e2b042db729503f4460effc1bbef1eaf30b02ab70840bc847276d0dd19f464ba

Analysis

max time kernel
88s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
13/02/2024, 01:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

982a2a37014fedf4f8fa818a0600415e.exe
Size

907KB
MD5

982a2a37014fedf4f8fa818a0600415e
SHA1

05a71c39ba557444ff99fe7f2b739355a0400bc8
SHA256

e2b042db729503f4460effc1bbef1eaf30b02ab70840bc847276d0dd19f464ba
SHA512

a5271c7ff29d005c4cabe8d9e088cbdd9012c7bf55d4f904eaf60918cc9ca2e5bd85795119fc6f0f20ec9def8a17e2e354fb92810cb0a8c382eb9fb73cc24321
SSDEEP

24576:bMJnIv4Hew/yxwh9XOMEVYyO4qJ2ln/Ka/ZS1:EnIAHd/oI91EVYyO4FCgS

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3808	982a2a37014fedf4f8fa818a0600415e.exe

Executes dropped EXE 1 IoCs

pid	Process
3808	982a2a37014fedf4f8fa818a0600415e.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
3	pastebin.com
4	pastebin.com

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2696	982a2a37014fedf4f8fa818a0600415e.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2696	982a2a37014fedf4f8fa818a0600415e.exe
3808	982a2a37014fedf4f8fa818a0600415e.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 3808	2696	982a2a37014fedf4f8fa818a0600415e.exe	84
PID 2696 wrote to memory of 3808	2696	982a2a37014fedf4f8fa818a0600415e.exe	84
PID 2696 wrote to memory of 3808	2696	982a2a37014fedf4f8fa818a0600415e.exe	84

C:\Users\Admin\AppData\Local\Temp\982a2a37014fedf4f8fa818a0600415e.exe
"C:\Users\Admin\AppData\Local\Temp\982a2a37014fedf4f8fa818a0600415e.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Users\Admin\AppData\Local\Temp\982a2a37014fedf4f8fa818a0600415e.exe
  C:\Users\Admin\AppData\Local\Temp\982a2a37014fedf4f8fa818a0600415e.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:3808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\982a2a37014fedf4f8fa818a0600415e.exe

Filesize
907KB

MD5
cb315b28643d427ff39363ff50a6812a

SHA1
91d089522b4165d8b1e13353bea06ccc526b9c10

SHA256
13266bfda0d3e427e9718e8684e99bb75f00ce3d899b75ab263cac648183c519

SHA512
ab37fee13dccb27219b145d08425a216788fb0f826e32a211fe3acfb976819dd6bad106eb2a6ea2b59ae31d9507c4ebee04ce4a84e4392596bed984752bab3cc

Download Submit
memory/2696-0-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2696-1-0x00000000015B0000-0x0000000001698000-memory.dmp

Filesize
928KB

Download
memory/2696-2-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2696-11-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/3808-13-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/3808-16-0x0000000001680000-0x0000000001768000-memory.dmp

Filesize
928KB

Download
memory/3808-21-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/3808-20-0x0000000005090000-0x000000000514B000-memory.dmp

Filesize
748KB

Download
memory/3808-32-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3808-34-0x000000000C820000-0x000000000C8B8000-memory.dmp

Filesize
608KB

Download