68c6a48c7c3b9ba71c523e0f3830b4d992448d8ddb67f451c587e48067a523e0

Analysis

max time kernel
97s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
04/02/2024, 17:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8fc8b804ab181c2256d94f0b87a9c0ee.exe
Size

385KB
MD5

8fc8b804ab181c2256d94f0b87a9c0ee
SHA1

961e148de2f769f3ee38c0580399c15b7ef14b06
SHA256

68c6a48c7c3b9ba71c523e0f3830b4d992448d8ddb67f451c587e48067a523e0
SHA512

b4edc17054562ce46b31f842636362a705638d04263787ea14618485041b0d53cb99253e47f0751c3eb51062c09cbb1fcbf031acfd3c090e8e71aa9229a1faff
SSDEEP

6144:elGz8S0/bgyQ/A3DmHNdS6Hlx4m39SNgYlu8F6eCInOhsxfv5krgAzZle+MHMKTs:eIP0//QgDAWQx/tolB79OWxnDAeiKfKB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2324	8fc8b804ab181c2256d94f0b87a9c0ee.exe

Executes dropped EXE 1 IoCs

pid	Process
2324	8fc8b804ab181c2256d94f0b87a9c0ee.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	pastebin.com
7	pastebin.com

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2944	8fc8b804ab181c2256d94f0b87a9c0ee.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2944	8fc8b804ab181c2256d94f0b87a9c0ee.exe
2324	8fc8b804ab181c2256d94f0b87a9c0ee.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2944 wrote to memory of 2324	2944	8fc8b804ab181c2256d94f0b87a9c0ee.exe	34
PID 2944 wrote to memory of 2324	2944	8fc8b804ab181c2256d94f0b87a9c0ee.exe	34
PID 2944 wrote to memory of 2324	2944	8fc8b804ab181c2256d94f0b87a9c0ee.exe	34

C:\Users\Admin\AppData\Local\Temp\8fc8b804ab181c2256d94f0b87a9c0ee.exe
"C:\Users\Admin\AppData\Local\Temp\8fc8b804ab181c2256d94f0b87a9c0ee.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Users\Admin\AppData\Local\Temp\8fc8b804ab181c2256d94f0b87a9c0ee.exe
  C:\Users\Admin\AppData\Local\Temp\8fc8b804ab181c2256d94f0b87a9c0ee.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8fc8b804ab181c2256d94f0b87a9c0ee.exe

Filesize
164KB

MD5
fc94dbe6e4e698e48cc3a25a77699524

SHA1
519dc8ef0198dc82a7b21d2d141269ba610378a4

SHA256
0170c722f4c93b2d58be1ece8ba724182e4c907aa7ed2c3b8b56dc41d784074c

SHA512
cfc17120094c15b1ff46798545ce689129de3984db84ca62e0d2d1ccf0db3155bf807fe36f59d4efa8b7ca80fd2808f42e5c82fdbfa18b605ca19aaac2edec2d

Download Submit
memory/2324-14-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2324-16-0x00000000015A0000-0x0000000001606000-memory.dmp

Filesize
408KB

Download
memory/2324-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2324-20-0x0000000004E90000-0x0000000004EEF000-memory.dmp

Filesize
380KB

Download
memory/2324-34-0x000000000D660000-0x000000000D69C000-memory.dmp

Filesize
240KB

Download
memory/2324-38-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2324-32-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2944-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2944-1-0x00000000014D0000-0x0000000001536000-memory.dmp

Filesize
408KB

Download
memory/2944-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2944-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download