aaf83ade0ba562370bce77e7b00ee001ad593279aeebe49bf8f53c575e55d2f3

Analysis

max time kernel
116s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13/03/2024, 18:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c69f57d48b40ab2c6220b156382071f1.exe
Size

771KB
MD5

c69f57d48b40ab2c6220b156382071f1
SHA1

5256a7ded96a486cd192f57f6a4cd8dd813da2ea
SHA256

aaf83ade0ba562370bce77e7b00ee001ad593279aeebe49bf8f53c575e55d2f3
SHA512

d556fd6ebfbb3659650832ecc5f8532a6c4795c0f2932986bb052d1f5ff89bdc1a152d9cc87cb0e98789de13ad6d9e92657ee767603b9287e831c99e9a8510e7
SSDEEP

24576:V0tpGQqm0trrCjnT5X7PyEBz24PkJtE1VPB:HrK5XLyWTkJy1VZ

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2636	c69f57d48b40ab2c6220b156382071f1.exe

Executes dropped EXE 1 IoCs

pid	Process
2636	c69f57d48b40ab2c6220b156382071f1.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	pastebin.com
15	pastebin.com

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3300	c69f57d48b40ab2c6220b156382071f1.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3300	c69f57d48b40ab2c6220b156382071f1.exe
2636	c69f57d48b40ab2c6220b156382071f1.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3300 wrote to memory of 2636	3300	c69f57d48b40ab2c6220b156382071f1.exe	85
PID 3300 wrote to memory of 2636	3300	c69f57d48b40ab2c6220b156382071f1.exe	85
PID 3300 wrote to memory of 2636	3300	c69f57d48b40ab2c6220b156382071f1.exe	85

C:\Users\Admin\AppData\Local\Temp\c69f57d48b40ab2c6220b156382071f1.exe
"C:\Users\Admin\AppData\Local\Temp\c69f57d48b40ab2c6220b156382071f1.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3300
- C:\Users\Admin\AppData\Local\Temp\c69f57d48b40ab2c6220b156382071f1.exe
  C:\Users\Admin\AppData\Local\Temp\c69f57d48b40ab2c6220b156382071f1.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c69f57d48b40ab2c6220b156382071f1.exe

Filesize
771KB

MD5
6bb3a2fe4e7ed5309639fdc913ebb5e8

SHA1
1b581d50ae6149bb945be07e55874cb05fd86608

SHA256
b52198fc723022e5224fa2ca404228426d988f94e0a90d7bf72cec5acf3ccd17

SHA512
9b0fc97198700072a5b966759c6ad859652d4f05b9ca726ae49a4a457ac4ca04bccc8ae53c68a2970611f03baef5047993ac5d6aa1ac9bfe54e8c08d1dffd9f0

Download Submit
memory/2636-14-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2636-17-0x00000000015E0000-0x0000000001646000-memory.dmp

Filesize
408KB

Download
memory/2636-20-0x0000000004EA0000-0x0000000004EFF000-memory.dmp

Filesize
380KB

Download
memory/2636-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2636-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2636-35-0x000000000C640000-0x000000000C67C000-memory.dmp

Filesize
240KB

Download
memory/2636-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3300-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3300-1-0x0000000000160000-0x00000000001C6000-memory.dmp

Filesize
408KB

Download
memory/3300-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3300-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download