7e4da520a3db5c10cb4f835488f9585c25a42872b6f4422a8711939f6eff63a4

Analysis

max time kernel
144s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
01-02-2024 08:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8660280e62243208195310b81329dc66.exe
Size

385KB
MD5

8660280e62243208195310b81329dc66
SHA1

608e95ec71a230d886ad96afaa557cb980f6dbaf
SHA256

7e4da520a3db5c10cb4f835488f9585c25a42872b6f4422a8711939f6eff63a4
SHA512

0619b0814dc09d4d35f81073f04affcfa012fcbc3e18925f1da8f9b97a6746a3be36dd7b6462396f62ad50cf712b622071daa77bb080a45a09d9d5197feac278
SSDEEP

6144:JuNJQJ0QYK+ymcrBGKs8SWdw6DlUQ4Mmaq5wzjRGQwEqHxP0Ntt8CsktlkFQokjB:qoFuFODlUQxmajzlGQw790Nj7VKFeB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
812	8660280e62243208195310b81329dc66.exe

Executes dropped EXE 1 IoCs

pid	Process
812	8660280e62243208195310b81329dc66.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	pastebin.com
8	pastebin.com

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1304	8660280e62243208195310b81329dc66.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1304	8660280e62243208195310b81329dc66.exe
812	8660280e62243208195310b81329dc66.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1304 wrote to memory of 812	1304	8660280e62243208195310b81329dc66.exe	84
PID 1304 wrote to memory of 812	1304	8660280e62243208195310b81329dc66.exe	84
PID 1304 wrote to memory of 812	1304	8660280e62243208195310b81329dc66.exe	84

C:\Users\Admin\AppData\Local\Temp\8660280e62243208195310b81329dc66.exe
"C:\Users\Admin\AppData\Local\Temp\8660280e62243208195310b81329dc66.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1304
- C:\Users\Admin\AppData\Local\Temp\8660280e62243208195310b81329dc66.exe
  C:\Users\Admin\AppData\Local\Temp\8660280e62243208195310b81329dc66.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8660280e62243208195310b81329dc66.exe

Filesize
385KB

MD5
931d4755bc0f0e7f26cc8ed3b5eef8f6

SHA1
f280a774f21d7b5293ee7c602c6678cd0b740818

SHA256
15044ad81dcaa4bed0838a507dc549d91851286fffb3f8cf1a3f40bcb1be2da0

SHA512
49b8af0a1ab02a0482ed27180c64b7ffa01db84c2cc9e9b2c8b90d9155b7895435491fcd6d9c8329fe7283d74aaee51f719fc32f6a5177091ea5a9a313415e5b

Download Submit
memory/812-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/812-14-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/812-20-0x0000000004E90000-0x0000000004EEF000-memory.dmp

Filesize
380KB

Download
memory/812-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/812-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/812-35-0x000000000C640000-0x000000000C67C000-memory.dmp

Filesize
240KB

Download
memory/812-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1304-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1304-1-0x00000000015D0000-0x0000000001636000-memory.dmp

Filesize
408KB

Download
memory/1304-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1304-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download