2d25249118a02cf29002a537534e150f4e178ac38303e5e1b13c3889d3dea6c4

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
04/02/2024, 05:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e554acd68c11a9be2ad1d1fd8084e98.exe
Size

771KB
MD5

8e554acd68c11a9be2ad1d1fd8084e98
SHA1

ef3d57088d971a07c95e2e5f648f67735b84ebd2
SHA256

2d25249118a02cf29002a537534e150f4e178ac38303e5e1b13c3889d3dea6c4
SHA512

ddc4f1a8cb9422d6d6ec9358edd4bf1bc2e860bff8fbbd640294edb5bc4bc16a12099c97994e2843cb4936844e36dbf32378135ce0290378895b96502c22356c
SSDEEP

24576:i5yGSxqCGd6sn4Wb10hJaothZ2/T6FBBB:fxDkF4Q/ofT

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3792	8e554acd68c11a9be2ad1d1fd8084e98.exe

Executes dropped EXE 1 IoCs

pid	Process
3792	8e554acd68c11a9be2ad1d1fd8084e98.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
7	pastebin.com
8	pastebin.com

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4272	8e554acd68c11a9be2ad1d1fd8084e98.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4272	8e554acd68c11a9be2ad1d1fd8084e98.exe
3792	8e554acd68c11a9be2ad1d1fd8084e98.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4272 wrote to memory of 3792	4272	8e554acd68c11a9be2ad1d1fd8084e98.exe	84
PID 4272 wrote to memory of 3792	4272	8e554acd68c11a9be2ad1d1fd8084e98.exe	84
PID 4272 wrote to memory of 3792	4272	8e554acd68c11a9be2ad1d1fd8084e98.exe	84

C:\Users\Admin\AppData\Local\Temp\8e554acd68c11a9be2ad1d1fd8084e98.exe
"C:\Users\Admin\AppData\Local\Temp\8e554acd68c11a9be2ad1d1fd8084e98.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4272
- C:\Users\Admin\AppData\Local\Temp\8e554acd68c11a9be2ad1d1fd8084e98.exe
  C:\Users\Admin\AppData\Local\Temp\8e554acd68c11a9be2ad1d1fd8084e98.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:3792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8e554acd68c11a9be2ad1d1fd8084e98.exe

Filesize
771KB

MD5
5b754dddf5775e9f81ece415b55505f0

SHA1
356b6a7b9a03759c9eed908c0892a95f0b8544b1

SHA256
9fc4673f78eea2b769eb8b886db6deee35faf493465631b22d3c0304c9f8b00b

SHA512
1963af9c9de188c90e34ed89c692c77ecada095637a80fcc9107f2e8715685e95db4e4dbf1a284fd3b6efd82b04ec52ddb5176ecb2e173bb2a59d24342b50ccf

Download Submit
memory/3792-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3792-15-0x00000000015F0000-0x0000000001656000-memory.dmp

Filesize
408KB

Download
memory/3792-20-0x0000000004E80000-0x0000000004EDF000-memory.dmp

Filesize
380KB

Download
memory/3792-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3792-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3792-34-0x000000000B600000-0x000000000B63C000-memory.dmp

Filesize
240KB

Download
memory/3792-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4272-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4272-1-0x0000000000170000-0x00000000001D6000-memory.dmp

Filesize
408KB

Download
memory/4272-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4272-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download