aa372ecaadcaebd5946a73a788fec72f1771fbb37498b2279ca66071e7be683c

Analysis

max time kernel
88s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
03/02/2024, 16:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8cd67ef73162dc271ccdc7875386c005.exe
Size

385KB
MD5

8cd67ef73162dc271ccdc7875386c005
SHA1

172d564d5ac49e73ab72b0e6bd10e5a59ee05770
SHA256

aa372ecaadcaebd5946a73a788fec72f1771fbb37498b2279ca66071e7be683c
SHA512

72b2deb64b0e4cf3063ba13d2afd3900354da994a0f45b52ef06df24c15aaabd323d1013706e8a003bff871a84ca391021aad0228f559bbbeb316348c1dfdc59
SSDEEP

12288:bIKmVv98Tn+EJJ5WYuke5RXlhXz/CI5qHJqB:b+VFi+EJvZukePH5mJqB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
632	8cd67ef73162dc271ccdc7875386c005.exe

Executes dropped EXE 1 IoCs

pid	Process
632	8cd67ef73162dc271ccdc7875386c005.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
5	pastebin.com
4	pastebin.com

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4712	8cd67ef73162dc271ccdc7875386c005.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4712	8cd67ef73162dc271ccdc7875386c005.exe
632	8cd67ef73162dc271ccdc7875386c005.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4712 wrote to memory of 632	4712	8cd67ef73162dc271ccdc7875386c005.exe	28
PID 4712 wrote to memory of 632	4712	8cd67ef73162dc271ccdc7875386c005.exe	28
PID 4712 wrote to memory of 632	4712	8cd67ef73162dc271ccdc7875386c005.exe	28

C:\Users\Admin\AppData\Local\Temp\8cd67ef73162dc271ccdc7875386c005.exe
"C:\Users\Admin\AppData\Local\Temp\8cd67ef73162dc271ccdc7875386c005.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4712
- C:\Users\Admin\AppData\Local\Temp\8cd67ef73162dc271ccdc7875386c005.exe
  C:\Users\Admin\AppData\Local\Temp\8cd67ef73162dc271ccdc7875386c005.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8cd67ef73162dc271ccdc7875386c005.exe

Filesize
385KB

MD5
4f836379b54d7f10b679f5ef9542e2d5

SHA1
78c43c1969277288ba4d8021daaf0a0c24aea7e6

SHA256
d3ba6f8188058304fbae927e71beb441fde6bb49530dfb640cff1cdac71d0679

SHA512
1da2cbf9e9a15e21e3d38e20a546cdaf7c5eb20efcd47ff56f36845f4b71730cc322c149970e66db982bb6b3fd3c86e21977832e3b3b9fc05d3495c7415bd718

Download Submit
memory/632-14-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/632-17-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/632-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/632-20-0x00000000015E0000-0x000000000163F000-memory.dmp

Filesize
380KB

Download
memory/632-32-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/632-38-0x000000000C620000-0x000000000C65C000-memory.dmp

Filesize
240KB

Download
memory/632-37-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4712-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4712-1-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/4712-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4712-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download