bd29ce05091222bbf4c9e5df9aa36b8cce0082913ca8b34dbddea601a2a8dcfa

Analysis

max time kernel
94s
max time network
115s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
25/02/2024, 06:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a30f93a12081bb2fde8f36005d3cc6fb.exe
Size

907KB
MD5

a30f93a12081bb2fde8f36005d3cc6fb
SHA1

51241e31efaaf084ec142c10c60e224c3cb1fdd9
SHA256

bd29ce05091222bbf4c9e5df9aa36b8cce0082913ca8b34dbddea601a2a8dcfa
SHA512

1f5d76ee9e73bd6cc425d325c3e82b0a76e67949e4bc2331f421e799ce6d80b342ea7c15a2fecb4ab0031a95fd6c581419a0994ae07f8f4239909b69c0ddf45a
SSDEEP

12288:Fz8k5sniS0LCCmUcPfuMiTPVwkmfiBUYlcG2Bw5HT8UUDh0jVDa/ZS1:F5520WCO+FzYfMJpz8hDca/ZS1

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1828	a30f93a12081bb2fde8f36005d3cc6fb.exe

Executes dropped EXE 1 IoCs

pid	Process
1828	a30f93a12081bb2fde8f36005d3cc6fb.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	pastebin.com
7	pastebin.com

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4936	a30f93a12081bb2fde8f36005d3cc6fb.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4936	a30f93a12081bb2fde8f36005d3cc6fb.exe
1828	a30f93a12081bb2fde8f36005d3cc6fb.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4936 wrote to memory of 1828	4936	a30f93a12081bb2fde8f36005d3cc6fb.exe	89
PID 4936 wrote to memory of 1828	4936	a30f93a12081bb2fde8f36005d3cc6fb.exe	89
PID 4936 wrote to memory of 1828	4936	a30f93a12081bb2fde8f36005d3cc6fb.exe	89

C:\Users\Admin\AppData\Local\Temp\a30f93a12081bb2fde8f36005d3cc6fb.exe
"C:\Users\Admin\AppData\Local\Temp\a30f93a12081bb2fde8f36005d3cc6fb.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4936
- C:\Users\Admin\AppData\Local\Temp\a30f93a12081bb2fde8f36005d3cc6fb.exe
  C:\Users\Admin\AppData\Local\Temp\a30f93a12081bb2fde8f36005d3cc6fb.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a30f93a12081bb2fde8f36005d3cc6fb.exe

Filesize
907KB

MD5
8527dc584bb4aeb42c8e7b34f8b150f1

SHA1
1ca6daf3073d0be0d623a4210cc2e465d00d09ba

SHA256
2dd0518241b831c7137eca7a00578827f4426f68d058a0ffc2fe11ade8b7d209

SHA512
db147ce3f5529bdbe82e330e381065674f73b6e225e44db14ee81d25e62a5d160709fc2d279a01f0d446a80ac04461bfe94fc2106806a2ce74a762fdb1d3d8ac

Download Submit
memory/1828-13-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1828-16-0x0000000001680000-0x0000000001768000-memory.dmp

Filesize
928KB

Download
memory/1828-20-0x0000000005110000-0x00000000051CB000-memory.dmp

Filesize
748KB

Download
memory/1828-21-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1828-32-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1828-35-0x000000000D850000-0x000000000D8E8000-memory.dmp

Filesize
608KB

Download
memory/4936-0-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/4936-1-0x00000000016F0000-0x00000000017D8000-memory.dmp

Filesize
928KB

Download
memory/4936-2-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/4936-11-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download