Analysis
max time kernel: 145s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/01/2024, 08:03
Static task: static1
Behavioral task: behavioral1
  Sample: 7f4fc1d5a6c57db4a63e7f45f1612f8c.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 7f4fc1d5a6c57db4a63e7f45f1612f8c.exe
  Resource: win10v2004-20231215-en
General
Target: 7f4fc1d5a6c57db4a63e7f45f1612f8c.exe
Size: 907KB
MD5: 7f4fc1d5a6c57db4a63e7f45f1612f8c
SHA1: 81254ccce5f9d767d04315dcbdda3aff36dac935
SHA256: aa1066322da98f5fe1a64b99010935cf42478fa1c2c27d4eef7d5099373c6721
SHA512: 45731924f3a401dd816bae3dc4367af661d49c0ff164e48a647ede966181f1322ea57e6197a5b22290c4416464d1e8cc406078f95c74edea522b6bd49a48d9b0
SSDEEP: 24576:Uut9edhaOIfwGE008eQtGnhJnv0+qRa/ZS1:U+odhCYGE00yQnbnbqgS
Malware Config
Signatures
Deletes itself (1 IoC)
  pid 1380, process 7f4fc1d5a6c57db4a63e7f45f1612f8c.exe
Executes dropped EXE (1 IoC)
  pid 1380, process 7f4fc1d5a6c57db4a63e7f45f1612f8c.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow 6, ioc pastebin.com
  flow 8, ioc pastebin.com
Suspicious behavior: RenamesItself (1 IoC)
  pid 3252, process 7f4fc1d5a6c57db4a63e7f45f1612f8c.exe
Suspicious use of UnmapMainImage (2 IoCs)
  pid 3252, process 7f4fc1d5a6c57db4a63e7f45f1612f8c.exe
  pid 1380, process 7f4fc1d5a6c57db4a63e7f45f1612f8c.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 3252 wrote to memory of 1380; pid 3252; process 7f4fc1d5a6c57db4a63e7f45f1612f8c.exe; procid_target 87
  description: PID 3252 wrote to memory of 1380; pid 3252; process 7f4fc1d5a6c57db4a63e7f45f1612f8c.exe; procid_target 87
  description: PID 3252 wrote to memory of 1380; pid 3252; process 7f4fc1d5a6c57db4a63e7f45f1612f8c.exe; procid_target 87
Processes
C:\Users\Admin\AppData\Local\Temp\7f4fc1d5a6c57db4a63e7f45f1612f8c.exe (tree level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\7f4fc1d5a6c57db4a63e7f45f1612f8c.exe"
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID: 3252
  C:\Users\Admin\AppData\Local\Temp\7f4fc1d5a6c57db4a63e7f45f1612f8c.exe (tree level 2, child of PID 3252)
    command line: C:\Users\Admin\AppData\Local\Temp\7f4fc1d5a6c57db4a63e7f45f1612f8c.exe
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
    PID: 1380
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 202KB
MD5: cbdddab07d790f8483389305506c615e
SHA1: 0a9117fd0a6b63355276b6e3d98d9abd86efd66b
SHA256: e1cbc5edce3b18c56765df06648d11f5440a3c4c6de2c8f39bef0caf47c5d626
SHA512: 53fb4e8b2982896879ca3a840aaeecd928b6188c9919251ae304031c1da7f9209a73e6673761a22f58415413bea865599970cbb436a0a3b57ff749d7e12349b0