fcb0d458029b669e018a251b80256ea0cbd7ad76de96af0d6c52cb867adccbc8

Analysis

max time kernel
147s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28/02/2024, 20:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

acd6afeee18e2a7f5b6b71d3ec50b4dc.exe
Size

1.5MB
MD5

acd6afeee18e2a7f5b6b71d3ec50b4dc
SHA1

35aec3116d75078ca1ea7ab7518596f4f9481fed
SHA256

fcb0d458029b669e018a251b80256ea0cbd7ad76de96af0d6c52cb867adccbc8
SHA512

42546ceeb29235e5c28707dde4b6b7430216c7e91dcc828addca422f34dc90d1aa6830969a09bf4a47a6b8bb2c2de770f9650468beb262a1a777207e197a7120
SSDEEP

24576:3c4kKpN2dnSob10hJaothZ2/T6FBBjNPI5lqkfZSkHR82b10hJaothZ2/T6FBBT:sc6dnF/ofqg4/ofp

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1428	acd6afeee18e2a7f5b6b71d3ec50b4dc.exe

Executes dropped EXE 1 IoCs

pid	Process
1428	acd6afeee18e2a7f5b6b71d3ec50b4dc.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
15	pastebin.com
22	pastebin.com

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4676	acd6afeee18e2a7f5b6b71d3ec50b4dc.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4676	acd6afeee18e2a7f5b6b71d3ec50b4dc.exe
1428	acd6afeee18e2a7f5b6b71d3ec50b4dc.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4676 wrote to memory of 1428	4676	acd6afeee18e2a7f5b6b71d3ec50b4dc.exe	89
PID 4676 wrote to memory of 1428	4676	acd6afeee18e2a7f5b6b71d3ec50b4dc.exe	89
PID 4676 wrote to memory of 1428	4676	acd6afeee18e2a7f5b6b71d3ec50b4dc.exe	89

C:\Users\Admin\AppData\Local\Temp\acd6afeee18e2a7f5b6b71d3ec50b4dc.exe
"C:\Users\Admin\AppData\Local\Temp\acd6afeee18e2a7f5b6b71d3ec50b4dc.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4676
- C:\Users\Admin\AppData\Local\Temp\acd6afeee18e2a7f5b6b71d3ec50b4dc.exe
  C:\Users\Admin\AppData\Local\Temp\acd6afeee18e2a7f5b6b71d3ec50b4dc.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\acd6afeee18e2a7f5b6b71d3ec50b4dc.exe

Filesize
1.5MB

MD5
4d55a9b5defac75446a1475ff4e6d7ba

SHA1
bdec12f71f9dc6c71ec07b15ce4e8ca89e70075b

SHA256
c795930dcf307720fe2edec1340aff7b8066efcb705f132c7a9b13c9aadcb8ef

SHA512
caf29f2abefdbed08bed402278389156c5075eb6eac3312260ab028d73e217a6b697332ee5cc80588ea984cd687225fb385ce17a865ea0f495c957cd40c23ce4

Download Submit
memory/1428-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1428-16-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/1428-20-0x0000000004EC0000-0x0000000004F1F000-memory.dmp

Filesize
380KB

Download
memory/1428-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1428-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1428-35-0x000000000B600000-0x000000000B63C000-memory.dmp

Filesize
240KB

Download
memory/1428-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4676-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4676-1-0x0000000001620000-0x0000000001686000-memory.dmp

Filesize
408KB

Download
memory/4676-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4676-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download