24161fe558d866ec5f8bd19d9675df92a32b271abe800e5e2c5d41b9e9430afa

Analysis

max time kernel
93s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28/02/2024, 05:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ab276c42912c67b2dfa0afbae4eed89e.exe
Size

907KB
MD5

ab276c42912c67b2dfa0afbae4eed89e
SHA1

727b18456926677117d5f8ea82cbaae8f38c9c18
SHA256

24161fe558d866ec5f8bd19d9675df92a32b271abe800e5e2c5d41b9e9430afa
SHA512

799d6dfa55dfbc75ddc13ee87d7de2cc283e1937bc7f10f60d8dcea8cbdcd43c1cb93fa752640164f9cd76e171040612b6201421f3f7c97facb9bf6d8117c9e5
SSDEEP

24576:Q9htfaRgzoxyDhfJTNCNqN5jXABea/ZS1:4fdoiRUCRXABegS

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3020	ab276c42912c67b2dfa0afbae4eed89e.exe

Executes dropped EXE 1 IoCs

pid	Process
3020	ab276c42912c67b2dfa0afbae4eed89e.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	pastebin.com
7	pastebin.com

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
888	ab276c42912c67b2dfa0afbae4eed89e.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
888	ab276c42912c67b2dfa0afbae4eed89e.exe
3020	ab276c42912c67b2dfa0afbae4eed89e.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 888 wrote to memory of 3020	888	ab276c42912c67b2dfa0afbae4eed89e.exe	88
PID 888 wrote to memory of 3020	888	ab276c42912c67b2dfa0afbae4eed89e.exe	88
PID 888 wrote to memory of 3020	888	ab276c42912c67b2dfa0afbae4eed89e.exe	88

C:\Users\Admin\AppData\Local\Temp\ab276c42912c67b2dfa0afbae4eed89e.exe
"C:\Users\Admin\AppData\Local\Temp\ab276c42912c67b2dfa0afbae4eed89e.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:888
- C:\Users\Admin\AppData\Local\Temp\ab276c42912c67b2dfa0afbae4eed89e.exe
  C:\Users\Admin\AppData\Local\Temp\ab276c42912c67b2dfa0afbae4eed89e.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ab276c42912c67b2dfa0afbae4eed89e.exe

Filesize
907KB

MD5
0e2d342956c42ce845a25ca0180a729d

SHA1
23866870876362811df405b1dedb98bab15245f1

SHA256
8e3b6e163d38daf833c5258c6174d4096387085bc94252d662c72519b37bca95

SHA512
65b6a24448a49d354a091055841d32a8b9a5a2b2ba06c70b4f26b2935a49509163eb65f00e7308fa7eee8a3a82a08581ec174ad9c10ae076f70c0430fe9a42aa

Download Submit
memory/888-0-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/888-1-0x00000000017B0000-0x0000000001898000-memory.dmp

Filesize
928KB

Download
memory/888-2-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/888-11-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/3020-13-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/3020-14-0x00000000016B0000-0x0000000001798000-memory.dmp

Filesize
928KB

Download
memory/3020-20-0x00000000050F0000-0x00000000051AB000-memory.dmp

Filesize
748KB

Download
memory/3020-21-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/3020-30-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3020-36-0x000000000B7F0000-0x000000000B888000-memory.dmp

Filesize
608KB

Download