8ec809f6eda1d718a5318eb7276be85831da72f8140d91fd76f75fd486d11d0f

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08/03/2024, 13:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb5bf8d30cba79736005d6a792061f14.exe
Size

385KB
MD5

bb5bf8d30cba79736005d6a792061f14
SHA1

501157bd74763aae6cee4f24089257075c5fa3ea
SHA256

8ec809f6eda1d718a5318eb7276be85831da72f8140d91fd76f75fd486d11d0f
SHA512

d2a87495466ed62e793452135a33cac87534909b5985c80e2703939a73d49366e56b83948300b481d8b547726b61e8832930a77802ad3229436d48aa98af9312
SSDEEP

6144:JsflM5LRUfsaLumtLNokm+TeqzCkR3EE4LTIPmK6x7bH+qzmA+6w/B:JdtaXfLTeSOc4KqzX+6OB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2168	bb5bf8d30cba79736005d6a792061f14.exe

Executes dropped EXE 1 IoCs

pid	Process
2168	bb5bf8d30cba79736005d6a792061f14.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
10	pastebin.com
18	pastebin.com

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4964	bb5bf8d30cba79736005d6a792061f14.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4964	bb5bf8d30cba79736005d6a792061f14.exe
2168	bb5bf8d30cba79736005d6a792061f14.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4964 wrote to memory of 2168	4964	bb5bf8d30cba79736005d6a792061f14.exe	89
PID 4964 wrote to memory of 2168	4964	bb5bf8d30cba79736005d6a792061f14.exe	89
PID 4964 wrote to memory of 2168	4964	bb5bf8d30cba79736005d6a792061f14.exe	89

C:\Users\Admin\AppData\Local\Temp\bb5bf8d30cba79736005d6a792061f14.exe
"C:\Users\Admin\AppData\Local\Temp\bb5bf8d30cba79736005d6a792061f14.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4964
- C:\Users\Admin\AppData\Local\Temp\bb5bf8d30cba79736005d6a792061f14.exe
  C:\Users\Admin\AppData\Local\Temp\bb5bf8d30cba79736005d6a792061f14.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bb5bf8d30cba79736005d6a792061f14.exe

Filesize
385KB

MD5
beb49e67cd95c2e4d16dd8cf70605825

SHA1
670559aac425166c7e42a2c38b9bfe507f066b2c

SHA256
bb542d545d1c96dc11ec0117ac17376df6ccb9dd544fc7b3a09e81ab4cb3ca15

SHA512
71553e0da2048f1b07990da2774acd357d187236f8065cd61399fdfeeabf1600ec73ab43df4a22673d7348d7c4489a33b4387b8c2899d5c73a782052afc0c614

Download Submit
memory/2168-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2168-15-0x0000000001640000-0x00000000016A6000-memory.dmp

Filesize
408KB

Download
memory/2168-20-0x0000000004E90000-0x0000000004EEF000-memory.dmp

Filesize
380KB

Download
memory/2168-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2168-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2168-32-0x000000000B600000-0x000000000B63C000-memory.dmp

Filesize
240KB

Download
memory/2168-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4964-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4964-1-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/4964-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4964-12-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download