Overview

overview

7

Static

static

3

9145a662cd...ff.exe

windows7-x64

7

9145a662cd...ff.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    118s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags

    arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
  • submitted
    14/11/2023, 18:53 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9145a662cdc0852938e3366cce182a3c5aca4ec219cf4fd639133189e34940ff.exe

  • Size

    1.5MB

  • MD5

    ac27881462e78236a394e70186e17963

  • SHA1

    bdb09935c11d5685c7de01d80e50252508d4c855

  • SHA256

    9145a662cdc0852938e3366cce182a3c5aca4ec219cf4fd639133189e34940ff

  • SHA512

    a1afd123dca6a5087952484f3602c694f9f7fe3074120a6cce95f8dcef4ba6cf9d561f3a75a2e6704f11ea163f7b168ffbe5069fdfc34f31e488b5a1a2839629

  • SSDEEP

    24576:glMKg390bwMij7ep/Jxny4AZ+M5w8UEP3lQULa/ZSC77Lv+f6T8AN7a0PRI4ust5:glPBiXenxnypZc0QULgRbP77a4usjFuS

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Modifies system certificate store 2 TTPs 3 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9145a662cdc0852938e3366cce182a3c5aca4ec219cf4fd639133189e34940ff.exe
    "C:\Users\Admin\AppData\Local\Temp\9145a662cdc0852938e3366cce182a3c5aca4ec219cf4fd639133189e34940ff.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:2252
    • C:\Users\Admin\AppData\Local\Temp\9145a662cdc0852938e3366cce182a3c5aca4ec219cf4fd639133189e34940ff.exe
      C:\Users\Admin\AppData\Local\Temp\9145a662cdc0852938e3366cce182a3c5aca4ec219cf4fd639133189e34940ff.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of UnmapMainImage
      PID:2312

Network

  • flag-us
    DNS
    pastebin.com
    9145a662cdc0852938e3366cce182a3c5aca4ec219cf4fd639133189e34940ff.exe
    Remote address:
    8.8.8.8:53
    Request
    pastebin.com
    IN A
    Response
    pastebin.com
    IN A
    104.20.68.143
    pastebin.com
    IN A
    172.67.34.170
    pastebin.com
    IN A
    104.20.67.143
  • flag-us
    GET
    https://pastebin.com/raw/AqndxJKK
    9145a662cdc0852938e3366cce182a3c5aca4ec219cf4fd639133189e34940ff.exe
    Remote address:
    104.20.68.143:443
    Request
    GET /raw/AqndxJKK HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
    Host: pastebin.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 404 Not Found
    Date: Tue, 14 Nov 2023 19:06:22 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    x-frame-options: DENY
    x-frame-options: DENY
    x-content-type-options: nosniff
    x-content-type-options: nosniff
    x-xss-protection: 1;mode=block
    x-xss-protection: 1;mode=block
    cache-control: public, max-age=1801
    CF-Cache-Status: HIT
    Age: 909
    Server: cloudflare
    CF-RAY: 82618803be77b8d9-AMS
  • 104.20.68.143:443
    https://pastebin.com/raw/AqndxJKK
    tls, http
    9145a662cdc0852938e3366cce182a3c5aca4ec219cf4fd639133189e34940ff.exe
    933 B
     4.3kB
     10
    9

    HTTP Request

    GET https://pastebin.com/raw/AqndxJKK

    HTTP Response

    404
  • 8.8.8.8:53
    pastebin.com
    dns
    9145a662cdc0852938e3366cce182a3c5aca4ec219cf4fd639133189e34940ff.exe
    58 B
     106 B
     1
    1

    DNS Request

    pastebin.com

    DNS Response

    104.20.68.143
    172.67.34.170
    104.20.67.143

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\9145a662cdc0852938e3366cce182a3c5aca4ec219cf4fd639133189e34940ff.exe
    Filesize

    1.5MB

    MD5

    a255d18f28a1452d9835cef33c84ca6d

    SHA1

    2888d79dde1a4a3ac24e1d05db192b3be73f5365

    SHA256

    e6d7efa32d2c04a9464b63b803705810f7834a9ecd11eb9aabc23ef3165a91c5

    SHA512

    9e8808e693e97142542c86101ee4576689cee663a6ab6f2b1d48e621bd50ec2d491fef285f3add34900fe01db6757bafdcaedc3de55e8cb1efafeaa64b3763a1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Cab4F2B.tmp
    Filesize

    61KB

    MD5

    f3441b8572aae8801c04f3060b550443

    SHA1

    4ef0a35436125d6821831ef36c28ffaf196cda15

    SHA256

    6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

    SHA512

    5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar4F5D.tmp
    Filesize

    163KB

    MD5

    9441737383d21192400eca82fda910ec

    SHA1

    725e0d606a4fc9ba44aa8ffde65bed15e65367e4

    SHA256

    bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

    SHA512

    7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

    Download Submit

  • \Users\Admin\AppData\Local\Temp\9145a662cdc0852938e3366cce182a3c5aca4ec219cf4fd639133189e34940ff.exe
    Filesize

    1.5MB

    MD5

    a255d18f28a1452d9835cef33c84ca6d

    SHA1

    2888d79dde1a4a3ac24e1d05db192b3be73f5365

    SHA256

    e6d7efa32d2c04a9464b63b803705810f7834a9ecd11eb9aabc23ef3165a91c5

    SHA512

    9e8808e693e97142542c86101ee4576689cee663a6ab6f2b1d48e621bd50ec2d491fef285f3add34900fe01db6757bafdcaedc3de55e8cb1efafeaa64b3763a1

    Download Submit

  • memory/2252-0-0x0000000000400000-0x00000000004E4000-memory.dmp

    Filesize

    912KB

    Download

  • memory/2252-7-0x0000000000400000-0x00000000004E4000-memory.dmp

    Filesize

    912KB

    Download

  • memory/2312-9-0x0000000000400000-0x00000000004E4000-memory.dmp

    Filesize

    912KB

    Download

  • memory/2312-11-0x0000000002FA0000-0x0000000003084000-memory.dmp

    Filesize

    912KB

    Download

  • memory/2312-10-0x0000000000400000-0x00000000004A3000-memory.dmp

    Filesize

    652KB

    Download

  • memory/2312-64-0x0000000000400000-0x0000000000443000-memory.dmp

    Filesize

    268KB

    Download

  • memory/2312-66-0x000000000EF90000-0x000000000F033000-memory.dmp

    Filesize

    652KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.