bbbc06fd7a66c14a19d38af04c4d5b068d1b2c8895228a9b1bb5c7bdc4db6be1

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29/01/2024, 07:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f3f7502ef7c32a102b92ed123f8f565.exe
Size

385KB
MD5

7f3f7502ef7c32a102b92ed123f8f565
SHA1

238db619280b9c9a9b1a57a92912e165dc3d3fc6
SHA256

bbbc06fd7a66c14a19d38af04c4d5b068d1b2c8895228a9b1bb5c7bdc4db6be1
SHA512

58ee54e4865b257eb8139ec189eff0e43bbbc9dac65a89bde2b6c5cb1de1f16412209b93e6250cf4f313365b4d14e4a710e832f429d6224c440bbe886b75e62d
SSDEEP

12288:xgaDGzlQj0OOo50W88OWtKMsEEkJ/At1XTfWnUB:uaDmlQoFo2AOWtKMsuAt16UB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2248	7f3f7502ef7c32a102b92ed123f8f565.exe

Executes dropped EXE 1 IoCs

pid	Process
2248	7f3f7502ef7c32a102b92ed123f8f565.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
7	pastebin.com
8	pastebin.com

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3428	7f3f7502ef7c32a102b92ed123f8f565.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3428	7f3f7502ef7c32a102b92ed123f8f565.exe
2248	7f3f7502ef7c32a102b92ed123f8f565.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3428 wrote to memory of 2248	3428	7f3f7502ef7c32a102b92ed123f8f565.exe	83
PID 3428 wrote to memory of 2248	3428	7f3f7502ef7c32a102b92ed123f8f565.exe	83
PID 3428 wrote to memory of 2248	3428	7f3f7502ef7c32a102b92ed123f8f565.exe	83

C:\Users\Admin\AppData\Local\Temp\7f3f7502ef7c32a102b92ed123f8f565.exe
"C:\Users\Admin\AppData\Local\Temp\7f3f7502ef7c32a102b92ed123f8f565.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3428
- C:\Users\Admin\AppData\Local\Temp\7f3f7502ef7c32a102b92ed123f8f565.exe
  C:\Users\Admin\AppData\Local\Temp\7f3f7502ef7c32a102b92ed123f8f565.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7f3f7502ef7c32a102b92ed123f8f565.exe

Filesize
385KB

MD5
cd04029d3c121796cc5d28b378743e6b

SHA1
aabecffb931246013492977850565d573713ed4c

SHA256
4db0bf7f91b13d8333de105901fed890209bb2bbaf30bee6482edf97db13d6f5

SHA512
355bd13698c180da8498f3d24b70a0564bf24826bebaabcab8f28ae72db0419a5a68032b237b0c0702c89e1653d5c7aa3a74106040834e7c3bfe033db603d268

Download Submit
memory/2248-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2248-14-0x00000000014D0000-0x0000000001536000-memory.dmp

Filesize
408KB

Download
memory/2248-20-0x0000000004EC0000-0x0000000004F1F000-memory.dmp

Filesize
380KB

Download
memory/2248-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2248-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2248-34-0x000000000B600000-0x000000000B63C000-memory.dmp

Filesize
240KB

Download
memory/2248-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3428-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3428-1-0x0000000000160000-0x00000000001C6000-memory.dmp

Filesize
408KB

Download
memory/3428-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3428-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download