145232f1985f43ad9ddd62f94356021595fe8d11a225a18e980f0e637dfc04cc

Analysis

max time kernel
142s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
04/01/2024, 11:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

40b7fd74f56258a845275f8e58194e04.exe
Size

385KB
MD5

40b7fd74f56258a845275f8e58194e04
SHA1

6de988cfddea856b0cee77ebb66b10b3ffa8e4e0
SHA256

145232f1985f43ad9ddd62f94356021595fe8d11a225a18e980f0e637dfc04cc
SHA512

6ebdcd8daa82d135fac8890d5177ff3b740d4c1eb1f94d9ed475e6fdb6f07523265d52c72fe691cfcb296cb244cb9cc0315b2f071716665edb09e3266553f85e
SSDEEP

6144:D9HzHmWp7sucnJFRGQydsBvydPRhE5QAN/A/EyBRDJnv/r4RPeof2Dcu0Qd7cgrB:lzHvxcnVkshydPo21RDiR/Q+chrB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
5024	40b7fd74f56258a845275f8e58194e04.exe

Executes dropped EXE 1 IoCs

pid	Process
5024	40b7fd74f56258a845275f8e58194e04.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
624	40b7fd74f56258a845275f8e58194e04.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
624	40b7fd74f56258a845275f8e58194e04.exe
5024	40b7fd74f56258a845275f8e58194e04.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 624 wrote to memory of 5024	624	40b7fd74f56258a845275f8e58194e04.exe	29
PID 624 wrote to memory of 5024	624	40b7fd74f56258a845275f8e58194e04.exe	29
PID 624 wrote to memory of 5024	624	40b7fd74f56258a845275f8e58194e04.exe	29

C:\Users\Admin\AppData\Local\Temp\40b7fd74f56258a845275f8e58194e04.exe
"C:\Users\Admin\AppData\Local\Temp\40b7fd74f56258a845275f8e58194e04.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:624
- C:\Users\Admin\AppData\Local\Temp\40b7fd74f56258a845275f8e58194e04.exe
  C:\Users\Admin\AppData\Local\Temp\40b7fd74f56258a845275f8e58194e04.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:5024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\40b7fd74f56258a845275f8e58194e04.exe

Filesize
92KB

MD5
a928b3829521987e8609adf59efd1d05

SHA1
305ac50ce0e059b8f7f552ddc152558d29e5c4c2

SHA256
e6d3f9be634988b50a89ed0059bd844e310b618f25731e82169cc7a4cc24c211

SHA512
351760618b52dfbf41f090728c2dd94e9416dabf8d2d206b82a579453f8d465d599ba334645d048c71cf3dd6f02e4a3948ee36808c872768ec80c399f475fa96

Download Submit
memory/624-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/624-1-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/624-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/624-12-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/5024-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/5024-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5024-20-0x0000000001600000-0x000000000165F000-memory.dmp

Filesize
380KB

Download
memory/5024-15-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/5024-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/5024-35-0x000000000C640000-0x000000000C67C000-memory.dmp

Filesize
240KB

Download
memory/5024-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download