11110b49e161716c50adde110982142018ccdc69cbbbe2d9fd3b1582934d49c9

Analysis

max time kernel
90s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2024, 19:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c16eb08f855513ae5a3f4c71434a4741.exe
Size

385KB
MD5

c16eb08f855513ae5a3f4c71434a4741
SHA1

31d10377c23107be7cb8735f5f5bef5cefa6f5c6
SHA256

11110b49e161716c50adde110982142018ccdc69cbbbe2d9fd3b1582934d49c9
SHA512

4d9ae6861a0377bb9581e32afc9057bc802b9cab6dca37d57a9d5513c01891b081b9a7b2dc88e0005ea73f39afbe3875a756ad3ebc3de33ffee99a65eb1b4577
SSDEEP

12288:S/H7LS0eDvabzdSf4zs1UWaSwZNzyYyqbUzmVjsB:2qiH8Qzs1WSeQYjbUAIB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3324	c16eb08f855513ae5a3f4c71434a4741.exe

Executes dropped EXE 1 IoCs

pid	Process
3324	c16eb08f855513ae5a3f4c71434a4741.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	pastebin.com
8	pastebin.com

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3372	c16eb08f855513ae5a3f4c71434a4741.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3372	c16eb08f855513ae5a3f4c71434a4741.exe
3324	c16eb08f855513ae5a3f4c71434a4741.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3372 wrote to memory of 3324	3372	c16eb08f855513ae5a3f4c71434a4741.exe	84
PID 3372 wrote to memory of 3324	3372	c16eb08f855513ae5a3f4c71434a4741.exe	84
PID 3372 wrote to memory of 3324	3372	c16eb08f855513ae5a3f4c71434a4741.exe	84

C:\Users\Admin\AppData\Local\Temp\c16eb08f855513ae5a3f4c71434a4741.exe
"C:\Users\Admin\AppData\Local\Temp\c16eb08f855513ae5a3f4c71434a4741.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3372
- C:\Users\Admin\AppData\Local\Temp\c16eb08f855513ae5a3f4c71434a4741.exe
  C:\Users\Admin\AppData\Local\Temp\c16eb08f855513ae5a3f4c71434a4741.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:3324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c16eb08f855513ae5a3f4c71434a4741.exe

Filesize
385KB

MD5
ac3b113213a86ca2929560283c19b21c

SHA1
b1d1255218da9c55c497ae19eb5596e4bd253aaa

SHA256
f12647e62b7f59130da8bb6f720a4b28b9be518e48f6587df1fb03edf953ee39

SHA512
05a5d6390f14a90744818849d4d11e771f97bcd6ac9cd579c922019ef7b50dc53690c3c968af3a739c66f13e3568a9a89a19e12ce935ee9fdc23d9ff1939e143

Download Submit
memory/3324-14-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3324-17-0x00000000014D0000-0x0000000001536000-memory.dmp

Filesize
408KB

Download
memory/3324-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3324-20-0x0000000004EE0000-0x0000000004F3F000-memory.dmp

Filesize
380KB

Download
memory/3324-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3324-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3324-35-0x000000000B610000-0x000000000B64C000-memory.dmp

Filesize
240KB

Download
memory/3372-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3372-1-0x0000000000190000-0x00000000001F6000-memory.dmp

Filesize
408KB

Download
memory/3372-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3372-12-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download