e758f4b23383e42522268d783df9214b38db5ecc5e8b3e23c409310798a35dad

Analysis

max time kernel
144s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13/02/2024, 06:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

98c26884b233b5396f1596f847cc7a9a.exe
Size

907KB
MD5

98c26884b233b5396f1596f847cc7a9a
SHA1

6a6b7fad9203f8f3f6c41631d786b599fdcdc339
SHA256

e758f4b23383e42522268d783df9214b38db5ecc5e8b3e23c409310798a35dad
SHA512

0b4ff21ab522e0a4b9579b9894eb1c33d14a18c26731f92631aefd0551ae71af26b03d848dc28a22eac94a51e26baf9a05aa9bbd354a7f2952990d5d7df141d5
SSDEEP

12288:BKwpN9EGSga1kfYAmFiHLLKNFU4s9WQAZn6trXbOnueIZVA6dnT6ymjEjVDa/ZS1:gQuga17HMPKfrQI6+uep2Fa/ZS1

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4556	98c26884b233b5396f1596f847cc7a9a.exe

Executes dropped EXE 1 IoCs

pid	Process
4556	98c26884b233b5396f1596f847cc7a9a.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
5	pastebin.com
6	pastebin.com

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4552	98c26884b233b5396f1596f847cc7a9a.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4552	98c26884b233b5396f1596f847cc7a9a.exe
4556	98c26884b233b5396f1596f847cc7a9a.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4552 wrote to memory of 4556	4552	98c26884b233b5396f1596f847cc7a9a.exe	85
PID 4552 wrote to memory of 4556	4552	98c26884b233b5396f1596f847cc7a9a.exe	85
PID 4552 wrote to memory of 4556	4552	98c26884b233b5396f1596f847cc7a9a.exe	85

C:\Users\Admin\AppData\Local\Temp\98c26884b233b5396f1596f847cc7a9a.exe
"C:\Users\Admin\AppData\Local\Temp\98c26884b233b5396f1596f847cc7a9a.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4552
- C:\Users\Admin\AppData\Local\Temp\98c26884b233b5396f1596f847cc7a9a.exe
  C:\Users\Admin\AppData\Local\Temp\98c26884b233b5396f1596f847cc7a9a.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:4556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\98c26884b233b5396f1596f847cc7a9a.exe

Filesize
907KB

MD5
223ebe75f0cae5b4de88e773a9364d33

SHA1
6cb9dd06e0c1a8c46be123b598a1d45f976a04ea

SHA256
6b2cc4a74fe2b5bbc5fd4d5a2f5cceec975705db07b0e1b12b6eebb572593266

SHA512
98553ee35f891408d28afa1b137c65986317b37a82d4d4761dfee69833c63bb6b9428c57b4b25e67125a309a943230f4217729e88f68ea715b7c368e31070be5

Download Submit
memory/4552-0-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/4552-1-0x00000000015B0000-0x0000000001698000-memory.dmp

Filesize
928KB

Download
memory/4552-2-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/4552-12-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/4556-13-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/4556-14-0x0000000001650000-0x0000000001738000-memory.dmp

Filesize
928KB

Download
memory/4556-20-0x0000000005240000-0x00000000052FB000-memory.dmp

Filesize
748KB

Download
memory/4556-21-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/4556-30-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4556-33-0x000000000B800000-0x000000000B898000-memory.dmp

Filesize
608KB

Download