ed21b5336abc1eea31c28f4b7dc7b1d35942cf5b9cebba91184952b66bd24cce

Analysis

max time kernel
90s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
01/02/2024, 11:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

86caf6cff0b57b7ccfba57668c2a6023.exe
Size

907KB
MD5

86caf6cff0b57b7ccfba57668c2a6023
SHA1

268738f8a7e4360051cbe93e867244c96377ed1f
SHA256

ed21b5336abc1eea31c28f4b7dc7b1d35942cf5b9cebba91184952b66bd24cce
SHA512

ef75448ad5010b81abd48d75ae806a37734f8ebcfa49539e3551b9d2a384b461029f6932fe9dc876ba9d9946cabbade57e76352465a486cc4fd5a52314bcfc65
SSDEEP

24576:46gJRH9rfCaj2OOMl7qXGWwKHtDcLKhrt2Ya/ZS1:Hg5rxjNNP6ZKKhrttgS

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2756	86caf6cff0b57b7ccfba57668c2a6023.exe

Executes dropped EXE 1 IoCs

pid	Process
2756	86caf6cff0b57b7ccfba57668c2a6023.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	pastebin.com
5	pastebin.com

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3652	86caf6cff0b57b7ccfba57668c2a6023.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3652	86caf6cff0b57b7ccfba57668c2a6023.exe
2756	86caf6cff0b57b7ccfba57668c2a6023.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3652 wrote to memory of 2756	3652	86caf6cff0b57b7ccfba57668c2a6023.exe	86
PID 3652 wrote to memory of 2756	3652	86caf6cff0b57b7ccfba57668c2a6023.exe	86
PID 3652 wrote to memory of 2756	3652	86caf6cff0b57b7ccfba57668c2a6023.exe	86

C:\Users\Admin\AppData\Local\Temp\86caf6cff0b57b7ccfba57668c2a6023.exe
"C:\Users\Admin\AppData\Local\Temp\86caf6cff0b57b7ccfba57668c2a6023.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3652
- C:\Users\Admin\AppData\Local\Temp\86caf6cff0b57b7ccfba57668c2a6023.exe
  C:\Users\Admin\AppData\Local\Temp\86caf6cff0b57b7ccfba57668c2a6023.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\86caf6cff0b57b7ccfba57668c2a6023.exe

Filesize
907KB

MD5
3e0e553661c6b60affadc3f39ca77d5e

SHA1
4fe8c95bfad14c7771e9fdd499654ad4fdaf5224

SHA256
76389f8e0272193923508c3b3dff9d6f1978e8a2d7d5ec9f2f7c1d4776cecbf8

SHA512
16c4ee35ae42e0d58512be0518a97e7530e0f09e71ebf872ce0f9fb578d0e9727b4cb2714dd343d81c1d8b7832ff0c4614fe446ffedc4e1dc64510af7ba59878

Download Submit
memory/2756-13-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2756-15-0x0000000001820000-0x0000000001908000-memory.dmp

Filesize
928KB

Download
memory/2756-20-0x00000000050B0000-0x000000000516B000-memory.dmp

Filesize
748KB

Download
memory/2756-21-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2756-32-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2756-34-0x000000000D860000-0x000000000D8F8000-memory.dmp

Filesize
608KB

Download
memory/3652-0-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/3652-1-0x0000000001680000-0x0000000001768000-memory.dmp

Filesize
928KB

Download
memory/3652-2-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/3652-12-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download