d1aeace.exe
2172	Process not Found

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	raw.githubusercontent.com
3	raw.githubusercontent.com

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1128 wrote to memory of 3048	1128	c056638ae3452cddf858121518abe039b2e75e6a4d4ba40fc27340ef5d1aeace.exe	30
PID 1128 wrote to memory of 3048	1128	c056638ae3452cddf858121518abe039b2e75e6a4d4ba40fc27340ef5d1aeace.exe	30
PID 1128 wrote to memory of 3048	1128	c056638ae3452cddf858121518abe039b2e75e6a4d4ba40fc27340ef5d1aeace.exe	30

C:\Users\Admin\AppData\Local\Temp\c056638ae3452cddf858121518abe039b2e75e6a4d4ba40fc27340ef5d1aeace.exe
"C:\Users\Admin\AppData\Local\Temp\c056638ae3452cddf858121518abe039b2e75e6a4d4ba40fc27340ef5d1aeace.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1128
- C:\Users\Admin\AppData\Local\Temp\extracted_payload.exe
  "C:\Users\Admin\AppData\Local\Temp\extracted_payload.exe"
  2⤵
  - Executes dropped EXE
  PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\extracted_payload.exe

Filesize
204KB

MD5
d45f2292784bc9e8a19d093e9950673f

SHA1
7c4e46b465680ef32ff55fc17916a5f4f6f9dbd5

SHA256
a2763124af5630502ace78bd406f0ff15ba6701b29fe38a6a3d60c1e65e9ce73

SHA512
a14cbac8377689b06c126c3ee71cc79c8b06e1650ecf0d29c7963425d1842dafb0fd6e1a66df1411cec487f6dcc5b696ee3d7a3f623773be61fd0b7a96646989

Download Submit