3ebe33a72f5f93e9f3cb98c41164f3c3915adda7da334e5e928574dfc0cac5e0

Analysis

max time kernel
142s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
04/01/2024, 12:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

40d4a2556e43eac71a9e7ce1d4a76fe6.exe
Size

385KB
MD5

40d4a2556e43eac71a9e7ce1d4a76fe6
SHA1

77c34ac35884ea9f22b445705a60c4a85fd4f9a6
SHA256

3ebe33a72f5f93e9f3cb98c41164f3c3915adda7da334e5e928574dfc0cac5e0
SHA512

a966be9c26a837e942a1bd134b7dc55c5f06c49127de715f9b00a7a979d523608c4805168be79ec857b84b4f151145891529bd983755a8ff7ce13f3ad48e439f
SSDEEP

12288:S6w+lQKsLKJJAdnDRWoG3SllL7kNCtWTPB:Vw+lQCohG3slLRaB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4992	40d4a2556e43eac71a9e7ce1d4a76fe6.exe

Executes dropped EXE 1 IoCs

pid	Process
4992	40d4a2556e43eac71a9e7ce1d4a76fe6.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2664	40d4a2556e43eac71a9e7ce1d4a76fe6.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2664	40d4a2556e43eac71a9e7ce1d4a76fe6.exe
4992	40d4a2556e43eac71a9e7ce1d4a76fe6.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 4992	2664	40d4a2556e43eac71a9e7ce1d4a76fe6.exe	37
PID 2664 wrote to memory of 4992	2664	40d4a2556e43eac71a9e7ce1d4a76fe6.exe	37
PID 2664 wrote to memory of 4992	2664	40d4a2556e43eac71a9e7ce1d4a76fe6.exe	37

C:\Users\Admin\AppData\Local\Temp\40d4a2556e43eac71a9e7ce1d4a76fe6.exe
"C:\Users\Admin\AppData\Local\Temp\40d4a2556e43eac71a9e7ce1d4a76fe6.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Users\Admin\AppData\Local\Temp\40d4a2556e43eac71a9e7ce1d4a76fe6.exe
  C:\Users\Admin\AppData\Local\Temp\40d4a2556e43eac71a9e7ce1d4a76fe6.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:4992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\40d4a2556e43eac71a9e7ce1d4a76fe6.exe

Filesize
381KB

MD5
cab97f78ff1b7f69a0b4a1feb1edf289

SHA1
9b8ad56f81c8fa2341b6feeb3938a33b24e01f7b

SHA256
7a80e1edbf0e7445e7a548072fa076739e3a1c3fd5d03b813fdf1bbb7d9e5223

SHA512
09ac5901abb12983638378af594b94ae493c7db02b4ea0c1e6cf238ed5263155ca04266ed62c4b6322b27784d4672e939a2fb928ae05c548bd15940c7ed2f0b4

Download Submit
memory/2664-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2664-1-0x00000000015D0000-0x0000000001636000-memory.dmp

Filesize
408KB

Download
memory/2664-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2664-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4992-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4992-16-0x00000000015B0000-0x0000000001616000-memory.dmp

Filesize
408KB

Download
memory/4992-20-0x0000000004EE0000-0x0000000004F3F000-memory.dmp

Filesize
380KB

Download
memory/4992-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4992-32-0x000000000B600000-0x000000000B63C000-memory.dmp

Filesize
240KB

Download
memory/4992-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4992-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download