b49f5ab20ed62954cee07c1a21b5f04b482becf1d7fad124a26ecc523da4490c

Analysis

max time kernel
146s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2024, 23:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b5fac17dfc00e5e1bb1549b7f8ad9e11.exe
Size

385KB
MD5

b5fac17dfc00e5e1bb1549b7f8ad9e11
SHA1

b615207047889306e8bce2ad98af924390762c87
SHA256

b49f5ab20ed62954cee07c1a21b5f04b482becf1d7fad124a26ecc523da4490c
SHA512

2d548299f91aa5a26cea5ba94759e483d06a4ef490bc5931e87591beb9483903d01b2125e33f8149dce3d957d6d18d4b78964f803c067a10f4561c9396fd955d
SSDEEP

6144:u9X2ghurkRsgYJcTRbaUxdE+A4IMy3aAMRbBDfTK9tyXph+WvoEdSB:u9X2ghJFNE+tdY/4DfTK9sppvH0B

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4192	b5fac17dfc00e5e1bb1549b7f8ad9e11.exe

Executes dropped EXE 1 IoCs

pid	Process
4192	b5fac17dfc00e5e1bb1549b7f8ad9e11.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	pastebin.com
7	pastebin.com

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1228	b5fac17dfc00e5e1bb1549b7f8ad9e11.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1228	b5fac17dfc00e5e1bb1549b7f8ad9e11.exe
4192	b5fac17dfc00e5e1bb1549b7f8ad9e11.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1228 wrote to memory of 4192	1228	b5fac17dfc00e5e1bb1549b7f8ad9e11.exe	90
PID 1228 wrote to memory of 4192	1228	b5fac17dfc00e5e1bb1549b7f8ad9e11.exe	90
PID 1228 wrote to memory of 4192	1228	b5fac17dfc00e5e1bb1549b7f8ad9e11.exe	90

C:\Users\Admin\AppData\Local\Temp\b5fac17dfc00e5e1bb1549b7f8ad9e11.exe
"C:\Users\Admin\AppData\Local\Temp\b5fac17dfc00e5e1bb1549b7f8ad9e11.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Users\Admin\AppData\Local\Temp\b5fac17dfc00e5e1bb1549b7f8ad9e11.exe
  C:\Users\Admin\AppData\Local\Temp\b5fac17dfc00e5e1bb1549b7f8ad9e11.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:4192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\b5fac17dfc00e5e1bb1549b7f8ad9e11.exe

Filesize
385KB

MD5
2aff6841c0fa883f802b6e97652e2858

SHA1
573a224b6462d9ff40d0393979423c1d9a4e7eb1

SHA256
801bf1ebea09a5a73e200308f31bf4736fcf1605a8778b169b1747000f1f0b76

SHA512
746185efd4616111f3967570fa34487ef3489b7c6ded94d2edc860a806bb3936eea1fdc545099c84af5d93d76b44cd22e5f7a7999ef249c982b3c881d4d58b65

Download Submit
memory/1228-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1228-1-0x00000000014D0000-0x0000000001536000-memory.dmp

Filesize
408KB

Download
memory/1228-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1228-12-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4192-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4192-14-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/4192-20-0x0000000004ED0000-0x0000000004F2F000-memory.dmp

Filesize
380KB

Download
memory/4192-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4192-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4192-32-0x000000000B610000-0x000000000B64C000-memory.dmp

Filesize
240KB

Download
memory/4192-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download