008f6ebfaf206b207cfd1b82e76183e148d750684efa12a41320d19bf80f4a19

Analysis

max time kernel
88s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19-03-2024 00:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d4bc76778aa14165d048727072cb17f3.exe
Size

385KB
MD5

d4bc76778aa14165d048727072cb17f3
SHA1

eccefdff3e33678ddf5a4868202256d2c01c3bbe
SHA256

008f6ebfaf206b207cfd1b82e76183e148d750684efa12a41320d19bf80f4a19
SHA512

de350d834eb4855ec1db9113ee5dae20735b35bbab08cb3b1b8ad91701c8db33b11d1f3909ec6436c2214bd6393e20cb3c27e735bce28367f5ebf91811ac8f42
SSDEEP

12288:X0KnVfTyE2J2Bgqlehqanwz21qCFpGkiSI4BVkoB:EKV7y1J2Cqlgq+z4CHZiysoB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4176	d4bc76778aa14165d048727072cb17f3.exe

Executes dropped EXE 1 IoCs

pid	Process
4176	d4bc76778aa14165d048727072cb17f3.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
3	pastebin.com
13	pastebin.com

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4968	d4bc76778aa14165d048727072cb17f3.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4968	d4bc76778aa14165d048727072cb17f3.exe
4176	d4bc76778aa14165d048727072cb17f3.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4968 wrote to memory of 4176	4968	d4bc76778aa14165d048727072cb17f3.exe	84
PID 4968 wrote to memory of 4176	4968	d4bc76778aa14165d048727072cb17f3.exe	84
PID 4968 wrote to memory of 4176	4968	d4bc76778aa14165d048727072cb17f3.exe	84

C:\Users\Admin\AppData\Local\Temp\d4bc76778aa14165d048727072cb17f3.exe
"C:\Users\Admin\AppData\Local\Temp\d4bc76778aa14165d048727072cb17f3.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4968
- C:\Users\Admin\AppData\Local\Temp\d4bc76778aa14165d048727072cb17f3.exe
  C:\Users\Admin\AppData\Local\Temp\d4bc76778aa14165d048727072cb17f3.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:4176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d4bc76778aa14165d048727072cb17f3.exe

Filesize
385KB

MD5
3810d63b2a967b9eedd806e723d38566

SHA1
0e6afa174cffec2820c240ab0ecc8e443c21f41c

SHA256
8185f67dded6054b5b898eff5759e7c2a3bf387c0dd82a3a6c5cabf9ed3eebdf

SHA512
4a8dc2f11e5a2ee9fb15622157e83aa8ad622965a98cb2ce467dfa38c940d06557fe1167bdb14db5bb386c41d97f77b95e1c827c6c4a463c193f1e1d52c4c345

Download Submit
memory/4176-16-0x0000000001620000-0x0000000001686000-memory.dmp

Filesize
408KB

Download
memory/4176-14-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4176-20-0x0000000004EB0000-0x0000000004F0F000-memory.dmp

Filesize
380KB

Download
memory/4176-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4176-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4176-35-0x000000000B700000-0x000000000B73C000-memory.dmp

Filesize
240KB

Download
memory/4176-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4968-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4968-1-0x0000000000140000-0x00000000001A6000-memory.dmp

Filesize
408KB

Download
memory/4968-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4968-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download