0efe7336e61c0e3fef4f3ec8987700b87444891809a23d714a7f17bf4496ed3f

Analysis

max time kernel
138s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
14/03/2024, 10:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c863e36cb0270c9cec1fea46ae6fe0bc.exe
Size

385KB
MD5

c863e36cb0270c9cec1fea46ae6fe0bc
SHA1

7f080700719a8bf56b250875c8153fdec9559d70
SHA256

0efe7336e61c0e3fef4f3ec8987700b87444891809a23d714a7f17bf4496ed3f
SHA512

20ef6e28519f55112c64457f1d119a3ce0d1e7ad4a72532d30c4625f6ef58f7ade26594e7d71de4d2f7dd2a1211f2a8c747fdf27d674829fa21c30340259a4bd
SSDEEP

12288:z3eGjWPefe67m2Fx7YtVDUjYml1Kwrc+FHn9rJB:z39Kefe67Fx74wUmltrZ9tB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4452	c863e36cb0270c9cec1fea46ae6fe0bc.exe

Executes dropped EXE 1 IoCs

pid	Process
4452	c863e36cb0270c9cec1fea46ae6fe0bc.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
22	pastebin.com
23	pastebin.com

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4428	c863e36cb0270c9cec1fea46ae6fe0bc.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4428	c863e36cb0270c9cec1fea46ae6fe0bc.exe
4452	c863e36cb0270c9cec1fea46ae6fe0bc.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4428 wrote to memory of 4452	4428	c863e36cb0270c9cec1fea46ae6fe0bc.exe	91
PID 4428 wrote to memory of 4452	4428	c863e36cb0270c9cec1fea46ae6fe0bc.exe	91
PID 4428 wrote to memory of 4452	4428	c863e36cb0270c9cec1fea46ae6fe0bc.exe	91

C:\Users\Admin\AppData\Local\Temp\c863e36cb0270c9cec1fea46ae6fe0bc.exe
"C:\Users\Admin\AppData\Local\Temp\c863e36cb0270c9cec1fea46ae6fe0bc.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4428
- C:\Users\Admin\AppData\Local\Temp\c863e36cb0270c9cec1fea46ae6fe0bc.exe
  C:\Users\Admin\AppData\Local\Temp\c863e36cb0270c9cec1fea46ae6fe0bc.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:4452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c863e36cb0270c9cec1fea46ae6fe0bc.exe

Filesize
385KB

MD5
39b16c0a976c90fd6e1cdad4a9f4d2c8

SHA1
1436107b66eb8060a784d302613f613f591b2f3a

SHA256
8fbb0e5fad129fb0efde059a39d0c6ad4d677aa5af47843f4fb6921ebe122a5e

SHA512
a8dc53f621e618393c501e34b2a3f6922c36583e71f4454a04a18a3280af5c268332b18c42578adb2e7c6db3f74003b5a8ed234f9d7e5974e34578b427381735

Download Submit
memory/4428-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4428-1-0x0000000000140000-0x00000000001A6000-memory.dmp

Filesize
408KB

Download
memory/4428-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4428-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4452-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4452-16-0x00000000015F0000-0x0000000001656000-memory.dmp

Filesize
408KB

Download
memory/4452-21-0x0000000004E80000-0x0000000004EDF000-memory.dmp

Filesize
380KB

Download
memory/4452-20-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4452-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4452-31-0x000000000B700000-0x000000000B73C000-memory.dmp

Filesize
240KB

Download
memory/4452-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download