f2e0347fc94cf741aa7ba76ccc84bf91b204f7b08a7e0b338d9ed41fdf639c39

Analysis

max time kernel
143s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12/02/2024, 21:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97a0f5dbf5f2ef646de67d0e8e3197c6.exe
Size

771KB
MD5

97a0f5dbf5f2ef646de67d0e8e3197c6
SHA1

76245325c32e9ac99025a7e9bc94b0bf42cd6188
SHA256

f2e0347fc94cf741aa7ba76ccc84bf91b204f7b08a7e0b338d9ed41fdf639c39
SHA512

dab5aa28ded821da9115699b64147594accdf00dbefb2a9c821962ec6f65dd4c28134fcfaa56ee71ac7a797ab0799175827dafbb1f53a386ea1b9d0882777113
SSDEEP

12288:SywCZeXw0XEFDKMIOXUpSbGCMhsrxFrb10VHmDXTuFaa2AtyGTKOF25ZoJJyhRgT:SbA6Ok5CnrxNb10hJaothZ2/T6FBBB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3588	97a0f5dbf5f2ef646de67d0e8e3197c6.exe

Executes dropped EXE 1 IoCs

pid	Process
3588	97a0f5dbf5f2ef646de67d0e8e3197c6.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
3	pastebin.com
4	pastebin.com

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3052	97a0f5dbf5f2ef646de67d0e8e3197c6.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3052	97a0f5dbf5f2ef646de67d0e8e3197c6.exe
3588	97a0f5dbf5f2ef646de67d0e8e3197c6.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 3588	3052	97a0f5dbf5f2ef646de67d0e8e3197c6.exe	85
PID 3052 wrote to memory of 3588	3052	97a0f5dbf5f2ef646de67d0e8e3197c6.exe	85
PID 3052 wrote to memory of 3588	3052	97a0f5dbf5f2ef646de67d0e8e3197c6.exe	85

C:\Users\Admin\AppData\Local\Temp\97a0f5dbf5f2ef646de67d0e8e3197c6.exe
"C:\Users\Admin\AppData\Local\Temp\97a0f5dbf5f2ef646de67d0e8e3197c6.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Users\Admin\AppData\Local\Temp\97a0f5dbf5f2ef646de67d0e8e3197c6.exe
  C:\Users\Admin\AppData\Local\Temp\97a0f5dbf5f2ef646de67d0e8e3197c6.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:3588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\97a0f5dbf5f2ef646de67d0e8e3197c6.exe

Filesize
771KB

MD5
1773bc9c32eb769a5debaba7f5e4e138

SHA1
72fbfad9467a3393e0b2520c66577559a3356e5a

SHA256
0f31f004467015b6b694abe8a4bc2f171b1e6e4098ecb2e2874c68152cb75c2d

SHA512
11e925e796b084ca591dc99d96f022355276549b50999a41178ced942285997dff192201dc139e087ae012fd228258879fc0f1a468dd35c296af6a773315db5d

Download Submit
memory/3052-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3052-1-0x00000000014D0000-0x0000000001536000-memory.dmp

Filesize
408KB

Download
memory/3052-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3052-12-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3588-15-0x0000000001540000-0x00000000015A6000-memory.dmp

Filesize
408KB

Download
memory/3588-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3588-20-0x0000000004EE0000-0x0000000004F3F000-memory.dmp

Filesize
380KB

Download
memory/3588-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3588-32-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3588-37-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3588-38-0x000000000C620000-0x000000000C65C000-memory.dmp

Filesize
240KB

Download
memory/3588-39-0x000000000C620000-0x000000000C65C000-memory.dmp

Filesize
240KB

Download