abb8153d2000492cc39c5e105bc9fb373f7b87d49fff3c793141dc46dadef362

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12/03/2024, 03:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c2606145cf8be24a0384977092e75fe0.exe
Size

907KB
MD5

c2606145cf8be24a0384977092e75fe0
SHA1

a129a786310d2256ddde175ca27af39c2d87b525
SHA256

abb8153d2000492cc39c5e105bc9fb373f7b87d49fff3c793141dc46dadef362
SHA512

1df1b098a1fd294ee8949eea037ebb23ccde43f6b5c3546abeb8b49e9db2b00a995753e48a3806fa54293eca65e3ed5a125e38d62c84bca485485079885ba2b9
SSDEEP

24576:rB/NhfEhHQrSyrY/N6JBXCRn2r5z7Po5QJra/ZS1:rJNhOHO+zn2NAWgS

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1496	c2606145cf8be24a0384977092e75fe0.exe

Executes dropped EXE 1 IoCs

pid	Process
1496	c2606145cf8be24a0384977092e75fe0.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
8	pastebin.com
7	pastebin.com

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2660	c2606145cf8be24a0384977092e75fe0.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2660	c2606145cf8be24a0384977092e75fe0.exe
1496	c2606145cf8be24a0384977092e75fe0.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2660 wrote to memory of 1496	2660	c2606145cf8be24a0384977092e75fe0.exe	92
PID 2660 wrote to memory of 1496	2660	c2606145cf8be24a0384977092e75fe0.exe	92
PID 2660 wrote to memory of 1496	2660	c2606145cf8be24a0384977092e75fe0.exe	92

C:\Users\Admin\AppData\Local\Temp\c2606145cf8be24a0384977092e75fe0.exe
"C:\Users\Admin\AppData\Local\Temp\c2606145cf8be24a0384977092e75fe0.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Users\Admin\AppData\Local\Temp\c2606145cf8be24a0384977092e75fe0.exe
  C:\Users\Admin\AppData\Local\Temp\c2606145cf8be24a0384977092e75fe0.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c2606145cf8be24a0384977092e75fe0.exe

Filesize
907KB

MD5
5b91e4566d4382ed0e08ac747023305b

SHA1
19eabfaedff3ee438b324399f194a4de009dac79

SHA256
dc7bc0ccb8b391f8bdefbcc318746fe258cd42c8492480a4f654474ab99da8c2

SHA512
f82b1b34ac39f28c214503891e976af63dc90a858b6abb2a6d244e9563e10a1f614c65d6e2a8e0acb3826e96b86f63e6dbcc20e213af4fe0b7b7e8c4d48a6035

Download Submit
memory/1496-13-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1496-15-0x0000000001720000-0x0000000001808000-memory.dmp

Filesize
928KB

Download
memory/1496-20-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1496-22-0x00000000050D0000-0x000000000518B000-memory.dmp

Filesize
748KB

Download
memory/1496-32-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1496-35-0x000000000D860000-0x000000000D8F8000-memory.dmp

Filesize
608KB

Download
memory/2660-0-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2660-1-0x0000000001780000-0x0000000001868000-memory.dmp

Filesize
928KB

Download
memory/2660-2-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2660-11-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download