cbcb54a5038720bfef2b6d31f910ab5d79ba871ba3fb5fa86d6f25def1ea9354

General

Target

40a6754ab06d1512f9ec39c1a05da2ba.exe
Size

4.2MB
MD5

40a6754ab06d1512f9ec39c1a05da2ba
SHA1

46bd3a361f6a0790e94f12256d482eca5c8d258c
SHA256

cbcb54a5038720bfef2b6d31f910ab5d79ba871ba3fb5fa86d6f25def1ea9354
SHA512

a5e6b4037e2ac2b89032af56cfa7f875ca364b4d7645708ee3c26dff6e9a41a07bbaf126df6451b2fa28d32169b253af747c60c1ddc4a1115935c162a5c0556e
SSDEEP

98304:oXB4uluJRmMg6QWlIpgi0rHqsih/mCqJ4B4ulud:ovsJR0TW6yiIKRhzqOsd

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2024	4M3FZ.exe

Executes dropped EXE 1 IoCs

pid	Process
2024	4M3FZ.exe

Loads dropped DLL 2 IoCs

pid	Process
2004	40a6754ab06d1512f9ec39c1a05da2ba.exe
2024	4M3FZ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2004	40a6754ab06d1512f9ec39c1a05da2ba.exe
Token: 0	2004	40a6754ab06d1512f9ec39c1a05da2ba.exe
Token: SeDebugPrivilege	2024	4M3FZ.exe
Token: 0	2024	4M3FZ.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 2024	2004	40a6754ab06d1512f9ec39c1a05da2ba.exe	28
PID 2004 wrote to memory of 2024	2004	40a6754ab06d1512f9ec39c1a05da2ba.exe	28
PID 2004 wrote to memory of 2024	2004	40a6754ab06d1512f9ec39c1a05da2ba.exe	28
PID 2024 wrote to memory of 2740	2024	4M3FZ.exe	29
PID 2024 wrote to memory of 2740	2024	4M3FZ.exe	29
PID 2024 wrote to memory of 2740	2024	4M3FZ.exe	29

C:\Users\Admin\AppData\Local\Temp\40a6754ab06d1512f9ec39c1a05da2ba.exe
"C:\Users\Admin\AppData\Local\Temp\40a6754ab06d1512f9ec39c1a05da2ba.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Users\Admin\AppData\Local\Temp\4M3FZ.exe
  "C:\Users\Admin\AppData\Local\Temp\4M3FZ.exe" -Continue|"C:\Users\Admin\AppData\Local\Temp\40a6754ab06d1512f9ec39c1a05da2ba.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2024 -s 940
    3⤵
    PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4M3FZ.exe

Filesize
160KB

MD5
0231c0f6c855cd9f2d4c850255a8362a

SHA1
abce55b19eeda5ae7720f9776fa76217ea5cd501

SHA256
a999ce0c131aa3a51ac00d2d880bcdfe7a3938f98ba87db80e38c36ca63f19d9

SHA512
68cc7b60def91dfd0e21a4f5d939d6ec46e55d6ec2815353ec874b900410e749c277964aa8519f8211a64a48b7f567fe79b00f9295c18576147b6207ab4dcc58

Download Submit
C:\Users\Admin\AppData\Local\Temp\4M3FZ.exe

Filesize
239KB

MD5
efd8804e23080bc48417cb76cbdb6f4e

SHA1
3537fd64dcc2d69fec7f41eeb3135f9c3cae8c2c

SHA256
5327d1af75118856937a6a1fe69a3c1b81ed5d1a6deba3d156a4e9a570fb4fa4

SHA512
401d0dfb9fd72437683a6f5cc132179689df8378f69972ae37815d5e5827411ac0f6138d2923fa754e1e253f48fda46dc092dce26cd8ee23fff5a191cc3c6b1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DIH\VAC.zip

Filesize
13KB

MD5
5a8e8dedf1d910c79defff5638978d07

SHA1
bfab518af8a53f02c4f98fc321aa0984a208686c

SHA256
d5bf8619a6f47e74aceb629da039f25493b0b8fb2f892bda2b32bd68c0cf8893

SHA512
7acfc4d0bde75a518f394319c8cd6743d36eb7ebcdcd26eeae2fb59ead70bb8b4d2fb29be93c89b529775f8a407a9bcd6e4d2a2955c03b15f2880ff9aa61a519

Download Submit
C:\Users\Admin\AppData\Local\Temp\ScintillaNET\3.6.3\x64\SciLexer.dll

Filesize
172KB

MD5
989810b306886b036f6725bc3f54a42a

SHA1
fc1783ebb818b42c136e62cb743daf0dbe41daf5

SHA256
0fbb1d70ed267cd1f15d0762603cdbbd37d785b9398a794b3c40809a62d0bede

SHA512
44e9ee1ffc7e40fef3671f0492fbbe8cfa70a0d1077e0eb262379cd2d9c11d97db5f23cf607d6d1689ad66634ba400bba2b07648c5516438ac5cd6bff102873c

Download Submit
\Users\Admin\AppData\Local\Temp\ScintillaNET\3.6.3\x64\SciLexer.dll

Filesize
134KB

MD5
afdb77ee17491595174ddb6ca9416139

SHA1
7db9fe57eb7e0a959321a9b2599601266f87c6f7

SHA256
312710ed39e4e5189755c056803ee5a13cdc27f3f7d37c946b4acdc990095db7

SHA512
6f56ae794726e84530e5f46905d616f2d9741e9853856f03b420b8b919e14f90a6fd9772add4e30cefead1817af839b3592ab86c0dc62497c4fd23c5a86ea80d

Download Submit
\Users\Admin\AppData\Local\Temp\ScintillaNET\3.6.3\x64\SciLexer.dll

Filesize
17KB

MD5
b1443d26478ffdffee69eb7c0eb09245

SHA1
f9deb25b7db849ead6423d1e744a867c74c580b5

SHA256
6e7bb0bcbdcc4ddfe64656ed38896e1a3b4b3d35047d38278f75eb00f315c027

SHA512
ed62fe95af6ec7540854cd22dd89fc7e753a5ae86c58871eeb82ac95b1cd1fb8703684589717bfa32993b2791eeab4bb671c4926b0d45738ee12e5ac462826bb

Download Submit
memory/2004-1-0x000007FEF5160000-0x000007FEF5B4C000-memory.dmp

Filesize
9.9MB

Download
memory/2004-0-0x00000000008F0000-0x0000000000D26000-memory.dmp

Filesize
4.2MB

Download
memory/2004-10-0x000000001B3B0000-0x000000001B430000-memory.dmp

Filesize
512KB

Download
memory/2004-11-0x000000001B3B0000-0x000000001B430000-memory.dmp

Filesize
512KB

Download
memory/2004-2-0x000000001B3B0000-0x000000001B430000-memory.dmp

Filesize
512KB

Download
memory/2004-6-0x000000001B3B0000-0x000000001B430000-memory.dmp

Filesize
512KB

Download
memory/2004-3-0x000000001B050000-0x000000001B130000-memory.dmp

Filesize
896KB

Download
memory/2004-25-0x000007FEF5160000-0x000007FEF5B4C000-memory.dmp

Filesize
9.9MB

Download
memory/2004-4-0x0000000000820000-0x0000000000862000-memory.dmp

Filesize
264KB

Download
memory/2004-5-0x000000001C800000-0x000000001C954000-memory.dmp

Filesize
1.3MB

Download
memory/2024-26-0x000007FEF5160000-0x000007FEF5B4C000-memory.dmp

Filesize
9.9MB

Download
memory/2024-29-0x0000000000B40000-0x0000000000BC0000-memory.dmp

Filesize
512KB

Download
memory/2024-32-0x0000000000B40000-0x0000000000BC0000-memory.dmp

Filesize
512KB

Download
memory/2024-33-0x0000000000B40000-0x0000000000BC0000-memory.dmp

Filesize
512KB

Download
memory/2024-24-0x0000000000D90000-0x00000000011C6000-memory.dmp

Filesize
4.2MB

Download
memory/2024-28-0x0000000000510000-0x0000000000552000-memory.dmp

Filesize
264KB

Download
memory/2024-27-0x0000000000B40000-0x0000000000BC0000-memory.dmp

Filesize
512KB

Download
memory/2024-35-0x000007FEF5160000-0x000007FEF5B4C000-memory.dmp

Filesize
9.9MB

Download
memory/2024-36-0x0000000000B40000-0x0000000000BC0000-memory.dmp

Filesize
512KB

Download
memory/2024-37-0x0000000000B40000-0x0000000000BC0000-memory.dmp

Filesize
512KB

Download
memory/2024-38-0x0000000000B40000-0x0000000000BC0000-memory.dmp

Filesize
512KB

Download
memory/2024-39-0x0000000000B40000-0x0000000000BC0000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing