e9158e8f12f9e75dcfb78474196cc9eee11702e562c07c1ebea1b1cfadea057c

Analysis

max time kernel
141s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08/03/2024, 02:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba58ea6b373dd0bc59026912d4b45209.exe
Size

385KB
MD5

ba58ea6b373dd0bc59026912d4b45209
SHA1

6e7428beb862138e6f02490e82b3ab4439fa46aa
SHA256

e9158e8f12f9e75dcfb78474196cc9eee11702e562c07c1ebea1b1cfadea057c
SHA512

34e59601a3312fc730195434469620fc9359e773de3176f6cf471d3b4468ca29a1472458df493fddb6abb8d57c15b84c2b6d3ed6cd429816496b6269f5908da8
SSDEEP

12288:Zyx/ltGltkfWSSAFtXDpsN/5GGsbk7zSVEwE0WGNbms02fnHM4zmzptXtd0kZwHq:gx/ltGlt2W8FtXDpsN/5psqzIEwE05Fi

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1776	ba58ea6b373dd0bc59026912d4b45209.exe

Executes dropped EXE 1 IoCs

pid	Process
1776	ba58ea6b373dd0bc59026912d4b45209.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	pastebin.com
7	pastebin.com

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2260	ba58ea6b373dd0bc59026912d4b45209.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2260	ba58ea6b373dd0bc59026912d4b45209.exe
1776	ba58ea6b373dd0bc59026912d4b45209.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 1776	2260	ba58ea6b373dd0bc59026912d4b45209.exe	87
PID 2260 wrote to memory of 1776	2260	ba58ea6b373dd0bc59026912d4b45209.exe	87
PID 2260 wrote to memory of 1776	2260	ba58ea6b373dd0bc59026912d4b45209.exe	87

C:\Users\Admin\AppData\Local\Temp\ba58ea6b373dd0bc59026912d4b45209.exe
"C:\Users\Admin\AppData\Local\Temp\ba58ea6b373dd0bc59026912d4b45209.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Users\Admin\AppData\Local\Temp\ba58ea6b373dd0bc59026912d4b45209.exe
  C:\Users\Admin\AppData\Local\Temp\ba58ea6b373dd0bc59026912d4b45209.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ba58ea6b373dd0bc59026912d4b45209.exe

Filesize
385KB

MD5
ede7ffbbf3e5e9c096ca6c897980548f

SHA1
b66d66a02c9e5a5f5e1982e28213e75e4a9cd912

SHA256
f3a64898b236b01ebf70bdc2471958ac21720e7f55ad6fa30b54a44c3a9f9d3e

SHA512
122d585ea2cb7ed0096f9fc0499366ec1dde3aab4c0ed12313331a18c96cf9031aa117ee4e5819da78792e5adb6038d9f7b54d91ae0f9af525e4bfdd73d65b8a

Download Submit
memory/1776-15-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/1776-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1776-20-0x00000000015F0000-0x000000000164F000-memory.dmp

Filesize
380KB

Download
memory/1776-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1776-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1776-31-0x000000000B600000-0x000000000B63C000-memory.dmp

Filesize
240KB

Download
memory/1776-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2260-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2260-1-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/2260-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2260-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download