06661a5df77ec5461ad9f6e24bced5cd0682e8ae6cb43981e749dfa895c8244c

Analysis

max time kernel
136s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
02/02/2024, 17:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8a2506bff345f35bf743bc85898ff034.exe
Size

385KB
MD5

8a2506bff345f35bf743bc85898ff034
SHA1

ea279d0d841752a0200ff60337cfb9815bbad74f
SHA256

06661a5df77ec5461ad9f6e24bced5cd0682e8ae6cb43981e749dfa895c8244c
SHA512

9c3c66bd7d557116e6dd063aad2af93741ca6a9e7a7627e3a615b961204cd71b8dd87d5e4ae4f26a44de1d606e9e8d84dfd3b631697ed45e043d7bcab8282f40
SSDEEP

6144:PjbwMBTRcVfkmwhUentyNv7eSMxnnIqLhNkP+qzKrYUv5QBBOJDCC2s2CHEOn3tB:1ReIKenc7Cxnn3hu+frFv5QBkt9B

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4328	8a2506bff345f35bf743bc85898ff034.exe

Executes dropped EXE 1 IoCs

pid	Process
4328	8a2506bff345f35bf743bc85898ff034.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	pastebin.com
8	pastebin.com

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
224	8a2506bff345f35bf743bc85898ff034.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
224	8a2506bff345f35bf743bc85898ff034.exe
4328	8a2506bff345f35bf743bc85898ff034.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 224 wrote to memory of 4328	224	8a2506bff345f35bf743bc85898ff034.exe	84
PID 224 wrote to memory of 4328	224	8a2506bff345f35bf743bc85898ff034.exe	84
PID 224 wrote to memory of 4328	224	8a2506bff345f35bf743bc85898ff034.exe	84

C:\Users\Admin\AppData\Local\Temp\8a2506bff345f35bf743bc85898ff034.exe
"C:\Users\Admin\AppData\Local\Temp\8a2506bff345f35bf743bc85898ff034.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:224
- C:\Users\Admin\AppData\Local\Temp\8a2506bff345f35bf743bc85898ff034.exe
  C:\Users\Admin\AppData\Local\Temp\8a2506bff345f35bf743bc85898ff034.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:4328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8a2506bff345f35bf743bc85898ff034.exe

Filesize
385KB

MD5
fe0dcc469bc761a68b95dec7afe9fae8

SHA1
88a22b1a1667735d0210e20d6db77b538adc3501

SHA256
15ab737c48f12e8a9898cd953944ff12f3e290beeb5947482035c30eefa062a6

SHA512
60e838659dc30afe5396cb5bc7260f46a8d9810d0ba274378c8ab8deea36e0ef7555bc21af15cc363eadd214a3bea631c032f192d2c188f48313a45ad1b97191

Download Submit
memory/224-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/224-1-0x00000000015A0000-0x0000000001606000-memory.dmp

Filesize
408KB

Download
memory/224-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/224-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4328-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4328-14-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/4328-20-0x00000000015D0000-0x000000000162F000-memory.dmp

Filesize
380KB

Download
memory/4328-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4328-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4328-35-0x000000000C640000-0x000000000C67C000-memory.dmp

Filesize
240KB

Download
memory/4328-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download