562b89b879c49197748741f56550765e946f831a2b28b7f204e3494b778d5fa7

Analysis

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
03/02/2024, 14:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8c8a2aff7a7d59e886f1670373dcb8b7.exe
Size

385KB
MD5

8c8a2aff7a7d59e886f1670373dcb8b7
SHA1

940045568512b8cbb5997fb338a18c2b0a8b003c
SHA256

562b89b879c49197748741f56550765e946f831a2b28b7f204e3494b778d5fa7
SHA512

fa9e84d6bf3a604ad3ce6e5d54edd4dcf622857881e4ea29f5c5d1f8eaf532230d15c8dad8c4ed4f3af33b0269e9d3c544851b52e1bd4f8f082228536423d1d1
SSDEEP

12288:mi6XDScKDzY1XcG/hquZdb/q1Vh//zZ+ZtM09hQ6iGPmmfIB4eXCqnFAXl4B:oWcEOX9/gw/yVhzmte6immdol4B

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1552	8c8a2aff7a7d59e886f1670373dcb8b7.exe

Executes dropped EXE 1 IoCs

pid	Process
1552	8c8a2aff7a7d59e886f1670373dcb8b7.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
8	pastebin.com
9	pastebin.com

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3232	8c8a2aff7a7d59e886f1670373dcb8b7.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3232	8c8a2aff7a7d59e886f1670373dcb8b7.exe
1552	8c8a2aff7a7d59e886f1670373dcb8b7.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3232 wrote to memory of 1552	3232	8c8a2aff7a7d59e886f1670373dcb8b7.exe	84
PID 3232 wrote to memory of 1552	3232	8c8a2aff7a7d59e886f1670373dcb8b7.exe	84
PID 3232 wrote to memory of 1552	3232	8c8a2aff7a7d59e886f1670373dcb8b7.exe	84

C:\Users\Admin\AppData\Local\Temp\8c8a2aff7a7d59e886f1670373dcb8b7.exe
"C:\Users\Admin\AppData\Local\Temp\8c8a2aff7a7d59e886f1670373dcb8b7.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3232
- C:\Users\Admin\AppData\Local\Temp\8c8a2aff7a7d59e886f1670373dcb8b7.exe
  C:\Users\Admin\AppData\Local\Temp\8c8a2aff7a7d59e886f1670373dcb8b7.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8c8a2aff7a7d59e886f1670373dcb8b7.exe

Filesize
385KB

MD5
4ce8d4a9ac9119c2a1af7873a7b9bbf1

SHA1
b39283bc54bd42e7178e4cd8bcfd918d69742e1d

SHA256
613bb23051765ca49a424b73c06b41f54379f7ebf65427e33a616f2b1dc12d94

SHA512
28b73c7f0dd2de3820da97791175fedafabac9b5fe86c9ac9cf74cb5e8b4f860ed67868692360c815ba6238232b7054785775587ce0425f7a7728c8cda90c987

Download Submit
memory/1552-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1552-15-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/1552-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1552-20-0x0000000004EA0000-0x0000000004EFF000-memory.dmp

Filesize
380KB

Download
memory/1552-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1552-34-0x000000000C640000-0x000000000C67C000-memory.dmp

Filesize
240KB

Download
memory/1552-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3232-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3232-1-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/3232-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3232-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download