82d704a625dab13592c38fda920c75bb9c99c3ff37bfabbac06358ef57c059c0

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19/03/2024, 02:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d4f50b269f9adcc1f2283ceef81bb736.exe
Size

771KB
MD5

d4f50b269f9adcc1f2283ceef81bb736
SHA1

8a067e4fab24a3826863d3487618d48ec3e59a6b
SHA256

82d704a625dab13592c38fda920c75bb9c99c3ff37bfabbac06358ef57c059c0
SHA512

cae880f46619fe8660449ffadaa07bf21e2253e38f3485f516edb3a1220ee75cba5eb4dde37d9c40a5370aac61e446ba48959d17b53e183eaa80d307bc5b6799
SSDEEP

12288:5iPUg0CbBiwElUeY+JokUHnB6JOQ1pb10VHmDXTuFaa2AtyGTKOF25ZoJJyhRgeG:fCbBvdCIH21pb10hJaothZ2/T6FBBB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3828	d4f50b269f9adcc1f2283ceef81bb736.exe

Executes dropped EXE 1 IoCs

pid	Process
3828	d4f50b269f9adcc1f2283ceef81bb736.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
5	pastebin.com
8	pastebin.com

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4192	d4f50b269f9adcc1f2283ceef81bb736.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4192	d4f50b269f9adcc1f2283ceef81bb736.exe
3828	d4f50b269f9adcc1f2283ceef81bb736.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4192 wrote to memory of 3828	4192	d4f50b269f9adcc1f2283ceef81bb736.exe	89
PID 4192 wrote to memory of 3828	4192	d4f50b269f9adcc1f2283ceef81bb736.exe	89
PID 4192 wrote to memory of 3828	4192	d4f50b269f9adcc1f2283ceef81bb736.exe	89

C:\Users\Admin\AppData\Local\Temp\d4f50b269f9adcc1f2283ceef81bb736.exe
"C:\Users\Admin\AppData\Local\Temp\d4f50b269f9adcc1f2283ceef81bb736.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4192
- C:\Users\Admin\AppData\Local\Temp\d4f50b269f9adcc1f2283ceef81bb736.exe
  C:\Users\Admin\AppData\Local\Temp\d4f50b269f9adcc1f2283ceef81bb736.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:3828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d4f50b269f9adcc1f2283ceef81bb736.exe

Filesize
771KB

MD5
55cff75f92cbeb72dd93a1070869909b

SHA1
4e9db495f7195d6f551bda2d0fec496d73078aaf

SHA256
c6480d58b5699a029618003af4a3e5c9bd235b0111f7eede5c567b89e557752c

SHA512
8802d83b515667bcc23d6fa613acb1bb7d2cb48b9a3f2352c13c9f2d089ed181cda69ba0eb79fe6ce56ced32bdd02cfd89cd90332921dc109d7e889023460834

Download Submit
memory/3828-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3828-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3828-16-0x00000000015A0000-0x0000000001606000-memory.dmp

Filesize
408KB

Download
memory/3828-20-0x0000000004EC0000-0x0000000004F1F000-memory.dmp

Filesize
380KB

Download
memory/3828-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3828-35-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3828-36-0x000000000B600000-0x000000000B63C000-memory.dmp

Filesize
240KB

Download
memory/3828-37-0x000000000B600000-0x000000000B63C000-memory.dmp

Filesize
240KB

Download
memory/4192-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4192-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4192-1-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/4192-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download