18a94429afec71391fb29cd521be06be165f8efdf2e9ead15fa184758d682dca

Analysis

max time kernel
89s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 20:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

756afa018ab060273c7e10a01b284b8e.exe
Size

385KB
MD5

756afa018ab060273c7e10a01b284b8e
SHA1

9fe886d85e768d76688cf458f0d986e9c8c247f5
SHA256

18a94429afec71391fb29cd521be06be165f8efdf2e9ead15fa184758d682dca
SHA512

e5384063c0a3990d0fffdbb1b965fd5b35ffd55bcc657e912cc46601ab4d15f6547ba9c120e559b926c6ea9da6f12a7a0d839cb863ea8ca32222f88d9510339b
SSDEEP

6144:YAy2Yk3aPgkX28CGdzHyhHII0AzlDi6jWuUZQYAhB:Yx2FY3GwDytII0Az4IpSahB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2972	756afa018ab060273c7e10a01b284b8e.exe

Executes dropped EXE 1 IoCs

pid	Process
2972	756afa018ab060273c7e10a01b284b8e.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
3	pastebin.com
4	pastebin.com

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3020	756afa018ab060273c7e10a01b284b8e.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3020	756afa018ab060273c7e10a01b284b8e.exe
2972	756afa018ab060273c7e10a01b284b8e.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 2972	3020	756afa018ab060273c7e10a01b284b8e.exe	87
PID 3020 wrote to memory of 2972	3020	756afa018ab060273c7e10a01b284b8e.exe	87
PID 3020 wrote to memory of 2972	3020	756afa018ab060273c7e10a01b284b8e.exe	87

C:\Users\Admin\AppData\Local\Temp\756afa018ab060273c7e10a01b284b8e.exe
"C:\Users\Admin\AppData\Local\Temp\756afa018ab060273c7e10a01b284b8e.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Users\Admin\AppData\Local\Temp\756afa018ab060273c7e10a01b284b8e.exe
  C:\Users\Admin\AppData\Local\Temp\756afa018ab060273c7e10a01b284b8e.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\756afa018ab060273c7e10a01b284b8e.exe

Filesize
269KB

MD5
88bf2e58dc404a4607875b9206d03aaf

SHA1
35ad0bec0ad71aa92387825060151887f7f40c78

SHA256
bce24965e9ecd4a45c8ec573057e2d2e8eed1d4bb52464bfb09f0ac54402cb21

SHA512
30e05c9d20d541259bfe2e2097ec1562252c810b4df1c18a926daaf209e7475ff07900c1442c90cf52d2fda1a439b5c8219e9d10e9141f030cfd375e5dd4588b

Download Submit
memory/2972-14-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2972-16-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/2972-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2972-20-0x0000000001620000-0x000000000167F000-memory.dmp

Filesize
380KB

Download
memory/2972-32-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2972-34-0x000000000C660000-0x000000000C69C000-memory.dmp

Filesize
240KB

Download
memory/2972-38-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3020-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3020-1-0x0000000000170000-0x00000000001D6000-memory.dmp

Filesize
408KB

Download
memory/3020-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3020-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download