d7ae027e598bca15df8b302d0e804b0ae77c8caa96cafe6a0acd48f6fc78f5ba

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2024, 01:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b63abacd4e2d5445b053abcd64a39ef9.exe
Size

385KB
MD5

b63abacd4e2d5445b053abcd64a39ef9
SHA1

a9e1ab864ea58838c1a14fb3474a1d77ee7f7ad5
SHA256

d7ae027e598bca15df8b302d0e804b0ae77c8caa96cafe6a0acd48f6fc78f5ba
SHA512

3916e44f8fa39e78061eb14159791eca1f72dd8d02a3491f78458bc3dd10fe375ce5dbdf121fab403d651c243f03a4369c2bffc95a6306638bb4b580edb603ec
SSDEEP

6144:0Z6keB9MpsaBQD6vC6dfXXuW+FZykmud5/tou+a8dou/aBp4uUZ3B:0eB9MQDoC6dfHoFZj1pESBah5B

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3896	b63abacd4e2d5445b053abcd64a39ef9.exe

Executes dropped EXE 1 IoCs

pid	Process
3896	b63abacd4e2d5445b053abcd64a39ef9.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
7	pastebin.com
8	pastebin.com

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3444	b63abacd4e2d5445b053abcd64a39ef9.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3444	b63abacd4e2d5445b053abcd64a39ef9.exe
3896	b63abacd4e2d5445b053abcd64a39ef9.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3444 wrote to memory of 3896	3444	b63abacd4e2d5445b053abcd64a39ef9.exe	88
PID 3444 wrote to memory of 3896	3444	b63abacd4e2d5445b053abcd64a39ef9.exe	88
PID 3444 wrote to memory of 3896	3444	b63abacd4e2d5445b053abcd64a39ef9.exe	88

C:\Users\Admin\AppData\Local\Temp\b63abacd4e2d5445b053abcd64a39ef9.exe
"C:\Users\Admin\AppData\Local\Temp\b63abacd4e2d5445b053abcd64a39ef9.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3444
- C:\Users\Admin\AppData\Local\Temp\b63abacd4e2d5445b053abcd64a39ef9.exe
  C:\Users\Admin\AppData\Local\Temp\b63abacd4e2d5445b053abcd64a39ef9.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:3896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\b63abacd4e2d5445b053abcd64a39ef9.exe

Filesize
385KB

MD5
4d37cbd06e9be8ef3072e970eb0af214

SHA1
2a4b03bd473ca06e1742962d7bc63a3f5fe9f6e9

SHA256
064ab9e3893f90c38ebf66a66dae067ebc7489d04970103d2c7fe3cfdf563bc9

SHA512
12ddc603a8a8c79c4b936efce0b5321e3aac820c742ce2f4d8dea9e9395970f450795384668c17aff6f8fd41fcacda2e58be869d9fe8bcf1c0511c22734cbdd8

Download Submit
memory/3444-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3444-1-0x00000000015A0000-0x0000000001606000-memory.dmp

Filesize
408KB

Download
memory/3444-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3444-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3896-14-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3896-17-0x0000000000150000-0x00000000001B6000-memory.dmp

Filesize
408KB

Download
memory/3896-20-0x0000000004E90000-0x0000000004EEF000-memory.dmp

Filesize
380KB

Download
memory/3896-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3896-32-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3896-37-0x000000000C620000-0x000000000C65C000-memory.dmp

Filesize
240KB

Download
memory/3896-38-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download