97c50ca9c839db378af12d29e0ceee51f80031a068b3d94885787af4c4e9b5c0

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07/03/2024, 10:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b87e2cf2ea37f75c4c991f45068487a0.exe
Size

385KB
MD5

b87e2cf2ea37f75c4c991f45068487a0
SHA1

42f154c88dfe9a7de5d8272fa95845de73868da7
SHA256

97c50ca9c839db378af12d29e0ceee51f80031a068b3d94885787af4c4e9b5c0
SHA512

286e47c718e42deb2bcc7facbc904cbe9158f32eedb5e6e6aa46ab8b7b0999025faeba07905dbbcbce81be6af4ad567cd2fde56021aacf5f9aa2705fe68d4c16
SSDEEP

12288:9emFZ+DzmxwkKrDDMY/mh4CbWHDhqYofFzvB:9jF0DSxwJMY/mh4EyjAvB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4800	b87e2cf2ea37f75c4c991f45068487a0.exe

Executes dropped EXE 1 IoCs

pid	Process
4800	b87e2cf2ea37f75c4c991f45068487a0.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
8	pastebin.com
9	pastebin.com

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2324	b87e2cf2ea37f75c4c991f45068487a0.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2324	b87e2cf2ea37f75c4c991f45068487a0.exe
4800	b87e2cf2ea37f75c4c991f45068487a0.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 4800	2324	b87e2cf2ea37f75c4c991f45068487a0.exe	88
PID 2324 wrote to memory of 4800	2324	b87e2cf2ea37f75c4c991f45068487a0.exe	88
PID 2324 wrote to memory of 4800	2324	b87e2cf2ea37f75c4c991f45068487a0.exe	88

C:\Users\Admin\AppData\Local\Temp\b87e2cf2ea37f75c4c991f45068487a0.exe
"C:\Users\Admin\AppData\Local\Temp\b87e2cf2ea37f75c4c991f45068487a0.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Users\Admin\AppData\Local\Temp\b87e2cf2ea37f75c4c991f45068487a0.exe
  C:\Users\Admin\AppData\Local\Temp\b87e2cf2ea37f75c4c991f45068487a0.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:4800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\b87e2cf2ea37f75c4c991f45068487a0.exe

Filesize
385KB

MD5
3667674b2b58b9722591a6fb035ebb98

SHA1
794546e8bd5e568d3fd5ae35633285cf6f983fc9

SHA256
29ed406b76e60c6f7b04c4f2f74a794e3e1b564179bae3e968ce77981e3f8103

SHA512
2c3e88d0308bacebac0c86f755a12f517029afc1261450832c0eac20c7de7c0634952b327ae0bb31ebcddf770ffe5b57c5b6fa8a2647bd29f649ffa5e526d246

Download Submit
memory/2324-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2324-1-0x0000000000190000-0x00000000001F6000-memory.dmp

Filesize
408KB

Download
memory/2324-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2324-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4800-16-0x00000000014D0000-0x0000000001536000-memory.dmp

Filesize
408KB

Download
memory/4800-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4800-20-0x0000000004EB0000-0x0000000004F0F000-memory.dmp

Filesize
380KB

Download
memory/4800-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4800-32-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4800-34-0x000000000C620000-0x000000000C65C000-memory.dmp

Filesize
240KB

Download
memory/4800-38-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download