6c6584bc84e6d9aa95a6caba991ce086e07a35f5c885598d907501f7dee9eb91

Analysis

max time kernel
147s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
14/03/2024, 03:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c79292195039202bf56f39b462f5b017.exe
Size

385KB
MD5

c79292195039202bf56f39b462f5b017
SHA1

daef4e0a17a7bca2125be42cc7e7b9f403391086
SHA256

6c6584bc84e6d9aa95a6caba991ce086e07a35f5c885598d907501f7dee9eb91
SHA512

2d62b52e0759af99ef2789020ba908bae97796707c10b37e2c8fdfdf620cd036c96b2a1f01f590fffee3dc71bd34f6201d97ec6259ee322db1f922c150768853
SSDEEP

6144:U1OR32NJg3B2w/4+xbeoaMy6KohtoWynJMylGtWcwiCH8CfUajLIEB:U1xNJg3BJ/4odDJboWyJJUelsEB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4888	c79292195039202bf56f39b462f5b017.exe

Executes dropped EXE 1 IoCs

pid	Process
4888	c79292195039202bf56f39b462f5b017.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
16	pastebin.com
17	pastebin.com

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1112	c79292195039202bf56f39b462f5b017.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1112	c79292195039202bf56f39b462f5b017.exe
4888	c79292195039202bf56f39b462f5b017.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1112 wrote to memory of 4888	1112	c79292195039202bf56f39b462f5b017.exe	91
PID 1112 wrote to memory of 4888	1112	c79292195039202bf56f39b462f5b017.exe	91
PID 1112 wrote to memory of 4888	1112	c79292195039202bf56f39b462f5b017.exe	91

C:\Users\Admin\AppData\Local\Temp\c79292195039202bf56f39b462f5b017.exe
"C:\Users\Admin\AppData\Local\Temp\c79292195039202bf56f39b462f5b017.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1112
- C:\Users\Admin\AppData\Local\Temp\c79292195039202bf56f39b462f5b017.exe
  C:\Users\Admin\AppData\Local\Temp\c79292195039202bf56f39b462f5b017.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:4888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c79292195039202bf56f39b462f5b017.exe

Filesize
385KB

MD5
a1b7b4682efc92f813caa2c7bfad4736

SHA1
b905c8ebd4fa6522cc165328fc721df10ca58a9b

SHA256
e69b17f4825c9df0af83ffd2228642b36660f5cff8e93a0424ac1825033a6be7

SHA512
aed84067bbb4e5371166af82ed553fed08a692bed7d10cc0fa645b8819f1ccdb958429b9f1b988dd5f6d1b23b48068ced1aa6a6a3bd1e6471cc83dcfb9d9719a

Download Submit
memory/1112-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1112-1-0x00000000015E0000-0x0000000001646000-memory.dmp

Filesize
408KB

Download
memory/1112-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1112-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4888-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4888-15-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/4888-20-0x0000000001670000-0x00000000016CF000-memory.dmp

Filesize
380KB

Download
memory/4888-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4888-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4888-35-0x000000000B610000-0x000000000B64C000-memory.dmp

Filesize
240KB

Download
memory/4888-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download