aa1066322da98f5fe1a64b99010935cf42478fa1c2c27d4eef7d5099373c6721

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29/01/2024, 08:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f4fc1d5a6c57db4a63e7f45f1612f8c.exe
Size

907KB
MD5

7f4fc1d5a6c57db4a63e7f45f1612f8c
SHA1

81254ccce5f9d767d04315dcbdda3aff36dac935
SHA256

aa1066322da98f5fe1a64b99010935cf42478fa1c2c27d4eef7d5099373c6721
SHA512

45731924f3a401dd816bae3dc4367af661d49c0ff164e48a647ede966181f1322ea57e6197a5b22290c4416464d1e8cc406078f95c74edea522b6bd49a48d9b0
SSDEEP

24576:Uut9edhaOIfwGE008eQtGnhJnv0+qRa/ZS1:U+odhCYGE00yQnbnbqgS

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1380	7f4fc1d5a6c57db4a63e7f45f1612f8c.exe

Executes dropped EXE 1 IoCs

pid	Process
1380	7f4fc1d5a6c57db4a63e7f45f1612f8c.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	pastebin.com
8	pastebin.com

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3252	7f4fc1d5a6c57db4a63e7f45f1612f8c.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3252	7f4fc1d5a6c57db4a63e7f45f1612f8c.exe
1380	7f4fc1d5a6c57db4a63e7f45f1612f8c.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3252 wrote to memory of 1380	3252	7f4fc1d5a6c57db4a63e7f45f1612f8c.exe	87
PID 3252 wrote to memory of 1380	3252	7f4fc1d5a6c57db4a63e7f45f1612f8c.exe	87
PID 3252 wrote to memory of 1380	3252	7f4fc1d5a6c57db4a63e7f45f1612f8c.exe	87

C:\Users\Admin\AppData\Local\Temp\7f4fc1d5a6c57db4a63e7f45f1612f8c.exe
"C:\Users\Admin\AppData\Local\Temp\7f4fc1d5a6c57db4a63e7f45f1612f8c.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3252
- C:\Users\Admin\AppData\Local\Temp\7f4fc1d5a6c57db4a63e7f45f1612f8c.exe
  C:\Users\Admin\AppData\Local\Temp\7f4fc1d5a6c57db4a63e7f45f1612f8c.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7f4fc1d5a6c57db4a63e7f45f1612f8c.exe

Filesize
202KB

MD5
cbdddab07d790f8483389305506c615e

SHA1
0a9117fd0a6b63355276b6e3d98d9abd86efd66b

SHA256
e1cbc5edce3b18c56765df06648d11f5440a3c4c6de2c8f39bef0caf47c5d626

SHA512
53fb4e8b2982896879ca3a840aaeecd928b6188c9919251ae304031c1da7f9209a73e6673761a22f58415413bea865599970cbb436a0a3b57ff749d7e12349b0

Download Submit
memory/1380-13-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1380-15-0x00000000015B0000-0x0000000001698000-memory.dmp

Filesize
928KB

Download
memory/1380-22-0x00000000050C0000-0x000000000517B000-memory.dmp

Filesize
748KB

Download
memory/1380-20-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1380-30-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1380-32-0x000000000B800000-0x000000000B898000-memory.dmp

Filesize
608KB

Download
memory/3252-0-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/3252-1-0x0000000001710000-0x00000000017F8000-memory.dmp

Filesize
928KB

Download
memory/3252-2-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/3252-12-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download