a5259cd6bdec5567ffdc4f1b7e8ef5b6764ee9ebb69cca23d0b91530b5dd5dc7

Analysis

max time kernel
88s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
28/01/2024, 13:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7d3a7017efd5ad34d2eae6c785805eb8.exe
Size

385KB
MD5

7d3a7017efd5ad34d2eae6c785805eb8
SHA1

bd5f82f81e3e33df79c398562c337e6428511d21
SHA256

a5259cd6bdec5567ffdc4f1b7e8ef5b6764ee9ebb69cca23d0b91530b5dd5dc7
SHA512

3691fbbb54de3d852f7b9feb59e178bef0ed723457c85282b7b103e686660bf1c175dd531fbcca90d23d4d1d0f45d75c4037e0218d55318c5ff9a00c72642cc0
SSDEEP

12288:2WJDRVrmRRiNIvKWGDFyk6FtztrTIqdQtXNi/ETueB:ZDvqKGqQk6FLrEqdQt9i/GueB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4548	7d3a7017efd5ad34d2eae6c785805eb8.exe

Executes dropped EXE 1 IoCs

pid	Process
4548	7d3a7017efd5ad34d2eae6c785805eb8.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	pastebin.com
5	pastebin.com

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1464	7d3a7017efd5ad34d2eae6c785805eb8.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1464	7d3a7017efd5ad34d2eae6c785805eb8.exe
4548	7d3a7017efd5ad34d2eae6c785805eb8.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1464 wrote to memory of 4548	1464	7d3a7017efd5ad34d2eae6c785805eb8.exe	84
PID 1464 wrote to memory of 4548	1464	7d3a7017efd5ad34d2eae6c785805eb8.exe	84
PID 1464 wrote to memory of 4548	1464	7d3a7017efd5ad34d2eae6c785805eb8.exe	84

C:\Users\Admin\AppData\Local\Temp\7d3a7017efd5ad34d2eae6c785805eb8.exe
"C:\Users\Admin\AppData\Local\Temp\7d3a7017efd5ad34d2eae6c785805eb8.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1464
- C:\Users\Admin\AppData\Local\Temp\7d3a7017efd5ad34d2eae6c785805eb8.exe
  C:\Users\Admin\AppData\Local\Temp\7d3a7017efd5ad34d2eae6c785805eb8.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:4548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7d3a7017efd5ad34d2eae6c785805eb8.exe

Filesize
385KB

MD5
8256185abc5d399d9e1e0b09856d2a55

SHA1
da00834784855495762989f53fafe380a96bbe7f

SHA256
546eea3435b1edc9893f1d1eb48c50695170b1a29faeded1ffe2171efc034058

SHA512
039e4b154a342a6cad758e52a2aecaf7af2d2274b4f6eaaac9c5e9e4478ec329636b4d97d9f73001d37f5799726a353dd48cb79b9349979cc2e486a82845d1c4

Download Submit
memory/1464-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1464-1-0x00000000014D0000-0x0000000001536000-memory.dmp

Filesize
408KB

Download
memory/1464-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1464-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4548-16-0x0000000000140000-0x00000000001A6000-memory.dmp

Filesize
408KB

Download
memory/4548-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4548-26-0x0000000004E90000-0x0000000004EEF000-memory.dmp

Filesize
380KB

Download
memory/4548-20-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4548-32-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4548-35-0x000000000C620000-0x000000000C65C000-memory.dmp

Filesize
240KB

Download
memory/4548-38-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download