c51a8d7b7d05d0cf7344f2eb023c79686baff0dd0adbeb6469f123aeef6d3487

Analysis

max time kernel
151s
max time network
175s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
04/01/2024, 13:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

40f5870f8850b4b3133412b6c942fab4.exe
Size

907KB
MD5

40f5870f8850b4b3133412b6c942fab4
SHA1

ed9848f1c2cd47e40940ca63e24dded074d902aa
SHA256

c51a8d7b7d05d0cf7344f2eb023c79686baff0dd0adbeb6469f123aeef6d3487
SHA512

d4f1f26dace67cf48d49f8d6a3de7ddf84f863c48a36b2c12488a5bd41f0c334b2d65e12b208d7975a6ea4fefa5a9f8152379ebd6386528ad0bbab4b66aedb38
SSDEEP

12288:4Dvq3qIwR9QhiTUblZRHgFvbrGFuea9UpHQU4PISyjVDa/ZS1:4Di3qlfQhiIblHeou1KV6PIDa/ZS1

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3780	40f5870f8850b4b3133412b6c942fab4.exe

Executes dropped EXE 1 IoCs

pid	Process
3780	40f5870f8850b4b3133412b6c942fab4.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
412	40f5870f8850b4b3133412b6c942fab4.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
412	40f5870f8850b4b3133412b6c942fab4.exe
3780	40f5870f8850b4b3133412b6c942fab4.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 412 wrote to memory of 3780	412	40f5870f8850b4b3133412b6c942fab4.exe	93
PID 412 wrote to memory of 3780	412	40f5870f8850b4b3133412b6c942fab4.exe	93
PID 412 wrote to memory of 3780	412	40f5870f8850b4b3133412b6c942fab4.exe	93

C:\Users\Admin\AppData\Local\Temp\40f5870f8850b4b3133412b6c942fab4.exe
"C:\Users\Admin\AppData\Local\Temp\40f5870f8850b4b3133412b6c942fab4.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:412
- C:\Users\Admin\AppData\Local\Temp\40f5870f8850b4b3133412b6c942fab4.exe
  C:\Users\Admin\AppData\Local\Temp\40f5870f8850b4b3133412b6c942fab4.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:3780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\40f5870f8850b4b3133412b6c942fab4.exe

Filesize
907KB

MD5
343063a1158bfffb3e46cdce29d00ed3

SHA1
8ffb4db0b9d578cd6bc9b2980084aa9f9b663f35

SHA256
5dbe21bbd57cd65fded479df9f1e595019300f4f5951291d38ac1123c87fdafd

SHA512
0300fa518199f4ffd02c8bbaae43a1494e674ad8bac37722b1866ae2c7ed91eb6f3b05dc36bf3a0921181d46b7b841b2fb107874c4a3a4811a3da58984bb3584

Download Submit
memory/412-0-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/412-1-0x00000000016F0000-0x00000000017D8000-memory.dmp

Filesize
928KB

Download
memory/412-2-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/412-12-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/3780-13-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/3780-16-0x0000000001750000-0x0000000001838000-memory.dmp

Filesize
928KB

Download
memory/3780-20-0x00000000050E0000-0x000000000519B000-memory.dmp

Filesize
748KB

Download
memory/3780-21-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/3780-30-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3780-35-0x000000000C840000-0x000000000C8D8000-memory.dmp

Filesize
608KB

Download