95f1acacb1b354c7c65174a8c861fb247cbe3fba7d206e47a2b6b49d0ae17ead

Analysis

max time kernel
137s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
18-03-2024 23:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d4a575dd1aae2cfe1bd3d27c28617949.exe
Size

385KB
MD5

d4a575dd1aae2cfe1bd3d27c28617949
SHA1

85ecde33b73555f2b784e1c4a562ae5b35b706e4
SHA256

95f1acacb1b354c7c65174a8c861fb247cbe3fba7d206e47a2b6b49d0ae17ead
SHA512

ce4d1ebe8864098898f6bd37a6b32eecf58ec9d66cf4c6cf07da4374e36080b483c205fcef0fcf5cbaa769c1aadaaae992f9b496f6fd841402ec216a32ebecef
SSDEEP

6144:gy++FfJIiJTEdpluhfjGP2plBAYh3FWema+jBGW/iBQjm5sZPFfB:JhTqploj/xA23FxUNGOiBH6bB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3944	d4a575dd1aae2cfe1bd3d27c28617949.exe

Executes dropped EXE 1 IoCs

pid	Process
3944	d4a575dd1aae2cfe1bd3d27c28617949.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
11	pastebin.com
21	pastebin.com

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1884	d4a575dd1aae2cfe1bd3d27c28617949.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1884	d4a575dd1aae2cfe1bd3d27c28617949.exe
3944	d4a575dd1aae2cfe1bd3d27c28617949.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1884 wrote to memory of 3944	1884	d4a575dd1aae2cfe1bd3d27c28617949.exe	89
PID 1884 wrote to memory of 3944	1884	d4a575dd1aae2cfe1bd3d27c28617949.exe	89
PID 1884 wrote to memory of 3944	1884	d4a575dd1aae2cfe1bd3d27c28617949.exe	89

C:\Users\Admin\AppData\Local\Temp\d4a575dd1aae2cfe1bd3d27c28617949.exe
"C:\Users\Admin\AppData\Local\Temp\d4a575dd1aae2cfe1bd3d27c28617949.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1884
- C:\Users\Admin\AppData\Local\Temp\d4a575dd1aae2cfe1bd3d27c28617949.exe
  C:\Users\Admin\AppData\Local\Temp\d4a575dd1aae2cfe1bd3d27c28617949.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:3944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d4a575dd1aae2cfe1bd3d27c28617949.exe

Filesize
385KB

MD5
fdd3f0f3aa4872995a1d14adebe33bce

SHA1
10a59e5710ce20b5f1708eaedb35276be9bd9a71

SHA256
f0fcea3f498ed9b852e59a52e7c0c7c490c9b6963f20c808a3a4e8ac94855ff5

SHA512
2d3492e2eea8dae572f6cdc5ae61392c3085d9e892412080450c4cb46b2153dd758b8bec2ada84c9dfe757c5ed5ba89eb7974801dd590d11d4aa97bbb7150808

Download Submit
memory/1884-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1884-1-0x00000000015D0000-0x0000000001636000-memory.dmp

Filesize
408KB

Download
memory/1884-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1884-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3944-14-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3944-17-0x0000000000150000-0x00000000001B6000-memory.dmp

Filesize
408KB

Download
memory/3944-20-0x0000000004E80000-0x0000000004EDF000-memory.dmp

Filesize
380KB

Download
memory/3944-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3944-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3944-35-0x000000000C630000-0x000000000C66C000-memory.dmp

Filesize
240KB

Download
memory/3944-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download