aeeddf379c019468a7a6f6ce0c8e3ba68d82030206fd87935b56aa6bf214ddaf

Analysis

max time kernel
89s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13/03/2024, 07:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c54a2ba117db5bb16c0f58f28a5351a9.exe
Size

385KB
MD5

c54a2ba117db5bb16c0f58f28a5351a9
SHA1

949c3ec60e47d6177cbd5dcca878dbbe52818e52
SHA256

aeeddf379c019468a7a6f6ce0c8e3ba68d82030206fd87935b56aa6bf214ddaf
SHA512

360d159733ec0c9b4fefb0dd9d353b159906a36b7fa7da6441ea1eda6041f7ea6fbb0f8ba2d922fef36ea3f465f655fb7297aff43ef8d05259ff3237a05c3352
SSDEEP

12288:bBVMJzFiSnDe26fmebwV0pdKXai2FGOwB:dkFike2LYwVk03pB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4356	c54a2ba117db5bb16c0f58f28a5351a9.exe

Executes dropped EXE 1 IoCs

pid	Process
4356	c54a2ba117db5bb16c0f58f28a5351a9.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	pastebin.com
7	pastebin.com

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2936	c54a2ba117db5bb16c0f58f28a5351a9.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2936	c54a2ba117db5bb16c0f58f28a5351a9.exe
4356	c54a2ba117db5bb16c0f58f28a5351a9.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 4356	2936	c54a2ba117db5bb16c0f58f28a5351a9.exe	84
PID 2936 wrote to memory of 4356	2936	c54a2ba117db5bb16c0f58f28a5351a9.exe	84
PID 2936 wrote to memory of 4356	2936	c54a2ba117db5bb16c0f58f28a5351a9.exe	84

C:\Users\Admin\AppData\Local\Temp\c54a2ba117db5bb16c0f58f28a5351a9.exe
"C:\Users\Admin\AppData\Local\Temp\c54a2ba117db5bb16c0f58f28a5351a9.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Users\Admin\AppData\Local\Temp\c54a2ba117db5bb16c0f58f28a5351a9.exe
  C:\Users\Admin\AppData\Local\Temp\c54a2ba117db5bb16c0f58f28a5351a9.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:4356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c54a2ba117db5bb16c0f58f28a5351a9.exe

Filesize
385KB

MD5
4234ff7c7cb30b6439b40f0e5fb9447d

SHA1
636823a1d5f0de22c14022ede6a4b8ad1099845e

SHA256
4e2c994c173577ea644f5d59dbe5e5412e2e36467470c7361a800552f7945133

SHA512
53044c837a380904ddf0468661bb886afa57b29de533342a4151208ec17283e6ceef96f9fe13a224f9bfdd1eaa511e6d8b6e16792104fe5cea2c56335100d0f5

Download Submit
memory/2936-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2936-1-0x0000000000190000-0x00000000001F6000-memory.dmp

Filesize
408KB

Download
memory/2936-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2936-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4356-15-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/4356-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4356-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4356-20-0x0000000004E90000-0x0000000004EEF000-memory.dmp

Filesize
380KB

Download
memory/4356-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4356-35-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4356-36-0x000000000B600000-0x000000000B63C000-memory.dmp

Filesize
240KB

Download
memory/4356-37-0x000000000B600000-0x000000000B63C000-memory.dmp

Filesize
240KB

Download