30446c619e62b7a5a16bbd3609b0f05acbab53465fa7b8c50028d3e85be15b1c

Analysis

max time kernel
139s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
01/02/2024, 04:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

85e75c48c211a4a2f20281ab7d3fa874.exe
Size

771KB
MD5

85e75c48c211a4a2f20281ab7d3fa874
SHA1

a2c26b4dc6fd529793aaf79297a247324e16cbc4
SHA256

30446c619e62b7a5a16bbd3609b0f05acbab53465fa7b8c50028d3e85be15b1c
SHA512

13c103cbee2a5c2344ec6ac942492164aa78f3e77a1076e47e85a916417b05798b520bdc4343d0a4007198680315fbdaa063e6d506cd9b544c2be5e9f73668f5
SSDEEP

12288:4AGiXeVtqi7qUGtdwAb10VHmDXTuFaa2AtyGTKOF25ZoJJyhRge8BpH9PVB:beDq0qURAb10hJaothZ2/T6FBBB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2296	85e75c48c211a4a2f20281ab7d3fa874.exe

Executes dropped EXE 1 IoCs

pid	Process
2296	85e75c48c211a4a2f20281ab7d3fa874.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
8	pastebin.com
9	pastebin.com

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4432	85e75c48c211a4a2f20281ab7d3fa874.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4432	85e75c48c211a4a2f20281ab7d3fa874.exe
2296	85e75c48c211a4a2f20281ab7d3fa874.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4432 wrote to memory of 2296	4432	85e75c48c211a4a2f20281ab7d3fa874.exe	83
PID 4432 wrote to memory of 2296	4432	85e75c48c211a4a2f20281ab7d3fa874.exe	83
PID 4432 wrote to memory of 2296	4432	85e75c48c211a4a2f20281ab7d3fa874.exe	83

C:\Users\Admin\AppData\Local\Temp\85e75c48c211a4a2f20281ab7d3fa874.exe
"C:\Users\Admin\AppData\Local\Temp\85e75c48c211a4a2f20281ab7d3fa874.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4432
- C:\Users\Admin\AppData\Local\Temp\85e75c48c211a4a2f20281ab7d3fa874.exe
  C:\Users\Admin\AppData\Local\Temp\85e75c48c211a4a2f20281ab7d3fa874.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\85e75c48c211a4a2f20281ab7d3fa874.exe

Filesize
771KB

MD5
53de0290e000d96f1b8bed0bb784bf40

SHA1
45411e9fbbd833f1683dfb580affa1aea43680fb

SHA256
2020a205b1f5235c5f882643c41c7ca3e87053fded036db162840d30555a36a3

SHA512
61d2d676240610511f23ce6a59260aa6e5be0c5ca3a653cc8fc391357a03160890da6e74b7e55fa01ff71d9690c254b9a75ed622a9823adf4078a27c3c0df41e

Download Submit
memory/2296-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2296-15-0x0000000001660000-0x00000000016C6000-memory.dmp

Filesize
408KB

Download
memory/2296-20-0x0000000004EB0000-0x0000000004F0F000-memory.dmp

Filesize
380KB

Download
memory/2296-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2296-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2296-31-0x000000000B600000-0x000000000B63C000-memory.dmp

Filesize
240KB

Download
memory/2296-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4432-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4432-1-0x0000000000170000-0x00000000001D6000-memory.dmp

Filesize
408KB

Download
memory/4432-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4432-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download