d26c40a466038fbdf578b2f84f6f85604e61852af72b76b563791f6566292e8d

Analysis

max time kernel
93s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08/03/2024, 06:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bab8261e76c57d523b74bf29df4a4e0a.exe
Size

771KB
MD5

bab8261e76c57d523b74bf29df4a4e0a
SHA1

04185caa99e11abe68d67093e911d8ace0330369
SHA256

d26c40a466038fbdf578b2f84f6f85604e61852af72b76b563791f6566292e8d
SHA512

8d9201229ce909a3313048f2a3aeab229431e6f44586365ceaf2175d6f81eae563d7ef4b239a21e04d2ea73023a46c916e26e6ce8174461811ab1e9b03507ead
SSDEEP

12288:Z7f8VCnARUOkzWHRBvg23tFb10VHmDXTuFaa2AtyGTKOF25ZoJJyhRge8BpH9PVB:ZT8owlEWHRB4crb10hJaothZ2/T6FBBB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4748	bab8261e76c57d523b74bf29df4a4e0a.exe

Executes dropped EXE 1 IoCs

pid	Process
4748	bab8261e76c57d523b74bf29df4a4e0a.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
22	pastebin.com
19	pastebin.com

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3484	bab8261e76c57d523b74bf29df4a4e0a.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3484	bab8261e76c57d523b74bf29df4a4e0a.exe
4748	bab8261e76c57d523b74bf29df4a4e0a.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3484 wrote to memory of 4748	3484	bab8261e76c57d523b74bf29df4a4e0a.exe	89
PID 3484 wrote to memory of 4748	3484	bab8261e76c57d523b74bf29df4a4e0a.exe	89
PID 3484 wrote to memory of 4748	3484	bab8261e76c57d523b74bf29df4a4e0a.exe	89

C:\Users\Admin\AppData\Local\Temp\bab8261e76c57d523b74bf29df4a4e0a.exe
"C:\Users\Admin\AppData\Local\Temp\bab8261e76c57d523b74bf29df4a4e0a.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3484
- C:\Users\Admin\AppData\Local\Temp\bab8261e76c57d523b74bf29df4a4e0a.exe
  C:\Users\Admin\AppData\Local\Temp\bab8261e76c57d523b74bf29df4a4e0a.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:4748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bab8261e76c57d523b74bf29df4a4e0a.exe

Filesize
318KB

MD5
02b78867615c3d99532b8ba58532318b

SHA1
8c9239e540e3ea84223268c7bc68937815845caa

SHA256
64629c87f0b82ab13d5f1e1f51afdb3c72a1a4ff87fc3050008042a3375eb2cb

SHA512
6e8bf0669e685fa686dd9754fc6d1948d588cb1c474cc626766897db83cde7de8e4781a5abec4b8df4999b02f6a66c5421fa1959c0dfca6579c3ce08e64ee004

Download Submit
memory/3484-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3484-1-0x0000000000190000-0x00000000001F6000-memory.dmp

Filesize
408KB

Download
memory/3484-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3484-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4748-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4748-16-0x00000000014D0000-0x0000000001536000-memory.dmp

Filesize
408KB

Download
memory/4748-20-0x0000000004EC0000-0x0000000004F1F000-memory.dmp

Filesize
380KB

Download
memory/4748-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4748-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4748-31-0x000000000C640000-0x000000000C67C000-memory.dmp

Filesize
240KB

Download
memory/4748-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download