c1c0eb696a9a1c48fdd859214f5575f22a9087b9cc29dd1ebd2a529ea631abe5

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
13-03-2024 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c679cf1e37daf0ad55ad7a6090f75041.exe
Size

385KB
MD5

c679cf1e37daf0ad55ad7a6090f75041
SHA1

b2aee1c29486709e8628afcb7ad76512ddea624d
SHA256

c1c0eb696a9a1c48fdd859214f5575f22a9087b9cc29dd1ebd2a529ea631abe5
SHA512

d15edd00653b81426ea4a49e4903fbd3aad0fe158fd6071a735578079e90dc638a22977e3eb5695f1155b5d345fb489446362401dd45f1c99d0d546ab34f7b99
SSDEEP

12288:v4DIMOYpQsORQyTq+3P5qRdKH2aQa/1gB:vgOYpoQyDRqmPgB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3588	c679cf1e37daf0ad55ad7a6090f75041.exe

Executes dropped EXE 1 IoCs

pid	Process
3588	c679cf1e37daf0ad55ad7a6090f75041.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
5	pastebin.com
17	pastebin.com

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1860	c679cf1e37daf0ad55ad7a6090f75041.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1860	c679cf1e37daf0ad55ad7a6090f75041.exe
3588	c679cf1e37daf0ad55ad7a6090f75041.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1860 wrote to memory of 3588	1860	c679cf1e37daf0ad55ad7a6090f75041.exe	88
PID 1860 wrote to memory of 3588	1860	c679cf1e37daf0ad55ad7a6090f75041.exe	88
PID 1860 wrote to memory of 3588	1860	c679cf1e37daf0ad55ad7a6090f75041.exe	88

C:\Users\Admin\AppData\Local\Temp\c679cf1e37daf0ad55ad7a6090f75041.exe
"C:\Users\Admin\AppData\Local\Temp\c679cf1e37daf0ad55ad7a6090f75041.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1860
- C:\Users\Admin\AppData\Local\Temp\c679cf1e37daf0ad55ad7a6090f75041.exe
  C:\Users\Admin\AppData\Local\Temp\c679cf1e37daf0ad55ad7a6090f75041.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:3588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c679cf1e37daf0ad55ad7a6090f75041.exe

Filesize
385KB

MD5
6be1f1b468d7246f36b1cb72a55f9d5a

SHA1
32e66d5e8259602a0fe4e919aea1c3d08a43f2a9

SHA256
a9163e4908659776aa101c14d8e504de7c8d634591b69fe16488d5f871d4a84e

SHA512
0ae18348219c2606ce7e85497c67861a36e355f7de5da7a388f4dabf3c5dff30e9a306c6d9f2bedd0e5749a9df2ded76f70a3b08af46e726d6799753eafc4bc7

Download Submit
memory/1860-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1860-1-0x00000000014D0000-0x0000000001536000-memory.dmp

Filesize
408KB

Download
memory/1860-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1860-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3588-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3588-14-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/3588-21-0x0000000004ED0000-0x0000000004F2F000-memory.dmp

Filesize
380KB

Download
memory/3588-20-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3588-32-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3588-37-0x000000000B620000-0x000000000B65C000-memory.dmp

Filesize
240KB

Download
memory/3588-38-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download