64ac35b287ec0f37d0f69e3949a2f08d181252d14fa308fc58f40723a3fb3fce

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05-03-2024 14:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b4f57d122f953b207651a5bdfef0dc38.exe
Size

385KB
MD5

b4f57d122f953b207651a5bdfef0dc38
SHA1

960f45884f9192b4e215d1122ef056bc42b938ed
SHA256

64ac35b287ec0f37d0f69e3949a2f08d181252d14fa308fc58f40723a3fb3fce
SHA512

12caa5bd6f804be2d204240c5ed569ed176ea8cf8a775623bf4d62767c0dd1112653557b7f15959e68a23af3e3799585a99a023ed57229012c523cd767647fac
SSDEEP

6144:YayAvLV6cqPhtkpenvQSHav4F+PQjHD793+Ywph3kmPAs1dX3WCdN+Q2RyZomBLg:/LkcCkpiQhm3jj70YwpGmosEW7BOB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4024	b4f57d122f953b207651a5bdfef0dc38.exe

Executes dropped EXE 1 IoCs

pid	Process
4024	b4f57d122f953b207651a5bdfef0dc38.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	pastebin.com
5	pastebin.com

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3528	b4f57d122f953b207651a5bdfef0dc38.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3528	b4f57d122f953b207651a5bdfef0dc38.exe
4024	b4f57d122f953b207651a5bdfef0dc38.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3528 wrote to memory of 4024	3528	b4f57d122f953b207651a5bdfef0dc38.exe	89
PID 3528 wrote to memory of 4024	3528	b4f57d122f953b207651a5bdfef0dc38.exe	89
PID 3528 wrote to memory of 4024	3528	b4f57d122f953b207651a5bdfef0dc38.exe	89

C:\Users\Admin\AppData\Local\Temp\b4f57d122f953b207651a5bdfef0dc38.exe
"C:\Users\Admin\AppData\Local\Temp\b4f57d122f953b207651a5bdfef0dc38.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3528
- C:\Users\Admin\AppData\Local\Temp\b4f57d122f953b207651a5bdfef0dc38.exe
  C:\Users\Admin\AppData\Local\Temp\b4f57d122f953b207651a5bdfef0dc38.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:4024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\b4f57d122f953b207651a5bdfef0dc38.exe

Filesize
385KB

MD5
4fc5794c8a2399a47d31e5f3c16a2fab

SHA1
bdc979ac513ff4e95f4417f3f877ceca3b02a7eb

SHA256
3a3a5224b172ba5f94c73ddf23b96c7fe8251f4eed88e2d00ed57d487644edb4

SHA512
fb0b792916f20038677cb190e97f938fdb9e3fd5b71cd24240ca7f2783f968221a21697f8d58caf6b98e5cdce070f2eb61032e93c28ad90e41891adfe7209675

Download Submit
memory/3528-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3528-1-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/3528-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3528-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4024-17-0x00000000015F0000-0x0000000001656000-memory.dmp

Filesize
408KB

Download
memory/4024-14-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4024-21-0x0000000004E80000-0x0000000004EDF000-memory.dmp

Filesize
380KB

Download
memory/4024-20-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4024-32-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4024-37-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4024-38-0x000000000C620000-0x000000000C65C000-memory.dmp

Filesize
240KB

Download
memory/4024-39-0x000000000C620000-0x000000000C65C000-memory.dmp

Filesize
240KB

Download