9a1797532650f19aa40b0726b0d452dd13cb8af46851515671248c18e1188a18

Analysis

max time kernel
143s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
03/02/2024, 22:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8d83452877db6c082eca35276f169676.exe
Size

385KB
MD5

8d83452877db6c082eca35276f169676
SHA1

a9900804272f2320d8eff3d37ae6b8ba15b980a6
SHA256

9a1797532650f19aa40b0726b0d452dd13cb8af46851515671248c18e1188a18
SHA512

bc4bcfa72f12099adb31143b9affdd703d851f474f4afd1630060e06239a90bee013b41709965f46afa93485925fdd749d9a793e9cd2338c00baf15fb8a7cf72
SSDEEP

12288:FepfH8rhRJ12qgmoFJUeqW67wFYISvqPB:mfc1RJxMUeqh7LISvOB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
376	8d83452877db6c082eca35276f169676.exe

Executes dropped EXE 1 IoCs

pid	Process
376	8d83452877db6c082eca35276f169676.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
8	pastebin.com
9	pastebin.com

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4696	8d83452877db6c082eca35276f169676.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4696	8d83452877db6c082eca35276f169676.exe
376	8d83452877db6c082eca35276f169676.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4696 wrote to memory of 376	4696	8d83452877db6c082eca35276f169676.exe	84
PID 4696 wrote to memory of 376	4696	8d83452877db6c082eca35276f169676.exe	84
PID 4696 wrote to memory of 376	4696	8d83452877db6c082eca35276f169676.exe	84

C:\Users\Admin\AppData\Local\Temp\8d83452877db6c082eca35276f169676.exe
"C:\Users\Admin\AppData\Local\Temp\8d83452877db6c082eca35276f169676.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4696
- C:\Users\Admin\AppData\Local\Temp\8d83452877db6c082eca35276f169676.exe
  C:\Users\Admin\AppData\Local\Temp\8d83452877db6c082eca35276f169676.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8d83452877db6c082eca35276f169676.exe

Filesize
385KB

MD5
e7eec50aa7f247a8a4fcdb129101c730

SHA1
43f80fd08299e016f9b96ee5a6ce2ce36cd90bfe

SHA256
eec52143209c762aec1765c7d46689fccb95f76072756f70cc2f74994ed12735

SHA512
e076b2dd755828796b51a1f04aea13114b6389ee289f3c9e9a3228b74dcecba351c6e4d07996bacfbde32113075c6dee481a28a0b8d8174e989c8d29d7dd4b61

Download Submit
memory/376-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/376-14-0x0000000001600000-0x0000000001666000-memory.dmp

Filesize
408KB

Download
memory/376-20-0x0000000004E90000-0x0000000004EEF000-memory.dmp

Filesize
380KB

Download
memory/376-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/376-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/376-31-0x000000000C640000-0x000000000C67C000-memory.dmp

Filesize
240KB

Download
memory/376-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4696-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4696-1-0x0000000001540000-0x00000000015A6000-memory.dmp

Filesize
408KB

Download
memory/4696-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4696-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download