3c6f3e4f3fabd10a6af0e71a431e1e892b88a9ade7f5dd6615e27a4408205e37

Analysis

max time kernel
89s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12/03/2024, 23:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c45b5a5a42165406f19df16ed697cefe.exe
Size

907KB
MD5

c45b5a5a42165406f19df16ed697cefe
SHA1

a9d1b25da853514c8f1eedfd55cbc9a56546465a
SHA256

3c6f3e4f3fabd10a6af0e71a431e1e892b88a9ade7f5dd6615e27a4408205e37
SHA512

5def19a91052bc3fee3637b84a378e76e8ed92e921cdb3ff42a2a7d34c06e5a6242abc8805d071fc088c5b8c78ce0a04d4c96242210886fcc91863b30db7bbdd
SSDEEP

24576:faa7Jf5G285M6wv7AjQ9Ph/79uJjvbZja/ZS1:dRS5M6wv7S6PhIlBgS

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
5012	c45b5a5a42165406f19df16ed697cefe.exe

Executes dropped EXE 1 IoCs

pid	Process
5012	c45b5a5a42165406f19df16ed697cefe.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	pastebin.com
10	pastebin.com

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1228	c45b5a5a42165406f19df16ed697cefe.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1228	c45b5a5a42165406f19df16ed697cefe.exe
5012	c45b5a5a42165406f19df16ed697cefe.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1228 wrote to memory of 5012	1228	c45b5a5a42165406f19df16ed697cefe.exe	86
PID 1228 wrote to memory of 5012	1228	c45b5a5a42165406f19df16ed697cefe.exe	86
PID 1228 wrote to memory of 5012	1228	c45b5a5a42165406f19df16ed697cefe.exe	86

C:\Users\Admin\AppData\Local\Temp\c45b5a5a42165406f19df16ed697cefe.exe
"C:\Users\Admin\AppData\Local\Temp\c45b5a5a42165406f19df16ed697cefe.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Users\Admin\AppData\Local\Temp\c45b5a5a42165406f19df16ed697cefe.exe
  C:\Users\Admin\AppData\Local\Temp\c45b5a5a42165406f19df16ed697cefe.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:5012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c45b5a5a42165406f19df16ed697cefe.exe

Filesize
384KB

MD5
208403543c56cba5fe6c01697a9ca238

SHA1
584214caa67b4312a56bacf314036cd7773d227f

SHA256
e134f9598fda8e2db806ddc8a3b9be29d30775b3a9b8cbc5d49a5a348418e7fb

SHA512
723209ae350541be14a2f34b8c5721746b41bd716f951c64c1e9b49b9342381fa099dc53dce9f4b0bbc8920f1f5c5b54e2fc9aa6c3bbaedc3e5f5567527f89ff

Download Submit
memory/1228-0-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1228-2-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/1228-1-0x0000000001780000-0x0000000001868000-memory.dmp

Filesize
928KB

Download
memory/1228-11-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/5012-13-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/5012-14-0x00000000015B0000-0x0000000001698000-memory.dmp

Filesize
928KB

Download
memory/5012-20-0x00000000050B0000-0x000000000516B000-memory.dmp

Filesize
748KB

Download
memory/5012-21-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/5012-30-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5012-32-0x000000000C840000-0x000000000C8D8000-memory.dmp

Filesize
608KB

Download