d1b70362b6d33de52a60e5b3958069bc4cc1ab0c4b3a53f192237685ff0555b6

Analysis

max time kernel
88s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
04/02/2024, 12:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f2e37873134293113e5bb81c53d3dfe.exe
Size

907KB
MD5

8f2e37873134293113e5bb81c53d3dfe
SHA1

1af80bd5d27acb8049f7356577f55910bb51cae3
SHA256

d1b70362b6d33de52a60e5b3958069bc4cc1ab0c4b3a53f192237685ff0555b6
SHA512

289351db36a1768e62ae7717c0da3bf60df3ae8ea6cc19b84d0128d6d16deba8d48185d79fa57d0a73c603aaff2f59f4ed714c7fff67cf9a3c426287f07f7054
SSDEEP

12288:y3i5n3d/7FjQFYI3nCHJcecPr8C5g9ES1cvA1huus1rY8BnFVajVDa/ZS1:rB7Fsv8Cr8CNVzFVoa/ZS1

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3744	8f2e37873134293113e5bb81c53d3dfe.exe

Executes dropped EXE 1 IoCs

pid	Process
3744	8f2e37873134293113e5bb81c53d3dfe.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
5	pastebin.com
6	pastebin.com

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2592	8f2e37873134293113e5bb81c53d3dfe.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2592	8f2e37873134293113e5bb81c53d3dfe.exe
3744	8f2e37873134293113e5bb81c53d3dfe.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2592 wrote to memory of 3744	2592	8f2e37873134293113e5bb81c53d3dfe.exe	88
PID 2592 wrote to memory of 3744	2592	8f2e37873134293113e5bb81c53d3dfe.exe	88
PID 2592 wrote to memory of 3744	2592	8f2e37873134293113e5bb81c53d3dfe.exe	88

C:\Users\Admin\AppData\Local\Temp\8f2e37873134293113e5bb81c53d3dfe.exe
"C:\Users\Admin\AppData\Local\Temp\8f2e37873134293113e5bb81c53d3dfe.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2592
- C:\Users\Admin\AppData\Local\Temp\8f2e37873134293113e5bb81c53d3dfe.exe
  C:\Users\Admin\AppData\Local\Temp\8f2e37873134293113e5bb81c53d3dfe.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:3744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8f2e37873134293113e5bb81c53d3dfe.exe

Filesize
907KB

MD5
ceec6d46c9a5608662fb91f7a1fe3a80

SHA1
c3292b9e0e1983c0e525628dddc44c80df46d9f6

SHA256
0df96bc63b7ae9bf9bc0c9fa95c592643f954b80f089864ac84ce082192bcdbf

SHA512
e092148347d7773d092c7dc99254fb7d390d8f709e5b0ddab8d88ca63b9bf21f2bc285deac1d0d3a8e9954f8f7d745c2de15f2b25b2e20da6625d3ed18454e14

Download Submit
memory/2592-0-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2592-1-0x00000000017A0000-0x0000000001888000-memory.dmp

Filesize
928KB

Download
memory/2592-2-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2592-11-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/3744-15-0x0000000001670000-0x0000000001758000-memory.dmp

Filesize
928KB

Download
memory/3744-13-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/3744-20-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/3744-22-0x0000000005130000-0x00000000051EB000-memory.dmp

Filesize
748KB

Download
memory/3744-30-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3744-36-0x000000000B800000-0x000000000B898000-memory.dmp

Filesize
608KB

Download