cbb09d5e266fd8570f4c76b117805f233bd0cee7b69a83d22b5055769d1563d5

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08/03/2024, 04:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba8c0b246e027879c97cb0438d135ce1.exe
Size

385KB
MD5

ba8c0b246e027879c97cb0438d135ce1
SHA1

0fefbae896acf90d7b5dba46ad62c937d1a842c8
SHA256

cbb09d5e266fd8570f4c76b117805f233bd0cee7b69a83d22b5055769d1563d5
SHA512

15432657c67ad9b10bad4c6e2ee8c59c9f4cd937e27235105d9efb9fc0813eb7e1a7117db423ea6fbe72145f7d38f591d48f979d9c271f5bb37eb2cee8cba90a
SSDEEP

6144:l1GR2hBDZcsJXIP6neAcXVxE6PJvNLNKNJTjwL8kubAVvT/OFSQRmdIihUkE4B:l1GR2rZcsJXI4s0W0e8Zbw/nO8B

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4992	ba8c0b246e027879c97cb0438d135ce1.exe

Executes dropped EXE 1 IoCs

pid	Process
4992	ba8c0b246e027879c97cb0438d135ce1.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
5	pastebin.com
6	pastebin.com

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
5044	ba8c0b246e027879c97cb0438d135ce1.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
5044	ba8c0b246e027879c97cb0438d135ce1.exe
4992	ba8c0b246e027879c97cb0438d135ce1.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5044 wrote to memory of 4992	5044	ba8c0b246e027879c97cb0438d135ce1.exe	87
PID 5044 wrote to memory of 4992	5044	ba8c0b246e027879c97cb0438d135ce1.exe	87
PID 5044 wrote to memory of 4992	5044	ba8c0b246e027879c97cb0438d135ce1.exe	87

C:\Users\Admin\AppData\Local\Temp\ba8c0b246e027879c97cb0438d135ce1.exe
"C:\Users\Admin\AppData\Local\Temp\ba8c0b246e027879c97cb0438d135ce1.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:5044
- C:\Users\Admin\AppData\Local\Temp\ba8c0b246e027879c97cb0438d135ce1.exe
  C:\Users\Admin\AppData\Local\Temp\ba8c0b246e027879c97cb0438d135ce1.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:4992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ba8c0b246e027879c97cb0438d135ce1.exe

Filesize
385KB

MD5
993d095737b9b995cb0dc40b3adc0c39

SHA1
8b464467a247962786a93d367d4bad6d5c8e48dc

SHA256
51f8f4160f9d935d4bd0ff6c798d33cac4959d9e02eb7f478de039ba902f08ec

SHA512
0175448bd30e0f8b776713dd9497d9aa309854e8155f55f176dc7a65e9e6b303e17ddfe025e25281df17edbe8b115a273c25d71c980b89763243d00ec07406f1

Download Submit
memory/4992-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4992-16-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/4992-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4992-20-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4992-22-0x0000000002770000-0x00000000027CF000-memory.dmp

Filesize
380KB

Download
memory/4992-35-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4992-36-0x000000000C740000-0x000000000C77C000-memory.dmp

Filesize
240KB

Download
memory/4992-37-0x000000000C740000-0x000000000C77C000-memory.dmp

Filesize
240KB

Download
memory/5044-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/5044-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/5044-1-0x00000000014D0000-0x0000000001536000-memory.dmp

Filesize
408KB

Download
memory/5044-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download