83098fcbfb62aa6786a98ce1c6258a54cf9d23ab804f69f9a6f47f6649c0dd7c

Analysis

max time kernel
94s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28/02/2024, 15:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac43fb871e14717097ca8615aac140eb.exe
Size

385KB
MD5

ac43fb871e14717097ca8615aac140eb
SHA1

2273a15b64df232812686595546f440223671fb4
SHA256

83098fcbfb62aa6786a98ce1c6258a54cf9d23ab804f69f9a6f47f6649c0dd7c
SHA512

d14d5873f127c4d974536112243a4aa84c0ab31eeb4310b1a778801820e455c366e10adade18630fa386499333e26acb0212424551bda68d436aa5150df22f5c
SSDEEP

6144:28qaxhMzeR2p1BYjGnDMBs00NRSalXe12tNNAXIjmgftTLb/xUyi97hB:28JIqR2iGnDyaJX22X7mgx3/YhB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1012	ac43fb871e14717097ca8615aac140eb.exe

Executes dropped EXE 1 IoCs

pid	Process
1012	ac43fb871e14717097ca8615aac140eb.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	pastebin.com
7	pastebin.com

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3516	ac43fb871e14717097ca8615aac140eb.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3516	ac43fb871e14717097ca8615aac140eb.exe
1012	ac43fb871e14717097ca8615aac140eb.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3516 wrote to memory of 1012	3516	ac43fb871e14717097ca8615aac140eb.exe	88
PID 3516 wrote to memory of 1012	3516	ac43fb871e14717097ca8615aac140eb.exe	88
PID 3516 wrote to memory of 1012	3516	ac43fb871e14717097ca8615aac140eb.exe	88

C:\Users\Admin\AppData\Local\Temp\ac43fb871e14717097ca8615aac140eb.exe
"C:\Users\Admin\AppData\Local\Temp\ac43fb871e14717097ca8615aac140eb.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3516
- C:\Users\Admin\AppData\Local\Temp\ac43fb871e14717097ca8615aac140eb.exe
  C:\Users\Admin\AppData\Local\Temp\ac43fb871e14717097ca8615aac140eb.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ac43fb871e14717097ca8615aac140eb.exe

Filesize
385KB

MD5
3ce88d8dea75c13611b4a50f7bb73fd4

SHA1
157b233d6a2a3d63aba69bd6ea3d4de8bf231fc8

SHA256
08b8585800b9e019216750ec75ed864ddb02f6e477300e8f57e022f8de7a40ab

SHA512
cd19089ee2edac241ae7e0edad73baebdcdad3be3e095db303ece8e604cbe2d09c4c5d3d47b91f29af50860d953795a7d1dc57542707631237f4adbd46c21e78

Download Submit
memory/1012-14-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1012-16-0x00000000014D0000-0x0000000001536000-memory.dmp

Filesize
408KB

Download
memory/1012-21-0x0000000004EE0000-0x0000000004F3F000-memory.dmp

Filesize
380KB

Download
memory/1012-20-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1012-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1012-35-0x000000000B600000-0x000000000B63C000-memory.dmp

Filesize
240KB

Download
memory/1012-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3516-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3516-1-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/3516-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3516-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download