7f4db985fb7c507710c3f027fb62f4f0fcf7f16089af53e2d6118c1960a1e5bc

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 23:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

440feb17fc2cc307d8708ce6732152a4.exe
Size

385KB
MD5

440feb17fc2cc307d8708ce6732152a4
SHA1

19b5a7881e07475dd7a5024991e5d1d8ac15fe71
SHA256

7f4db985fb7c507710c3f027fb62f4f0fcf7f16089af53e2d6118c1960a1e5bc
SHA512

a5a8abe3830a9261ba9b8aa1eeb6d86a03bb77be00726df653e07e4960492af9a71a2abd1fe0504c261b10aa422a0cab5d73ee920fc8140d5e598b52ebcb6afe
SSDEEP

6144:GXgY/LUEMawhM12KxSdOU5BI+4CbnsUG9XZ9KMhfksii6jWfMaH0O62fxbB:J8QiJ9U5CbCbns51ZMMhX6KfMa9z9B

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2264	440feb17fc2cc307d8708ce6732152a4.exe

Executes dropped EXE 1 IoCs

pid	Process
2264	440feb17fc2cc307d8708ce6732152a4.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
5048	440feb17fc2cc307d8708ce6732152a4.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
5048	440feb17fc2cc307d8708ce6732152a4.exe
2264	440feb17fc2cc307d8708ce6732152a4.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5048 wrote to memory of 2264	5048	440feb17fc2cc307d8708ce6732152a4.exe	90
PID 5048 wrote to memory of 2264	5048	440feb17fc2cc307d8708ce6732152a4.exe	90
PID 5048 wrote to memory of 2264	5048	440feb17fc2cc307d8708ce6732152a4.exe	90

C:\Users\Admin\AppData\Local\Temp\440feb17fc2cc307d8708ce6732152a4.exe
"C:\Users\Admin\AppData\Local\Temp\440feb17fc2cc307d8708ce6732152a4.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:5048
- C:\Users\Admin\AppData\Local\Temp\440feb17fc2cc307d8708ce6732152a4.exe
  C:\Users\Admin\AppData\Local\Temp\440feb17fc2cc307d8708ce6732152a4.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\440feb17fc2cc307d8708ce6732152a4.exe

Filesize
385KB

MD5
039b1eb8bb43f43c7b3bb8f17fd2e4a9

SHA1
8cd4a641b7291d585be1083d4bdad99576dcc348

SHA256
eb83bbcc028a3826c14cbc9c030367cbb093c8ec2555567e38ad5b2317340506

SHA512
ac11d9a8eff259b3d777ec0bac5a16578c5014e043b7ef6946a961d8281fa161bb12db50e382a4142b9673580b7eee40c6cec411fdb9f1cfde62632aaf79a0b9

Download Submit
memory/2264-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2264-14-0x0000000000140000-0x00000000001A6000-memory.dmp

Filesize
408KB

Download
memory/2264-20-0x0000000004E90000-0x0000000004EEF000-memory.dmp

Filesize
380KB

Download
memory/2264-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2264-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2264-33-0x000000000B600000-0x000000000B63C000-memory.dmp

Filesize
240KB

Download
memory/2264-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/5048-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/5048-1-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/5048-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/5048-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download