6fc154355530ed687cc55ceb0790ced73b8e35c7e8c2948f27bbbf686c5fcbca

Analysis

max time kernel
92s
max time network
115s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29-02-2024 09:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ae23bf8c39c52f21f698f0b24d94bd6f.exe
Size

385KB
MD5

ae23bf8c39c52f21f698f0b24d94bd6f
SHA1

1880e08e49cd0b2076f5835d7f82902d6c8f0726
SHA256

6fc154355530ed687cc55ceb0790ced73b8e35c7e8c2948f27bbbf686c5fcbca
SHA512

7e58ad4e140839bbd1d4ce30a5cc17e934dea0a64f2a7d75de0061721f73de68a6d5f49a3fcb586d9bd26c95b21ab68013d3692cff114ef1ac9638eed8297aeb
SSDEEP

12288:SlOUAj3pR2HUunv1gBdXuXe1vxI6EgvkB:SlO3WHUunC+wve6EdB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1616	ae23bf8c39c52f21f698f0b24d94bd6f.exe

Executes dropped EXE 1 IoCs

pid	Process
1616	ae23bf8c39c52f21f698f0b24d94bd6f.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	pastebin.com
6	pastebin.com

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
452	ae23bf8c39c52f21f698f0b24d94bd6f.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
452	ae23bf8c39c52f21f698f0b24d94bd6f.exe
1616	ae23bf8c39c52f21f698f0b24d94bd6f.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 452 wrote to memory of 1616	452	ae23bf8c39c52f21f698f0b24d94bd6f.exe	89
PID 452 wrote to memory of 1616	452	ae23bf8c39c52f21f698f0b24d94bd6f.exe	89
PID 452 wrote to memory of 1616	452	ae23bf8c39c52f21f698f0b24d94bd6f.exe	89

C:\Users\Admin\AppData\Local\Temp\ae23bf8c39c52f21f698f0b24d94bd6f.exe
"C:\Users\Admin\AppData\Local\Temp\ae23bf8c39c52f21f698f0b24d94bd6f.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:452
- C:\Users\Admin\AppData\Local\Temp\ae23bf8c39c52f21f698f0b24d94bd6f.exe
  C:\Users\Admin\AppData\Local\Temp\ae23bf8c39c52f21f698f0b24d94bd6f.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ae23bf8c39c52f21f698f0b24d94bd6f.exe

Filesize
385KB

MD5
18defd18874e37237f412d49e7a65e50

SHA1
e8db6e1c68eb0e3c2b610756cb07e943115578d8

SHA256
29dd45e05e465574f8684d03faac734a8cc7422c157ba8ecf0e29d35d434e234

SHA512
f9fd0da20b68601fcd44e6e7b81f7a6a88ee2befdeb5a61181bbea1cb855c3ce1a55441f50d4751453febecaaf8cfc5aef1c86ad05ae1f5b410b6202c254a34d

Download Submit
memory/452-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/452-1-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/452-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/452-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1616-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1616-16-0x0000000000170000-0x00000000001D6000-memory.dmp

Filesize
408KB

Download
memory/1616-20-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1616-22-0x0000000004ED0000-0x0000000004F2F000-memory.dmp

Filesize
380KB

Download
memory/1616-32-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1616-37-0x000000000B610000-0x000000000B64C000-memory.dmp

Filesize
240KB

Download
memory/1616-38-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download