f0fca575c4c81ba505a18cbc8053618129452197f6dec45acad2e68a6d03fe99

Analysis

max time kernel
153s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05-03-2024 23:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b5f0556b6431a39b84ac1ae70a632f6f.exe
Size

907KB
MD5

b5f0556b6431a39b84ac1ae70a632f6f
SHA1

dd8af60037af8046319d9f38344c22c0a7eea223
SHA256

f0fca575c4c81ba505a18cbc8053618129452197f6dec45acad2e68a6d03fe99
SHA512

9a7d3ded3b3d6c1f5b2df845693879462681ba72414352731f08d4675d5482692b1861b31273d62c997dc5d087978525248eba62d37e045da5c535f8254af411
SSDEEP

24576:mKErA+ZUioNk3LA0yGevNEP9VA7NZa/ZS1:mvA+HgKMSevN0A3gS

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2052	b5f0556b6431a39b84ac1ae70a632f6f.exe

Executes dropped EXE 1 IoCs

pid	Process
2052	b5f0556b6431a39b84ac1ae70a632f6f.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
14	pastebin.com
15	pastebin.com

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1876	b5f0556b6431a39b84ac1ae70a632f6f.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1876	b5f0556b6431a39b84ac1ae70a632f6f.exe
2052	b5f0556b6431a39b84ac1ae70a632f6f.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1876 wrote to memory of 2052	1876	b5f0556b6431a39b84ac1ae70a632f6f.exe	90
PID 1876 wrote to memory of 2052	1876	b5f0556b6431a39b84ac1ae70a632f6f.exe	90
PID 1876 wrote to memory of 2052	1876	b5f0556b6431a39b84ac1ae70a632f6f.exe	90

C:\Users\Admin\AppData\Local\Temp\b5f0556b6431a39b84ac1ae70a632f6f.exe
"C:\Users\Admin\AppData\Local\Temp\b5f0556b6431a39b84ac1ae70a632f6f.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1876
- C:\Users\Admin\AppData\Local\Temp\b5f0556b6431a39b84ac1ae70a632f6f.exe
  C:\Users\Admin\AppData\Local\Temp\b5f0556b6431a39b84ac1ae70a632f6f.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\b5f0556b6431a39b84ac1ae70a632f6f.exe

Filesize
907KB

MD5
315b2db121193a29927ff7ce0be49f02

SHA1
f58b581bfda92b3d13d096ad0462eb344393352a

SHA256
05c7a22e43f7bc3621e5fdd1e15286066b226ab1f26026d6d57bc935498f7af7

SHA512
652aad0c92be31f47f44da476cf10681a5fca19f00304a7db8227a61cd78e3b3648faee640957d37a71fbe906e967f6f846edda11f9c149d096e58b1a231537c

Download Submit
memory/1876-0-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1876-1-0x00000000015B0000-0x0000000001698000-memory.dmp

Filesize
928KB

Download
memory/1876-2-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/1876-11-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2052-13-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2052-14-0x0000000001630000-0x0000000001718000-memory.dmp

Filesize
928KB

Download
memory/2052-20-0x0000000005090000-0x000000000514B000-memory.dmp

Filesize
748KB

Download
memory/2052-21-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2052-30-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2052-33-0x000000000B800000-0x000000000B898000-memory.dmp

Filesize
608KB

Download