2568a1d3c40aa2e0157895e46e6208f55df230e57ec45005bca18ac06165eeec

Analysis

max time kernel
92s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
24/02/2024, 10:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1a19f0c1203aef7eb654b48345fc3a2.exe
Size

385KB
MD5

a1a19f0c1203aef7eb654b48345fc3a2
SHA1

28cd839d07d80cced35f7d482f30d0f04ab05112
SHA256

2568a1d3c40aa2e0157895e46e6208f55df230e57ec45005bca18ac06165eeec
SHA512

48b1fe2894175a37fbb6c86703d09b2594648870cc99443a7c8f11dca60eb323867d32b95097d9da64c34370dc329b7b89f9442ac5d37b7fda9555ee252fc17b
SSDEEP

6144:3kWEWNkcxxBP7V7G6H4UFi8xYw9811tBANXujEGTFJlUTYB:HEyNxBjVq6H9Hxz981BEC/luYB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
316	a1a19f0c1203aef7eb654b48345fc3a2.exe

Executes dropped EXE 1 IoCs

pid	Process
316	a1a19f0c1203aef7eb654b48345fc3a2.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
14	pastebin.com
15	pastebin.com

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3372	a1a19f0c1203aef7eb654b48345fc3a2.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3372	a1a19f0c1203aef7eb654b48345fc3a2.exe
316	a1a19f0c1203aef7eb654b48345fc3a2.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3372 wrote to memory of 316	3372	a1a19f0c1203aef7eb654b48345fc3a2.exe	87
PID 3372 wrote to memory of 316	3372	a1a19f0c1203aef7eb654b48345fc3a2.exe	87
PID 3372 wrote to memory of 316	3372	a1a19f0c1203aef7eb654b48345fc3a2.exe	87

C:\Users\Admin\AppData\Local\Temp\a1a19f0c1203aef7eb654b48345fc3a2.exe
"C:\Users\Admin\AppData\Local\Temp\a1a19f0c1203aef7eb654b48345fc3a2.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3372
- C:\Users\Admin\AppData\Local\Temp\a1a19f0c1203aef7eb654b48345fc3a2.exe
  C:\Users\Admin\AppData\Local\Temp\a1a19f0c1203aef7eb654b48345fc3a2.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a1a19f0c1203aef7eb654b48345fc3a2.exe

Filesize
385KB

MD5
39f68f2764eaca8306864865c5ab7ec1

SHA1
dd23e25bd5fc357c44bdb8ffcae6f7b383231e3a

SHA256
401e222bd9b2b2c051e1f81e5c52a9c886f13d377f6fe1611f106e170e309663

SHA512
2141692096a71c0431f682d3b0806096ecab8bafd1298bf24f33248c40af2259a841766c9f1c3f3e6dc4cfb4ae276e1d8a93adfedd0c875fc2f85bed80fb117c

Download Submit
memory/316-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/316-14-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/316-20-0x00000000015D0000-0x000000000162F000-memory.dmp

Filesize
380KB

Download
memory/316-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/316-32-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/316-34-0x000000000C640000-0x000000000C67C000-memory.dmp

Filesize
240KB

Download
memory/316-38-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3372-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3372-1-0x0000000001620000-0x0000000001686000-memory.dmp

Filesize
408KB

Download
memory/3372-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3372-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download