e7d293d5ba88e3e0e29c84b2341e4e7bb27ef77d3a9258cf1ae90c6bcff3f334

Analysis

max time kernel
134s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13/02/2024, 22:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9a145b9bb9b86939ec09dc68131f7516.exe
Size

385KB
MD5

9a145b9bb9b86939ec09dc68131f7516
SHA1

af3e9a153281892ada9b23a4613c60f83a8a964b
SHA256

e7d293d5ba88e3e0e29c84b2341e4e7bb27ef77d3a9258cf1ae90c6bcff3f334
SHA512

78e59c6cb2deade6c15b237b072a0c18636149b4b1a0303336f17dc4f545e9d2968c7343f6a32999d1aaa0cc7bc656c0e5ac7c196342dc0b517bf9f298d18f5f
SSDEEP

12288:MJUGTNHnhY0M0LzIS6ckFnkOoVsD4LwpcB:MTZK0BzIdhkwD6B

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3816	9a145b9bb9b86939ec09dc68131f7516.exe

Executes dropped EXE 1 IoCs

pid	Process
3816	9a145b9bb9b86939ec09dc68131f7516.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
7	pastebin.com
8	pastebin.com

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4380	9a145b9bb9b86939ec09dc68131f7516.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4380	9a145b9bb9b86939ec09dc68131f7516.exe
3816	9a145b9bb9b86939ec09dc68131f7516.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4380 wrote to memory of 3816	4380	9a145b9bb9b86939ec09dc68131f7516.exe	83
PID 4380 wrote to memory of 3816	4380	9a145b9bb9b86939ec09dc68131f7516.exe	83
PID 4380 wrote to memory of 3816	4380	9a145b9bb9b86939ec09dc68131f7516.exe	83

C:\Users\Admin\AppData\Local\Temp\9a145b9bb9b86939ec09dc68131f7516.exe
"C:\Users\Admin\AppData\Local\Temp\9a145b9bb9b86939ec09dc68131f7516.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4380
- C:\Users\Admin\AppData\Local\Temp\9a145b9bb9b86939ec09dc68131f7516.exe
  C:\Users\Admin\AppData\Local\Temp\9a145b9bb9b86939ec09dc68131f7516.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:3816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9a145b9bb9b86939ec09dc68131f7516.exe

Filesize
385KB

MD5
b455a2e3603c4a2e0c6e041394f26ca8

SHA1
318c2e95434607ae4fe239c4de2ce31f1b09d822

SHA256
7fdd064fc3976619c1ccdaa35840695c9bc31536f939d73d098209689e8a34f2

SHA512
15a3a9e3de0852471620c3e44efdaecaf83a0fbd4e1df5cc83afa5075833229effd451988732936ce2571ee9718629d2a36d47dd3587de2b98d56aa1982188df

Download Submit
memory/3816-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3816-16-0x00000000014D0000-0x0000000001536000-memory.dmp

Filesize
408KB

Download
memory/3816-20-0x0000000004F10000-0x0000000004F6F000-memory.dmp

Filesize
380KB

Download
memory/3816-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3816-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3816-31-0x000000000B600000-0x000000000B63C000-memory.dmp

Filesize
240KB

Download
memory/3816-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4380-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4380-1-0x00000000015F0000-0x0000000001656000-memory.dmp

Filesize
408KB

Download
memory/4380-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4380-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download