0d3a7744bb8258525d141c25376fd566b459a07e4415db302758c965105fad02

Analysis

max time kernel
142s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
03-02-2024 02:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8b1a2ef2b76d08c29302656a6376d742.exe
Size

771KB
MD5

8b1a2ef2b76d08c29302656a6376d742
SHA1

bea41846d23651ba1d554c47732199fd4ae2e2c4
SHA256

0d3a7744bb8258525d141c25376fd566b459a07e4415db302758c965105fad02
SHA512

16376e796d6d356dcf183d01faabca2264dd727b48a08671d08f30e3e47dd125ffa1561a424ab184d13a2474399d429f4659493996b650522594b46f2dfce1c7
SSDEEP

12288:S1inTsze1xByP44fS8Ac65PzJLniYZ/C9OFEIif0F6rerfrEhU8zFVMB:DTlYwWS8Ac2tvZWqEIz6qrfiTMB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
960	8b1a2ef2b76d08c29302656a6376d742.exe

Executes dropped EXE 1 IoCs

pid	Process
960	8b1a2ef2b76d08c29302656a6376d742.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
7	pastebin.com
8	pastebin.com

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2352	8b1a2ef2b76d08c29302656a6376d742.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2352	8b1a2ef2b76d08c29302656a6376d742.exe
960	8b1a2ef2b76d08c29302656a6376d742.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 960	2352	8b1a2ef2b76d08c29302656a6376d742.exe	83
PID 2352 wrote to memory of 960	2352	8b1a2ef2b76d08c29302656a6376d742.exe	83
PID 2352 wrote to memory of 960	2352	8b1a2ef2b76d08c29302656a6376d742.exe	83

C:\Users\Admin\AppData\Local\Temp\8b1a2ef2b76d08c29302656a6376d742.exe
"C:\Users\Admin\AppData\Local\Temp\8b1a2ef2b76d08c29302656a6376d742.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Users\Admin\AppData\Local\Temp\8b1a2ef2b76d08c29302656a6376d742.exe
  C:\Users\Admin\AppData\Local\Temp\8b1a2ef2b76d08c29302656a6376d742.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8b1a2ef2b76d08c29302656a6376d742.exe

Filesize
771KB

MD5
eba446cb3d4ae6b8330a0a7da1ad9694

SHA1
191616b74efbf6f8b2917411d1bf881b7ea48fc5

SHA256
30e1957861b8e2c95bde7ffd361759db0b08cf7f56718c45546123d285996da7

SHA512
9e6be18384ab07eba9520ff4e8d4fb8e2be055871073ec60e4ad2e231a53ba6f94ba9ba51f32a09d89fb3367fad99261c2f9ca8afcc55622e5adc5c355cf076e

Download Submit
memory/960-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/960-15-0x0000000001620000-0x0000000001686000-memory.dmp

Filesize
408KB

Download
memory/960-20-0x0000000004ED0000-0x0000000004F2F000-memory.dmp

Filesize
380KB

Download
memory/960-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/960-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/960-34-0x000000000B600000-0x000000000B63C000-memory.dmp

Filesize
240KB

Download
memory/960-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2352-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2352-1-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/2352-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2352-12-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download