7cbae27236ed1d9ab9bd4125ce469ffc36e8f462dd0f52e6135d9784f4922554

Analysis

max time kernel
140s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
29/01/2024, 02:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ea4dac4bbdbba6b1a5f3c71dc565a1d.exe
Size

385KB
MD5

7ea4dac4bbdbba6b1a5f3c71dc565a1d
SHA1

338f23abe67944da5c35fe457a3d5bddb77e8116
SHA256

7cbae27236ed1d9ab9bd4125ce469ffc36e8f462dd0f52e6135d9784f4922554
SHA512

9a9799c3022e4d5dd2f31d2d6b985f71b1ccd39360365ecd7d6702a9150b7ab00c82e907040d3948cc322e242a7599dabe622df9416e0f08efc4b2567211cd92
SSDEEP

12288:GcP8Pk3tCNkBkPI8osjpBW7kP3N+97ZKuCvnvHof0rPdOt1nltqyxmZkkp7NcmHw:G28Pk3tCCBkQ8osFB2kP3N+97EuCvnvc

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3596	7ea4dac4bbdbba6b1a5f3c71dc565a1d.exe

Executes dropped EXE 1 IoCs

pid	Process
3596	7ea4dac4bbdbba6b1a5f3c71dc565a1d.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
3	pastebin.com
4	pastebin.com

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3688	7ea4dac4bbdbba6b1a5f3c71dc565a1d.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3688	7ea4dac4bbdbba6b1a5f3c71dc565a1d.exe
3596	7ea4dac4bbdbba6b1a5f3c71dc565a1d.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3688 wrote to memory of 3596	3688	7ea4dac4bbdbba6b1a5f3c71dc565a1d.exe	87
PID 3688 wrote to memory of 3596	3688	7ea4dac4bbdbba6b1a5f3c71dc565a1d.exe	87
PID 3688 wrote to memory of 3596	3688	7ea4dac4bbdbba6b1a5f3c71dc565a1d.exe	87

C:\Users\Admin\AppData\Local\Temp\7ea4dac4bbdbba6b1a5f3c71dc565a1d.exe
"C:\Users\Admin\AppData\Local\Temp\7ea4dac4bbdbba6b1a5f3c71dc565a1d.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3688
- C:\Users\Admin\AppData\Local\Temp\7ea4dac4bbdbba6b1a5f3c71dc565a1d.exe
  C:\Users\Admin\AppData\Local\Temp\7ea4dac4bbdbba6b1a5f3c71dc565a1d.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:3596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ea4dac4bbdbba6b1a5f3c71dc565a1d.exe

Filesize
385KB

MD5
f52e8ff1ef42fd812a95fe3d3321d674

SHA1
491443c4c81adad6c545937c2cc0f6d48793abcd

SHA256
c4cdb2cd3a09090238354ed258d5bda6b05b6bb5e6b000d17ee1cd9c787f5644

SHA512
d3efdf6f8e25e98169b3d9503e9b53ed7d68ea8fa499b1cc730011728ed1f4afebbc0e3ce03baa6197d12c0b5920671f54689387fadad3eb332454fcafecb706

Download Submit
memory/3596-14-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3596-16-0x0000000000190000-0x00000000001F6000-memory.dmp

Filesize
408KB

Download
memory/3596-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3596-20-0x0000000004EA0000-0x0000000004EFF000-memory.dmp

Filesize
380KB

Download
memory/3596-32-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3596-38-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3596-37-0x000000000C620000-0x000000000C65C000-memory.dmp

Filesize
240KB

Download
memory/3688-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3688-1-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/3688-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3688-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download