5cbb92494b71921f0b004f61068887277c7afcadb0ba93fac5cbed9784261861

Analysis

max time kernel
144s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13/02/2024, 03:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

985ab6fef66d93eda9fa9b479eba883e.exe
Size

907KB
MD5

985ab6fef66d93eda9fa9b479eba883e
SHA1

ddb4b03166a448e3be7b23a810772edfc58b1204
SHA256

5cbb92494b71921f0b004f61068887277c7afcadb0ba93fac5cbed9784261861
SHA512

b2db0c3c4ed8833abd3376a9b211d73c23ea3f05d5447a20ae712dca88aec88b9f8fa72b7baf02afb3728dff767ecf4ea5743de4aa79d60cae898e662eabfb9e
SSDEEP

12288:4SjXzoxwNym3c2QCbOwFmgYcAjGEVImnZUQQ/ToGIIwP3koWydqakjVDa/ZS1:ZDtQs2Nj4IZxQ/cFIM3knydqaaa/ZS1

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3328	985ab6fef66d93eda9fa9b479eba883e.exe

Executes dropped EXE 1 IoCs

pid	Process
3328	985ab6fef66d93eda9fa9b479eba883e.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	pastebin.com
6	pastebin.com

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
468	985ab6fef66d93eda9fa9b479eba883e.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
468	985ab6fef66d93eda9fa9b479eba883e.exe
3328	985ab6fef66d93eda9fa9b479eba883e.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 468 wrote to memory of 3328	468	985ab6fef66d93eda9fa9b479eba883e.exe	85
PID 468 wrote to memory of 3328	468	985ab6fef66d93eda9fa9b479eba883e.exe	85
PID 468 wrote to memory of 3328	468	985ab6fef66d93eda9fa9b479eba883e.exe	85

C:\Users\Admin\AppData\Local\Temp\985ab6fef66d93eda9fa9b479eba883e.exe
"C:\Users\Admin\AppData\Local\Temp\985ab6fef66d93eda9fa9b479eba883e.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:468
- C:\Users\Admin\AppData\Local\Temp\985ab6fef66d93eda9fa9b479eba883e.exe
  C:\Users\Admin\AppData\Local\Temp\985ab6fef66d93eda9fa9b479eba883e.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:3328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\985ab6fef66d93eda9fa9b479eba883e.exe

Filesize
907KB

MD5
4e5daa8ed37eebc57e76c0ccfc46b6f9

SHA1
dc0a5bd67df3c7a3b83234fc294d0ab321ffdde5

SHA256
78e5a99d6e20fd34b8acfad996ec8e45d546f39b1fea4ac5a4ba6fe77023dcf8

SHA512
f2fe7242468db7ef8ee81ad838b5d12755b355b5861e619e9289c9f82b1e234c83c2bf24c17277cc79864345747b1b5d7359b8c9dc632cd92b3551184d9fcb1e

Download Submit
memory/468-0-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/468-1-0x0000000001800000-0x00000000018E8000-memory.dmp

Filesize
928KB

Download
memory/468-2-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/468-11-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/3328-13-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/3328-15-0x0000000001700000-0x00000000017E8000-memory.dmp

Filesize
928KB

Download
memory/3328-20-0x0000000005080000-0x000000000513B000-memory.dmp

Filesize
748KB

Download
memory/3328-21-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/3328-30-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3328-36-0x000000000B800000-0x000000000B898000-memory.dmp

Filesize
608KB

Download