6dae85febacbe70d20b6e966353d5eabda4ac257155554cdbf02bec6ee5468c4

Analysis

max time kernel
89s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
03-02-2024 05:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8b8d346afabdb64f144ccee9d67c49dd.exe
Size

385KB
MD5

8b8d346afabdb64f144ccee9d67c49dd
SHA1

3083f56c499c9c523376bccd7908a0e702b6ead6
SHA256

6dae85febacbe70d20b6e966353d5eabda4ac257155554cdbf02bec6ee5468c4
SHA512

e04bbc4b28c7cb6c836f7364a70ae53d92529a5de81e59ae14362cd8ef2ba5edcad521c60503164d61e08301e962516c05497411ccde7f1110faa3dcd2e3b201
SSDEEP

6144:5inok8sNpilF9UziIvyUfAkMh2GRoTFY+8GDcphIVqAIrlQWFK3o0svRqZvN69PG:5iokHwlF93iDfDFHL8GwhwjILULB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3852	8b8d346afabdb64f144ccee9d67c49dd.exe

Executes dropped EXE 1 IoCs

pid	Process
3852	8b8d346afabdb64f144ccee9d67c49dd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
3	pastebin.com
4	pastebin.com

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2928	8b8d346afabdb64f144ccee9d67c49dd.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2928	8b8d346afabdb64f144ccee9d67c49dd.exe
3852	8b8d346afabdb64f144ccee9d67c49dd.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2928 wrote to memory of 3852	2928	8b8d346afabdb64f144ccee9d67c49dd.exe	87
PID 2928 wrote to memory of 3852	2928	8b8d346afabdb64f144ccee9d67c49dd.exe	87
PID 2928 wrote to memory of 3852	2928	8b8d346afabdb64f144ccee9d67c49dd.exe	87

C:\Users\Admin\AppData\Local\Temp\8b8d346afabdb64f144ccee9d67c49dd.exe
"C:\Users\Admin\AppData\Local\Temp\8b8d346afabdb64f144ccee9d67c49dd.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2928
- C:\Users\Admin\AppData\Local\Temp\8b8d346afabdb64f144ccee9d67c49dd.exe
  C:\Users\Admin\AppData\Local\Temp\8b8d346afabdb64f144ccee9d67c49dd.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:3852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8b8d346afabdb64f144ccee9d67c49dd.exe

Filesize
256KB

MD5
98be0f94c0b760ff2185c6ab70593dc5

SHA1
cadb5692931fe21e69d78abef8fff7c804556716

SHA256
befb7c26d58fc724231213b6a684a5d0f3524d982d1095d8400d891ac38e1f66

SHA512
140e080e7dea292141ddac59f3d140382a269afaa69c42dbd35b63c48d3c0cbde6b94f736ce58945c164f2d936aa4bc3e4fc451fd8eacf5613cea01d59c5b4fc

Download Submit
memory/2928-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2928-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2928-1-0x00000000014D0000-0x0000000001536000-memory.dmp

Filesize
408KB

Download
memory/2928-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3852-14-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3852-16-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/3852-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3852-20-0x0000000001600000-0x000000000165F000-memory.dmp

Filesize
380KB

Download
memory/3852-33-0x000000000B620000-0x000000000B65C000-memory.dmp

Filesize
240KB

Download
memory/3852-32-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3852-38-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download