ff6a4ba558edda40d227e369581a930cd4833270974e4782de885ba6b5bb9866

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13/02/2024, 11:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9945f81f2ef987c5907053aa4fcf9669.exe
Size

385KB
MD5

9945f81f2ef987c5907053aa4fcf9669
SHA1

24ea674b104abf8184b18e01dedbb3addc6ca712
SHA256

ff6a4ba558edda40d227e369581a930cd4833270974e4782de885ba6b5bb9866
SHA512

313a6026c68aac52ab8d0c670339beea26a3649071d8b7fd141e6d85eac62cbe6000f35160061bfa670d6f04f9df1193bde3740b29ee797a71d52f29181713d9
SSDEEP

6144:yB9KkLryKVtXQ0n78D06ttVb0Ud2JPSJt7qHSdVumQ3oEznErFIWoqVIH2z18PB:yzeKVtg0n7e0wtNjNQ46nEr5Vs2zeB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4716	9945f81f2ef987c5907053aa4fcf9669.exe

Executes dropped EXE 1 IoCs

pid	Process
4716	9945f81f2ef987c5907053aa4fcf9669.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
8	pastebin.com
9	pastebin.com

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
884	9945f81f2ef987c5907053aa4fcf9669.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
884	9945f81f2ef987c5907053aa4fcf9669.exe
4716	9945f81f2ef987c5907053aa4fcf9669.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 884 wrote to memory of 4716	884	9945f81f2ef987c5907053aa4fcf9669.exe	83
PID 884 wrote to memory of 4716	884	9945f81f2ef987c5907053aa4fcf9669.exe	83
PID 884 wrote to memory of 4716	884	9945f81f2ef987c5907053aa4fcf9669.exe	83

C:\Users\Admin\AppData\Local\Temp\9945f81f2ef987c5907053aa4fcf9669.exe
"C:\Users\Admin\AppData\Local\Temp\9945f81f2ef987c5907053aa4fcf9669.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:884
- C:\Users\Admin\AppData\Local\Temp\9945f81f2ef987c5907053aa4fcf9669.exe
  C:\Users\Admin\AppData\Local\Temp\9945f81f2ef987c5907053aa4fcf9669.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:4716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9945f81f2ef987c5907053aa4fcf9669.exe

Filesize
385KB

MD5
112eaaf9c14c3d3566b9e9ccf01cc4b6

SHA1
0b53fb384d0e3063680d8763ff97906d9df4a39d

SHA256
267524d97c8db37cc740a4240b10fc939fe931c89bf743e258bacbb9a1834cac

SHA512
fa6e07e38a467ade2265503163e698c16a4e7f2a0c71d588db7e31fa2d09d75e4285f311cbc5425d5bb74ba318121959eb59b5ba7f6203de39ed0e0d380e0d11

Download Submit
memory/884-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/884-1-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/884-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/884-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4716-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4716-14-0x0000000001620000-0x0000000001686000-memory.dmp

Filesize
408KB

Download
memory/4716-20-0x0000000004EB0000-0x0000000004F0F000-memory.dmp

Filesize
380KB

Download
memory/4716-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4716-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4716-33-0x000000000B600000-0x000000000B63C000-memory.dmp

Filesize
240KB

Download
memory/4716-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download