cbd7ff3a99d442becd3400adce44a38a9a4f1eaf5114465b54dd02d0c092d54c

Analysis

max time kernel
88s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
03/02/2024, 00:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8aea5b422c068c97527d822817677e28.exe
Size

385KB
MD5

8aea5b422c068c97527d822817677e28
SHA1

7cc45fa57c2470660d59af2aecad4e37810734cb
SHA256

cbd7ff3a99d442becd3400adce44a38a9a4f1eaf5114465b54dd02d0c092d54c
SHA512

8c5bb0a3c8e8983032621301a41d6241c93f490e97a489ad0e4ba099de612f8c42a2cfe2c35f759b097a6cd392fe8a65cc9b6b154a0e0e5c4c27ae3cd50a052a
SSDEEP

12288:EM6jwMdhR1ZyHXU3qrDUJRvhCiSKr1X9VBok1B:P6jPh/Zyk3SgJ1giScNXok1B

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1220	8aea5b422c068c97527d822817677e28.exe

Executes dropped EXE 1 IoCs

pid	Process
1220	8aea5b422c068c97527d822817677e28.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
3	pastebin.com
4	pastebin.com

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1516	8aea5b422c068c97527d822817677e28.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1516	8aea5b422c068c97527d822817677e28.exe
1220	8aea5b422c068c97527d822817677e28.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1516 wrote to memory of 1220	1516	8aea5b422c068c97527d822817677e28.exe	88
PID 1516 wrote to memory of 1220	1516	8aea5b422c068c97527d822817677e28.exe	88
PID 1516 wrote to memory of 1220	1516	8aea5b422c068c97527d822817677e28.exe	88

C:\Users\Admin\AppData\Local\Temp\8aea5b422c068c97527d822817677e28.exe
"C:\Users\Admin\AppData\Local\Temp\8aea5b422c068c97527d822817677e28.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1516
- C:\Users\Admin\AppData\Local\Temp\8aea5b422c068c97527d822817677e28.exe
  C:\Users\Admin\AppData\Local\Temp\8aea5b422c068c97527d822817677e28.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8aea5b422c068c97527d822817677e28.exe

Filesize
385KB

MD5
089c0bb765f9222179539e011d9d7758

SHA1
fb4146a44d15dc5c2878ee76150ff9c0e9f6741c

SHA256
ccde07e2229c9d39dc4f9dfaf1c57c83697a0225595fe791cc6bcfca5d54ac09

SHA512
193ab3d824fd9313fe25fd37c7a788de4b8cd72fc01ef7db46a58f1c18b89ab05e12c03a3c4348b6154e4fbf6af8dfbe26f6d8a8254194704b21b3db84bd5b86

Download Submit
memory/1220-14-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1220-16-0x00000000015E0000-0x0000000001646000-memory.dmp

Filesize
408KB

Download
memory/1220-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1220-20-0x0000000004E80000-0x0000000004EDF000-memory.dmp

Filesize
380KB

Download
memory/1220-32-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1220-38-0x000000000C620000-0x000000000C65C000-memory.dmp

Filesize
240KB

Download
memory/1220-37-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1516-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1516-1-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/1516-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1516-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download