2831c2d0d45e247af09545f3fd44ea29dc7599d4cec272097f0d1ffd27d959e8

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
24/02/2024, 21:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2c3d3fd4ef0994f3d39e8f4889e90ab.exe
Size

907KB
MD5

a2c3d3fd4ef0994f3d39e8f4889e90ab
SHA1

972c39ce0d7d134fe51301409a31224d8c4a1f92
SHA256

2831c2d0d45e247af09545f3fd44ea29dc7599d4cec272097f0d1ffd27d959e8
SHA512

555445de39bdf3882f6cc2c4618e4e32d1ea753e5053027915cbfa70a27f0140fb8acdaf2a8f6051e100d6f54576e1acdf4cbfad386ee8c84dd54ff2ac90ad6b
SSDEEP

12288:39TqD5cE9eyigKWAe+5BkogcJTLUQ/mDq4BNRxmo2kzjVDa/ZS1:82ytKln+anUQX4HRwtwa/ZS1

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3172	a2c3d3fd4ef0994f3d39e8f4889e90ab.exe

Executes dropped EXE 1 IoCs

pid	Process
3172	a2c3d3fd4ef0994f3d39e8f4889e90ab.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
9	pastebin.com
13	pastebin.com

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
5084	a2c3d3fd4ef0994f3d39e8f4889e90ab.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
5084	a2c3d3fd4ef0994f3d39e8f4889e90ab.exe
3172	a2c3d3fd4ef0994f3d39e8f4889e90ab.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5084 wrote to memory of 3172	5084	a2c3d3fd4ef0994f3d39e8f4889e90ab.exe	87
PID 5084 wrote to memory of 3172	5084	a2c3d3fd4ef0994f3d39e8f4889e90ab.exe	87
PID 5084 wrote to memory of 3172	5084	a2c3d3fd4ef0994f3d39e8f4889e90ab.exe	87

C:\Users\Admin\AppData\Local\Temp\a2c3d3fd4ef0994f3d39e8f4889e90ab.exe
"C:\Users\Admin\AppData\Local\Temp\a2c3d3fd4ef0994f3d39e8f4889e90ab.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:5084
- C:\Users\Admin\AppData\Local\Temp\a2c3d3fd4ef0994f3d39e8f4889e90ab.exe
  C:\Users\Admin\AppData\Local\Temp\a2c3d3fd4ef0994f3d39e8f4889e90ab.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:3172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a2c3d3fd4ef0994f3d39e8f4889e90ab.exe

Filesize
907KB

MD5
d2699ef052785893146b26fa624724fb

SHA1
8c55c385d60da0033eb14047e8d20ff8f3262692

SHA256
dc2c8c728d541040604698ebca047d306b5ddf490fad1ce885f0e359e6ce6749

SHA512
f33bce007558be07a2fefd10b6da772898fa324e23295f0b95799f0455d596c6d814a4191d28dc8751c603fc08e88c40f0aa57f9e2edfd0d0a1361e95fea7bbd

Download Submit
memory/3172-13-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/3172-15-0x0000000001630000-0x0000000001718000-memory.dmp

Filesize
928KB

Download
memory/3172-20-0x0000000005060000-0x000000000511B000-memory.dmp

Filesize
748KB

Download
memory/3172-21-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/3172-32-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3172-35-0x000000000C840000-0x000000000C8D8000-memory.dmp

Filesize
608KB

Download
memory/5084-0-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/5084-1-0x00000000017D0000-0x00000000018B8000-memory.dmp

Filesize
928KB

Download
memory/5084-2-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/5084-11-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download