a4f8e5b93ec6ff7d77bf995c1257a541f1ae047e8eaae263f63c39bb71b93bac

Analysis

max time kernel
123s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
12/02/2024, 00:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

95d187d68c3e9603cd71e2e71ef6be08.exe
Size

385KB
MD5

95d187d68c3e9603cd71e2e71ef6be08
SHA1

fb89ad3cd62ac87d234e902aae21d0f703795e1e
SHA256

a4f8e5b93ec6ff7d77bf995c1257a541f1ae047e8eaae263f63c39bb71b93bac
SHA512

7e653eb8840ba2280cbe3505eb819946f780cb047cc2b53760096d55b529592a3179a823cdae6109be692cb3546f4f9aa6a05ede27bd035aad9ccb3de2fdf0ad
SSDEEP

12288:fDXS7X9Eiji87QOS6RhYB4VEpp61NP+K6Cyt4B:bS7XRe87b2Hw6gB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2472	95d187d68c3e9603cd71e2e71ef6be08.exe

Executes dropped EXE 1 IoCs

pid	Process
2472	95d187d68c3e9603cd71e2e71ef6be08.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	pastebin.com
7	pastebin.com

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1460	95d187d68c3e9603cd71e2e71ef6be08.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	4752	svchost.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1460	95d187d68c3e9603cd71e2e71ef6be08.exe
2472	95d187d68c3e9603cd71e2e71ef6be08.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1460 wrote to memory of 2472	1460	95d187d68c3e9603cd71e2e71ef6be08.exe	86
PID 1460 wrote to memory of 2472	1460	95d187d68c3e9603cd71e2e71ef6be08.exe	86
PID 1460 wrote to memory of 2472	1460	95d187d68c3e9603cd71e2e71ef6be08.exe	86

C:\Users\Admin\AppData\Local\Temp\95d187d68c3e9603cd71e2e71ef6be08.exe
"C:\Users\Admin\AppData\Local\Temp\95d187d68c3e9603cd71e2e71ef6be08.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1460
- C:\Users\Admin\AppData\Local\Temp\95d187d68c3e9603cd71e2e71ef6be08.exe
  C:\Users\Admin\AppData\Local\Temp\95d187d68c3e9603cd71e2e71ef6be08.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2472

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:2192

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\95d187d68c3e9603cd71e2e71ef6be08.exe

Filesize
385KB

MD5
43487757bbed5f8c255211262d6a09bd

SHA1
22e200280dc61d14c8b8a1ca1d87aa904a1f3742

SHA256
f50d51c28cbe3509efdf03e7378f325fc04a707d1d10bcb5917c1d2e056ca3bc

SHA512
5d51614f0f0f9e1a92c891a10ce094237305956357b26281e7562fdb0549c518e9f8f632cc7aa69a430f71e90b3a0093095a523f3c50986b9a2e26ee8c1d5805

Download Submit
memory/1460-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1460-1-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/1460-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1460-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2472-16-0x00000000014D0000-0x0000000001536000-memory.dmp

Filesize
408KB

Download
memory/2472-20-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2472-23-0x0000000004F20000-0x0000000004F7F000-memory.dmp

Filesize
380KB

Download
memory/2472-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2472-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2472-35-0x000000000B600000-0x000000000B63C000-memory.dmp

Filesize
240KB

Download
memory/2472-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4752-53-0x000001E493460000-0x000001E493470000-memory.dmp

Filesize
64KB

Download
memory/4752-71-0x000001E49B800000-0x000001E49B801000-memory.dmp

Filesize
4KB

Download
memory/4752-72-0x000001E49B800000-0x000001E49B801000-memory.dmp

Filesize
4KB

Download
memory/4752-73-0x000001E49B910000-0x000001E49B911000-memory.dmp

Filesize
4KB

Download
memory/4752-69-0x000001E49B7D0000-0x000001E49B7D1000-memory.dmp

Filesize
4KB

Download
memory/4752-37-0x000001E493360000-0x000001E493370000-memory.dmp

Filesize
64KB

Download