Analysis
max time kernel: 118s
max time network: 125s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 27/06/2024, 20:57
Static task: static1
Behavioral task: behavioral1
Sample: 40f1acb19b0b73560142a6924d4c5e31a53ef284ed92ecf8133b9174320e52fb.exe
Resource: win7-20240611-en
Behavioral task: behavioral2
Sample: 40f1acb19b0b73560142a6924d4c5e31a53ef284ed92ecf8133b9174320e52fb.exe
Resource: win10v2004-20240226-en
General
Target: 40f1acb19b0b73560142a6924d4c5e31a53ef284ed92ecf8133b9174320e52fb.exe
Size: 2.4MB
MD5: 8274d564cfe76ee9e82fca4ec5132134
SHA1: 796d6be60f49fa22944bf5499f3648965e3bf323
SHA256: 40f1acb19b0b73560142a6924d4c5e31a53ef284ed92ecf8133b9174320e52fb
SHA512: 27b37f4b321c5704def5a2f8ac54a7375dba07baef6c450cb279a70d0405af14c657e063e97cdcc8ca07f852dc43645cd7225bcb8af0191a628c4b32ee7ac119
SSDEEP: 49152:mm/cJ/XjKoC3m/g7grNZbNsm+kwjI4TT86lorVlyR0Wx:f+fW32nNZZshK4n86WrWDx
Malware Config
Signatures
Detects executables (downloaders) containing URLs to raw contents of a paste (2 IoCs)
resource | yara_rule
behavioral1/memory/1652-11-0x0000000000400000-0x00000000004A3000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
behavioral1/memory/1652-39-0x000000000D860000-0x000000000D903000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
Deletes itself (1 IoCs)
pid | Process
1652 | 40f1acb19b0b73560142a6924d4c5e31a53ef284ed92ecf8133b9174320e52fb.exe
Executes dropped EXE (1 IoCs)
pid | Process
1652 | 40f1acb19b0b73560142a6924d4c5e31a53ef284ed92ecf8133b9174320e52fb.exe
Loads dropped DLL (1 IoCs)
pid | Process
1152 | 40f1acb19b0b73560142a6924d4c5e31a53ef284ed92ecf8133b9174320e52fb.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
flow | ioc
3 | pastebin.com
4 | pastebin.com
Suspicious behavior: EnumeratesProcesses (1 IoCs)
pid | Process
1652 | 40f1acb19b0b73560142a6924d4c5e31a53ef284ed92ecf8133b9174320e52fb.exe
Suspicious behavior: RenamesItself (1 IoCs)
pid | Process
1152 | 40f1acb19b0b73560142a6924d4c5e31a53ef284ed92ecf8133b9174320e52fb.exe
Suspicious use of UnmapMainImage (1 IoCs)
pid | Process
1652 | 40f1acb19b0b73560142a6924d4c5e31a53ef284ed92ecf8133b9174320e52fb.exe
Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 1152 wrote to memory of 1652 | 1152 | 40f1acb19b0b73560142a6924d4c5e31a53ef284ed92ecf8133b9174320e52fb.exe | 29
PID 1152 wrote to memory of 1652 | 1152 | 40f1acb19b0b73560142a6924d4c5e31a53ef284ed92ecf8133b9174320e52fb.exe | 29
PID 1152 wrote to memory of 1652 | 1152 | 40f1acb19b0b73560142a6924d4c5e31a53ef284ed92ecf8133b9174320e52fb.exe | 29
PID 1152 wrote to memory of 1652 | 1152 | 40f1acb19b0b73560142a6924d4c5e31a53ef284ed92ecf8133b9174320e52fb.exe | 29
Processes
[1] C:\Users\Admin\AppData\Local\Temp\40f1acb19b0b73560142a6924d4c5e31a53ef284ed92ecf8133b9174320e52fb.exe (PID 1152)
    command line: "C:\Users\Admin\AppData\Local\Temp\40f1acb19b0b73560142a6924d4c5e31a53ef284ed92ecf8133b9174320e52fb.exe"
    - Loads dropped DLL
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
[2] (child of [1]) C:\Users\Admin\AppData\Local\Temp\40f1acb19b0b73560142a6924d4c5e31a53ef284ed92ecf8133b9174320e52fb.exe (PID 1652)
    command line: C:\Users\Admin\AppData\Local\Temp\40f1acb19b0b73560142a6924d4c5e31a53ef284ed92ecf8133b9174320e52fb.exe
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Enterprise v15
Downloads
\Users\Admin\AppData\Local\Temp\40f1acb19b0b73560142a6924d4c5e31a53ef284ed92ecf8133b9174320e52fb.exe
Filesize: 2.4MB
MD5: 60a73c6435577b117ee2b88036ee43c6
SHA1: ed122928713b0f9de9a50bd63c2e0ed661daf28a
SHA256: b7eb13f8306869958a82fc2628bde0d1432c8de37b62a7df9046ba0f11465d70
SHA512: 46d79cbc7afd4c037d11684d21731d5c86eb1d864e1e5f1f6cafc9df3d6b730b54ddc8432d88f16569b548764236d283fbf55701341e2dac53ccdee5f27817c4