5e6bc3a9d8c7f96fd8d2fa73726d9f6d0a39141d7a3398977c40cb58081f91c2

Analysis

max time kernel
88s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
27/01/2024, 08:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

79bac15fd0cb98600ca831073ec46437.exe
Size

771KB
MD5

79bac15fd0cb98600ca831073ec46437
SHA1

7931ce5bc05402e49f9225284490f56fe6f1175e
SHA256

5e6bc3a9d8c7f96fd8d2fa73726d9f6d0a39141d7a3398977c40cb58081f91c2
SHA512

8176e7fee10f20fcf2a646275a4b6cb673cf71ccc47dee2b43faafa34adbe71ddfc25bd2501bcacfbb21a996a588fd98b27f15f61a1ed64d805eb4769d75a98e
SSDEEP

12288:UXrhbAh+QHBtCOCKNJVogekNI0dhm9HoiesJqsERSJZSBlKlAh+Xlb10VHmDXTuT:Ubah+zOBeb10hJaothZ2/T6FBBB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2752	79bac15fd0cb98600ca831073ec46437.exe

Executes dropped EXE 1 IoCs

pid	Process
2752	79bac15fd0cb98600ca831073ec46437.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
3	pastebin.com
4	pastebin.com

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3272	79bac15fd0cb98600ca831073ec46437.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3272	79bac15fd0cb98600ca831073ec46437.exe
2752	79bac15fd0cb98600ca831073ec46437.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3272 wrote to memory of 2752	3272	79bac15fd0cb98600ca831073ec46437.exe	86
PID 3272 wrote to memory of 2752	3272	79bac15fd0cb98600ca831073ec46437.exe	86
PID 3272 wrote to memory of 2752	3272	79bac15fd0cb98600ca831073ec46437.exe	86

C:\Users\Admin\AppData\Local\Temp\79bac15fd0cb98600ca831073ec46437.exe
"C:\Users\Admin\AppData\Local\Temp\79bac15fd0cb98600ca831073ec46437.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3272
- C:\Users\Admin\AppData\Local\Temp\79bac15fd0cb98600ca831073ec46437.exe
  C:\Users\Admin\AppData\Local\Temp\79bac15fd0cb98600ca831073ec46437.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\79bac15fd0cb98600ca831073ec46437.exe

Filesize
771KB

MD5
74fe13b62509aef890dbb0fe00c67653

SHA1
e1924b37899f932c627ed675520b71a09b1f3bf1

SHA256
5e597a025b34e58c5f27d0dc55566b7b879a43ab9bd24939eca3f9f6ef00d420

SHA512
95a45e492e6bf782bd32dd9185c23f3243029d77a8d271dfc9313b04040736d4d7a32ade8cc21de8dee7aa3e7b5f5e5428c36b861ab9beaa8c2ab6c9993edbc3

Download Submit
memory/2752-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2752-20-0x0000000004EB0000-0x0000000004F0F000-memory.dmp

Filesize
380KB

Download
memory/2752-14-0x0000000000140000-0x00000000001A6000-memory.dmp

Filesize
408KB

Download
memory/2752-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2752-32-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2752-38-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2752-35-0x000000000C620000-0x000000000C65C000-memory.dmp

Filesize
240KB

Download
memory/3272-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3272-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3272-1-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/3272-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download