2add8a21046d66aca9627c3a4247d35478670ffc2659dd78eb24f9d176f49b76

Analysis

max time kernel
89s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
04/02/2024, 15:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f7cb4b894bf01641e7094705758572e.exe
Size

385KB
MD5

8f7cb4b894bf01641e7094705758572e
SHA1

3092a091881536a4d99bd17aaaf256821af937d3
SHA256

2add8a21046d66aca9627c3a4247d35478670ffc2659dd78eb24f9d176f49b76
SHA512

32155d7d30b3baee6d40032c62cccc694e0f116e27647d59f23d97bc763e334410fbc9923eb9ef49ec85340e785793647051d8af3d62953ea1d9771e7d3015f0
SSDEEP

6144:/m5V5DcpkeeZQs5iZJSTVv4qFjiAk6XajXE+FgFIf+ZIhWqL7Z6rG/fbQs6svwTB:u5VZk/wwmOj7gFImzo7QwxvwTB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
900	8f7cb4b894bf01641e7094705758572e.exe

Executes dropped EXE 1 IoCs

pid	Process
900	8f7cb4b894bf01641e7094705758572e.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	pastebin.com
3	pastebin.com

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
100	8f7cb4b894bf01641e7094705758572e.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
100	8f7cb4b894bf01641e7094705758572e.exe
900	8f7cb4b894bf01641e7094705758572e.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 100 wrote to memory of 900	100	8f7cb4b894bf01641e7094705758572e.exe	87
PID 100 wrote to memory of 900	100	8f7cb4b894bf01641e7094705758572e.exe	87
PID 100 wrote to memory of 900	100	8f7cb4b894bf01641e7094705758572e.exe	87

C:\Users\Admin\AppData\Local\Temp\8f7cb4b894bf01641e7094705758572e.exe
"C:\Users\Admin\AppData\Local\Temp\8f7cb4b894bf01641e7094705758572e.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:100
- C:\Users\Admin\AppData\Local\Temp\8f7cb4b894bf01641e7094705758572e.exe
  C:\Users\Admin\AppData\Local\Temp\8f7cb4b894bf01641e7094705758572e.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8f7cb4b894bf01641e7094705758572e.exe

Filesize
385KB

MD5
d23feb94e68521e5e620459204935ee9

SHA1
c134b954a9224dc77f78d1013cd04e3bf49e4441

SHA256
12df27790441eed9eaf2c3a9f5a4cc0665395674de0992d06af5b599ab92fc59

SHA512
f0c19a8fe2b9fc801ffb1eac3b39ad8119012e8851c9fd105be87c9aa67a92b01c01c608219c0eb08e4bc12fcb907687fc3d244dde725e28d9bad7dbd880b7de

Download Submit
memory/100-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/100-1-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/100-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/100-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/900-17-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/900-14-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/900-20-0x00000000015D0000-0x000000000162F000-memory.dmp

Filesize
380KB

Download
memory/900-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/900-32-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/900-38-0x000000000B620000-0x000000000B65C000-memory.dmp

Filesize
240KB

Download
memory/900-37-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/900-39-0x000000000B620000-0x000000000B65C000-memory.dmp

Filesize
240KB

Download