d21751556aa42fab53b17a196f85cebe3c077900c4a435a011f0c7b246ba1101

Analysis

max time kernel
87s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
01/02/2024, 10:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

86b42971b2ff27569006b24f34395768.exe
Size

385KB
MD5

86b42971b2ff27569006b24f34395768
SHA1

ff28393cee82d65410198410b6871919134a2878
SHA256

d21751556aa42fab53b17a196f85cebe3c077900c4a435a011f0c7b246ba1101
SHA512

68b1abe4979bf8fcf8e84b7246d6dda15acab7769c5ec3ebec881407ef5a016def5249457d7f5a92758e13d79a2010163e0e1fb2a9d73093dff9005594f11353
SSDEEP

6144:LyjN+WXYXVxkwcrIFbzb/ph3hai/9BC88WITIjd1Dwi3y2HjWG/ue6QB:mh92VOBrsph3l/9BUB0RyGy+jW2EQB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3512	86b42971b2ff27569006b24f34395768.exe

Executes dropped EXE 1 IoCs

pid	Process
3512	86b42971b2ff27569006b24f34395768.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
5	pastebin.com
8	pastebin.com

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3864	86b42971b2ff27569006b24f34395768.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3864	86b42971b2ff27569006b24f34395768.exe
3512	86b42971b2ff27569006b24f34395768.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3864 wrote to memory of 3512	3864	86b42971b2ff27569006b24f34395768.exe	87
PID 3864 wrote to memory of 3512	3864	86b42971b2ff27569006b24f34395768.exe	87
PID 3864 wrote to memory of 3512	3864	86b42971b2ff27569006b24f34395768.exe	87

C:\Users\Admin\AppData\Local\Temp\86b42971b2ff27569006b24f34395768.exe
"C:\Users\Admin\AppData\Local\Temp\86b42971b2ff27569006b24f34395768.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3864
- C:\Users\Admin\AppData\Local\Temp\86b42971b2ff27569006b24f34395768.exe
  C:\Users\Admin\AppData\Local\Temp\86b42971b2ff27569006b24f34395768.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:3512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\86b42971b2ff27569006b24f34395768.exe

Filesize
385KB

MD5
791b45c72f9d2e60befbe31964b9282f

SHA1
fb318fda2b4d47fdec394f65a408546b183373ba

SHA256
b30f9f8db3c23fc9f8deff1806254ae4d0fcddab7c679c202f4db154fc67eb92

SHA512
4cdad7953b75c9bee81dc73a42ff632c87b3f8b22335ed9bfe554b0b96b19ef699ef5c01949fdcf2bc7aa1679d75e8c29d1d69af9534acc805c102ba21b94c63

Download Submit
memory/3512-14-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3512-17-0x0000000000160000-0x00000000001C6000-memory.dmp

Filesize
408KB

Download
memory/3512-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3512-20-0x0000000004F00000-0x0000000004F5F000-memory.dmp

Filesize
380KB

Download
memory/3512-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3512-35-0x000000000B600000-0x000000000B63C000-memory.dmp

Filesize
240KB

Download
memory/3512-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3864-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3864-1-0x00000000015A0000-0x0000000001606000-memory.dmp

Filesize
408KB

Download
memory/3864-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3864-12-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download