3e0565304c1d7e1c8600717fd11c1163b4ab7d301ec049d8d229c087ab5d093f

Analysis

max time kernel
134s
max time network
171s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
04-01-2024 16:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41641f4bb96a9497adf5d09716f77b49.exe
Size

385KB
MD5

41641f4bb96a9497adf5d09716f77b49
SHA1

1e5613d2657991e6821939d68e65bbea16e0dfa5
SHA256

3e0565304c1d7e1c8600717fd11c1163b4ab7d301ec049d8d229c087ab5d093f
SHA512

e9abb8b52f42d3e3d778a5cc45adc205187717051ac8d3a98a499e13a6ddbcff4942eefdb07dd2dbd9b3c5d2980a1f5a9a0c2dad3373a9cf46f5b1aae30cb998
SSDEEP

6144:8M+tr5yvCR+gIyhFsstw1okjvd0Bp/hXuoLuakhN5FdDuDB:wr8vo+gFF+5vd0XVTLuasNpDuDB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4508	41641f4bb96a9497adf5d09716f77b49.exe

Executes dropped EXE 1 IoCs

pid	Process
4508	41641f4bb96a9497adf5d09716f77b49.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3752	41641f4bb96a9497adf5d09716f77b49.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3752	41641f4bb96a9497adf5d09716f77b49.exe
4508	41641f4bb96a9497adf5d09716f77b49.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3752 wrote to memory of 4508	3752	41641f4bb96a9497adf5d09716f77b49.exe	92
PID 3752 wrote to memory of 4508	3752	41641f4bb96a9497adf5d09716f77b49.exe	92
PID 3752 wrote to memory of 4508	3752	41641f4bb96a9497adf5d09716f77b49.exe	92

C:\Users\Admin\AppData\Local\Temp\41641f4bb96a9497adf5d09716f77b49.exe
"C:\Users\Admin\AppData\Local\Temp\41641f4bb96a9497adf5d09716f77b49.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3752
- C:\Users\Admin\AppData\Local\Temp\41641f4bb96a9497adf5d09716f77b49.exe
  C:\Users\Admin\AppData\Local\Temp\41641f4bb96a9497adf5d09716f77b49.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:4508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\41641f4bb96a9497adf5d09716f77b49.exe

Filesize
385KB

MD5
21130d09bf4fa986858d8da3a8efa3d7

SHA1
0d875fb7a17f35fee8f3fcdd68477d4edbea3120

SHA256
c7f4bbf310f0f6341ca52c19335e1f39636bd9eb675edbf79cc29d0aca06ae26

SHA512
02fe21514c48b32f263d10f322b028f5f0ff3d1417f84d290489e92c172908bddab442c1200a81ee498ed1db25bd8e65bcbfe3569207c19671c7ef5f36386eda

Download Submit
memory/3752-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3752-1-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/3752-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3752-12-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4508-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4508-15-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/4508-20-0x0000000004EC0000-0x0000000004F1F000-memory.dmp

Filesize
380KB

Download
memory/4508-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4508-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4508-32-0x000000000C640000-0x000000000C67C000-memory.dmp

Filesize
240KB

Download
memory/4508-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download