44b64411ab9beca59c50ea1eceafa1670363e1645ac4fc16d836e5825f5c129b

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
14/03/2024, 04:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c7bf07ae7e7d625c1f8ab524d41170fe.exe
Size

1.5MB
MD5

c7bf07ae7e7d625c1f8ab524d41170fe
SHA1

7723575493b60c7de753de637475fc63a59e2e8a
SHA256

44b64411ab9beca59c50ea1eceafa1670363e1645ac4fc16d836e5825f5c129b
SHA512

98ecc032bc7d4456ba07f870684ad4df4aed2f564305b172353a567c773a961e248e1ac4d9540ff1948fef4167678f75b207c3d66348fc341fda7a7fd650ab67
SSDEEP

24576:+Dnl0VZQ0Gb10hJaothZ2/T6FBBjNPI5lqkfZSkHR82b10hJaothZ2/T6FBBT:+Dl0VZQL/ofqg4/ofp

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2256	c7bf07ae7e7d625c1f8ab524d41170fe.exe

Executes dropped EXE 1 IoCs

pid	Process
2256	c7bf07ae7e7d625c1f8ab524d41170fe.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
7	pastebin.com
10	pastebin.com

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2196	c7bf07ae7e7d625c1f8ab524d41170fe.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2196	c7bf07ae7e7d625c1f8ab524d41170fe.exe
2256	c7bf07ae7e7d625c1f8ab524d41170fe.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 2256	2196	c7bf07ae7e7d625c1f8ab524d41170fe.exe	88
PID 2196 wrote to memory of 2256	2196	c7bf07ae7e7d625c1f8ab524d41170fe.exe	88
PID 2196 wrote to memory of 2256	2196	c7bf07ae7e7d625c1f8ab524d41170fe.exe	88

C:\Users\Admin\AppData\Local\Temp\c7bf07ae7e7d625c1f8ab524d41170fe.exe
"C:\Users\Admin\AppData\Local\Temp\c7bf07ae7e7d625c1f8ab524d41170fe.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Users\Admin\AppData\Local\Temp\c7bf07ae7e7d625c1f8ab524d41170fe.exe
  C:\Users\Admin\AppData\Local\Temp\c7bf07ae7e7d625c1f8ab524d41170fe.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c7bf07ae7e7d625c1f8ab524d41170fe.exe

Filesize
1.2MB

MD5
ef89e33d283d5a877016c0be9b17fad5

SHA1
474dc61bb0da12dc08fb6adaaf7e33ac5cbfe023

SHA256
9144446e1a094d22ff702ae08770f6a4623074d1d5c435f60d8419077049cf1b

SHA512
723cad8d64448a536bd0dc9a6272901ba7b12f3c942f10b19e1a0876cc70a8eb1c09a6674ce4fd99516f3ef87aca139b63697ef0320e19c3aa8b706b922f1f79

Download Submit
memory/2196-1-0x0000000000170000-0x00000000001D6000-memory.dmp

Filesize
408KB

Download
memory/2196-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2196-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2196-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2256-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2256-16-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/2256-20-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2256-22-0x0000000004EB0000-0x0000000004F0F000-memory.dmp

Filesize
380KB

Download
memory/2256-32-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2256-36-0x000000000C660000-0x000000000C69C000-memory.dmp

Filesize
240KB

Download
memory/2256-38-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download