34a8ee6eba0da182a7e88746842ea699040e856a52a3eca62b8fbafbd9886fb0

Analysis

max time kernel
143s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12/02/2024, 20:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9795ec5ad4b08b431fc73808c28eec07.exe
Size

385KB
MD5

9795ec5ad4b08b431fc73808c28eec07
SHA1

a2f8a3a0df431b413ebf538ff9c0bbd21937190d
SHA256

34a8ee6eba0da182a7e88746842ea699040e856a52a3eca62b8fbafbd9886fb0
SHA512

e6e3f6f71bccb40ee037c6a21bd412c4351049d699f9f8c2dc9ff4b693a661a0b4ca370eb4e2b01d13d0a6da0de102b10935fa8c2a65d612371020d417ec061f
SSDEEP

12288:/OxpqAqK2OfNWM7uisFDzf56fQEZdze8B:G0AHDsMOF8f/ze8B

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3808	9795ec5ad4b08b431fc73808c28eec07.exe

Executes dropped EXE 1 IoCs

pid	Process
3808	9795ec5ad4b08b431fc73808c28eec07.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	pastebin.com
7	pastebin.com

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3348	9795ec5ad4b08b431fc73808c28eec07.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3348	9795ec5ad4b08b431fc73808c28eec07.exe
3808	9795ec5ad4b08b431fc73808c28eec07.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3348 wrote to memory of 3808	3348	9795ec5ad4b08b431fc73808c28eec07.exe	84
PID 3348 wrote to memory of 3808	3348	9795ec5ad4b08b431fc73808c28eec07.exe	84
PID 3348 wrote to memory of 3808	3348	9795ec5ad4b08b431fc73808c28eec07.exe	84

C:\Users\Admin\AppData\Local\Temp\9795ec5ad4b08b431fc73808c28eec07.exe
"C:\Users\Admin\AppData\Local\Temp\9795ec5ad4b08b431fc73808c28eec07.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3348
- C:\Users\Admin\AppData\Local\Temp\9795ec5ad4b08b431fc73808c28eec07.exe
  C:\Users\Admin\AppData\Local\Temp\9795ec5ad4b08b431fc73808c28eec07.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:3808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9795ec5ad4b08b431fc73808c28eec07.exe

Filesize
385KB

MD5
795e2cbc0f8934aa978d7f598d4ee847

SHA1
2a90916752bc63f73e061cc6d9c00e7a504de081

SHA256
ecf2e0760e3e5228d938caf619a392740463e772a29db9777318eb53d10348e1

SHA512
6bff82074ae53625a684c27abd7bb823185114c614bb7a73580d6edfdf9030f504e9e5d727e44a4426e0a5e8643450f5c7606b0faeac47d5e7255024451eb97e

Download Submit
memory/3348-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3348-1-0x0000000001650000-0x00000000016B6000-memory.dmp

Filesize
408KB

Download
memory/3348-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3348-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3808-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3808-16-0x00000000015F0000-0x0000000001656000-memory.dmp

Filesize
408KB

Download
memory/3808-20-0x0000000004E80000-0x0000000004EDF000-memory.dmp

Filesize
380KB

Download
memory/3808-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3808-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3808-34-0x000000000B600000-0x000000000B63C000-memory.dmp

Filesize
240KB

Download
memory/3808-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download