62b4dde3e77e5fbf9ecf4d9196b8081aa5fb8a13669580982b77511c6799d2c0

Analysis

max time kernel
90s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
14/02/2024, 02:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9a7fac172a3d548aaefeda54621da813.exe
Size

385KB
MD5

9a7fac172a3d548aaefeda54621da813
SHA1

d95f7950e8da5b4da66dcfb6e703754356a82a8d
SHA256

62b4dde3e77e5fbf9ecf4d9196b8081aa5fb8a13669580982b77511c6799d2c0
SHA512

ba338b978198576046c513909c71baf868832c832827631b9d4e8800d05b25c463cd6ada2ec26d65e2a296ebf124f75e55e1c98e3d98ed792b634c5c0c45299f
SSDEEP

6144:D14xTWd0S2OpSPlBiLRNZaEoW9wAEtIQo4iMFTRUuwoUQqf+HjQ8uqr4sK68ND+P:DR0SFpSnEfHrOF6CQ8u1vSivpTS+gHB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4892	9a7fac172a3d548aaefeda54621da813.exe

Executes dropped EXE 1 IoCs

pid	Process
4892	9a7fac172a3d548aaefeda54621da813.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	pastebin.com
7	pastebin.com

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1300	9a7fac172a3d548aaefeda54621da813.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1300	9a7fac172a3d548aaefeda54621da813.exe
4892	9a7fac172a3d548aaefeda54621da813.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1300 wrote to memory of 4892	1300	9a7fac172a3d548aaefeda54621da813.exe	87
PID 1300 wrote to memory of 4892	1300	9a7fac172a3d548aaefeda54621da813.exe	87
PID 1300 wrote to memory of 4892	1300	9a7fac172a3d548aaefeda54621da813.exe	87

C:\Users\Admin\AppData\Local\Temp\9a7fac172a3d548aaefeda54621da813.exe
"C:\Users\Admin\AppData\Local\Temp\9a7fac172a3d548aaefeda54621da813.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1300
- C:\Users\Admin\AppData\Local\Temp\9a7fac172a3d548aaefeda54621da813.exe
  C:\Users\Admin\AppData\Local\Temp\9a7fac172a3d548aaefeda54621da813.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:4892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9a7fac172a3d548aaefeda54621da813.exe

Filesize
385KB

MD5
1cc9580104532cb6415a7fe51734da3a

SHA1
50e21d57a4e043844f4b46ba7365c8e7eb7ba8d5

SHA256
8d6604bd05b8d6f0505c8fbc1e719da0aec33cd15160c2956131c5b05b7b5f35

SHA512
45979d581e0b12c96d78235009588e0d8c2e608a90d63f4ca6e1327dfd50f95eb705cf9bdba079cfd9baed27b5da9bc85a732a73ad56d3e04212cc700ce8705b

Download Submit
memory/1300-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1300-1-0x00000000014D0000-0x0000000001536000-memory.dmp

Filesize
408KB

Download
memory/1300-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1300-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4892-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4892-15-0x0000000000140000-0x00000000001A6000-memory.dmp

Filesize
408KB

Download
memory/4892-20-0x0000000004E80000-0x0000000004EDF000-memory.dmp

Filesize
380KB

Download
memory/4892-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4892-32-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4892-37-0x000000000C620000-0x000000000C65C000-memory.dmp

Filesize
240KB

Download
memory/4892-38-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download