8efb9462b6e24b09768e23bad7caa4abc7ad3de77c2c3c7a38ce13cfe27a1c2d

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/01/2024, 20:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7849fb21dc7e3553afd01b64fb4b57ab.exe
Size

907KB
MD5

7849fb21dc7e3553afd01b64fb4b57ab
SHA1

a262bab0fc8d3dc2e0ce6930e697caf926cd6b4d
SHA256

8efb9462b6e24b09768e23bad7caa4abc7ad3de77c2c3c7a38ce13cfe27a1c2d
SHA512

cd49e93e9b22a4d2fb0d2db4df5716ae6ac54c6b2d41f34b387a616714573ff4b5781e2499db10b1e12acc8d09653698c0a85c1acb2c3236376d77504db752d9
SSDEEP

24576:zJsnf+9+FB3fe2t/1d0dfE9ToYXfEOGa/ZS1:zsM4B39Eq7XsgS

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4240	7849fb21dc7e3553afd01b64fb4b57ab.exe

Executes dropped EXE 1 IoCs

pid	Process
4240	7849fb21dc7e3553afd01b64fb4b57ab.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	pastebin.com
7	pastebin.com

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3356	7849fb21dc7e3553afd01b64fb4b57ab.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3356	7849fb21dc7e3553afd01b64fb4b57ab.exe
4240	7849fb21dc7e3553afd01b64fb4b57ab.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3356 wrote to memory of 4240	3356	7849fb21dc7e3553afd01b64fb4b57ab.exe	23
PID 3356 wrote to memory of 4240	3356	7849fb21dc7e3553afd01b64fb4b57ab.exe	23
PID 3356 wrote to memory of 4240	3356	7849fb21dc7e3553afd01b64fb4b57ab.exe	23

C:\Users\Admin\AppData\Local\Temp\7849fb21dc7e3553afd01b64fb4b57ab.exe
"C:\Users\Admin\AppData\Local\Temp\7849fb21dc7e3553afd01b64fb4b57ab.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3356
- C:\Users\Admin\AppData\Local\Temp\7849fb21dc7e3553afd01b64fb4b57ab.exe
  C:\Users\Admin\AppData\Local\Temp\7849fb21dc7e3553afd01b64fb4b57ab.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:4240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7849fb21dc7e3553afd01b64fb4b57ab.exe

Filesize
124KB

MD5
2f0fdb0ef3bf7b1857131fbd57288b5e

SHA1
a5c9358a311e1c3529a9c9a98bbffbfe5081534a

SHA256
2d46bb412e1cac3812426e94fe8bd8c347993a08ab9aa074b4d0e951f8e366a5

SHA512
03212fa091969e8e058e34d4662709e35ef35b299b56e6a1cbcc2dc99a2ca4fa6e88a84e47958b5e460611f5fdaecb0a889f7f022b927f7e52a4178e66eeafd5

Download Submit
memory/3356-0-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/3356-1-0x00000000017B0000-0x0000000001898000-memory.dmp

Filesize
928KB

Download
memory/3356-2-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/3356-11-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/4240-13-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/4240-14-0x00000000016D0000-0x00000000017B8000-memory.dmp

Filesize
928KB

Download
memory/4240-21-0x0000000005190000-0x000000000524B000-memory.dmp

Filesize
748KB

Download
memory/4240-20-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/4240-30-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4240-33-0x000000000B800000-0x000000000B898000-memory.dmp

Filesize
608KB

Download