c73d76731831d1c0eae3f7dcf83548e4536daa46f83b232c0e4c69791ba8324c

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
01/02/2024, 06:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8624bb62621e239b597ebd519ab37f26.exe
Size

385KB
MD5

8624bb62621e239b597ebd519ab37f26
SHA1

dc3ed9b7e59cb6d3dc9e09fcdefa388b233adba4
SHA256

c73d76731831d1c0eae3f7dcf83548e4536daa46f83b232c0e4c69791ba8324c
SHA512

5110e9ef79a5fdfd86a8bed8d8b78ce824492997de78511bd1d8a5ffb464ad751a01f311a96c67138fd97227d574e7853fc1aef1e7d5e1387e629d157bd69337
SSDEEP

6144:m3u/HCL8/qYzaJHNJR5F42Cl9LdrY70dd0gQSY7D2tlufFGyKjqi2TB:m3uqsqq2HNJR53GBrYwX0gQKllnjqrTB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1448	8624bb62621e239b597ebd519ab37f26.exe

Executes dropped EXE 1 IoCs

pid	Process
1448	8624bb62621e239b597ebd519ab37f26.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	pastebin.com
7	pastebin.com

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1520	8624bb62621e239b597ebd519ab37f26.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1520	8624bb62621e239b597ebd519ab37f26.exe
1448	8624bb62621e239b597ebd519ab37f26.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 1448	1520	8624bb62621e239b597ebd519ab37f26.exe	83
PID 1520 wrote to memory of 1448	1520	8624bb62621e239b597ebd519ab37f26.exe	83
PID 1520 wrote to memory of 1448	1520	8624bb62621e239b597ebd519ab37f26.exe	83

C:\Users\Admin\AppData\Local\Temp\8624bb62621e239b597ebd519ab37f26.exe
"C:\Users\Admin\AppData\Local\Temp\8624bb62621e239b597ebd519ab37f26.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Users\Admin\AppData\Local\Temp\8624bb62621e239b597ebd519ab37f26.exe
  C:\Users\Admin\AppData\Local\Temp\8624bb62621e239b597ebd519ab37f26.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8624bb62621e239b597ebd519ab37f26.exe

Filesize
385KB

MD5
1a1fd989a6ae14762d5d62b29876f56d

SHA1
cd51643da6d19bdd4c5968e24bcf4ff04b72a1c5

SHA256
558b90503f023349d2c1c1d1560522b0b2c7270481bd808ff6060fc8e0848874

SHA512
49b3ea36d94eb0084962152a8df60a920d8ba7b8b4a6c41d4db7e5fc5446462e91b65930580207b2e02af092b88d40caf7346dcaf55f581e0fa8e15eab1bd4f6

Download Submit
memory/1448-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1448-16-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/1448-20-0x0000000004F20000-0x0000000004F7F000-memory.dmp

Filesize
380KB

Download
memory/1448-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1448-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1448-31-0x000000000C640000-0x000000000C67C000-memory.dmp

Filesize
240KB

Download
memory/1448-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1520-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1520-1-0x00000000015F0000-0x0000000001656000-memory.dmp

Filesize
408KB

Download
memory/1520-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1520-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download