575b013aaa2cebfb1ab29b07a36cf5da9fb9ba5299a55743775c9e1858d13c8b

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28/02/2024, 02:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

aac04427b3d4d7afa43ca7e627bf61d4.exe
Size

385KB
MD5

aac04427b3d4d7afa43ca7e627bf61d4
SHA1

f556e6c70259454812fc4dc1a362c71087593447
SHA256

575b013aaa2cebfb1ab29b07a36cf5da9fb9ba5299a55743775c9e1858d13c8b
SHA512

3332d8e103a83f398e8e079e44672829f75d56abe7dcb2ff8a4e5d88662f852342c95a8a00e45e88985d451720107e07f208884e8d02a323935acf77387fb08e
SSDEEP

6144:GoNQL+gB+Kp/oj3nED6VYEZvrfj+I9bZaWDDTelUYCgiWyLejiB:/QLVBF/ogWVYEJr79bZaAiaTWggiB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
452	aac04427b3d4d7afa43ca7e627bf61d4.exe

Executes dropped EXE 1 IoCs

pid	Process
452	aac04427b3d4d7afa43ca7e627bf61d4.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	pastebin.com
7	pastebin.com

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4164	aac04427b3d4d7afa43ca7e627bf61d4.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4164	aac04427b3d4d7afa43ca7e627bf61d4.exe
452	aac04427b3d4d7afa43ca7e627bf61d4.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4164 wrote to memory of 452	4164	aac04427b3d4d7afa43ca7e627bf61d4.exe	88
PID 4164 wrote to memory of 452	4164	aac04427b3d4d7afa43ca7e627bf61d4.exe	88
PID 4164 wrote to memory of 452	4164	aac04427b3d4d7afa43ca7e627bf61d4.exe	88

C:\Users\Admin\AppData\Local\Temp\aac04427b3d4d7afa43ca7e627bf61d4.exe
"C:\Users\Admin\AppData\Local\Temp\aac04427b3d4d7afa43ca7e627bf61d4.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4164
- C:\Users\Admin\AppData\Local\Temp\aac04427b3d4d7afa43ca7e627bf61d4.exe
  C:\Users\Admin\AppData\Local\Temp\aac04427b3d4d7afa43ca7e627bf61d4.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aac04427b3d4d7afa43ca7e627bf61d4.exe

Filesize
385KB

MD5
fd226169a337417b70c877858dfc5816

SHA1
d2519bc96b7acb56bd3c52bec04fdb2705cd8759

SHA256
7e85a0a6ab65d7c05009a9fb866d5b070733a96ce3fac231b32823e4fbe6fc81

SHA512
d6b9bb9409a77d464801761f5d25deb93d86cf278a251999cb683a36c3a1888bb1137c624a198f3a75c7646327b328ae01530f3bcadf2c1a6cbe96f08fce4046

Download Submit
memory/452-32-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/452-14-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/452-17-0x0000000001600000-0x0000000001666000-memory.dmp

Filesize
408KB

Download
memory/452-20-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/452-22-0x0000000004EE0000-0x0000000004F3F000-memory.dmp

Filesize
380KB

Download
memory/452-37-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/452-38-0x000000000C620000-0x000000000C65C000-memory.dmp

Filesize
240KB

Download
memory/452-39-0x000000000C620000-0x000000000C65C000-memory.dmp

Filesize
240KB

Download
memory/4164-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4164-1-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/4164-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4164-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download