45001469f7f6ae681eb6627f55f85d8bc61246f8320df8600b884fe2f3e41be6

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19/03/2024, 09:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d5cdbd89ff6d1620095878aa8f2628ef.exe
Size

385KB
MD5

d5cdbd89ff6d1620095878aa8f2628ef
SHA1

5872ec422909b9a4f3e9d8ba953e37cf1faf2322
SHA256

45001469f7f6ae681eb6627f55f85d8bc61246f8320df8600b884fe2f3e41be6
SHA512

fa6c5675260b0aab993bbadcba588e6e1fb55734a0ea20ecf429897483a9a985789821060a093eda7cc95c80dc4a77717e0fd396656a02dc727d6ee7cb21d6f4
SSDEEP

6144:kuwMBCCOIgY1zlPFEZy9TpAjXNW/ubVGE1Oz7BO8cd3Mi3lPyB:kucYh3EGVAUUVGLz1cd3Mi3oB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1884	d5cdbd89ff6d1620095878aa8f2628ef.exe

Executes dropped EXE 1 IoCs

pid	Process
1884	d5cdbd89ff6d1620095878aa8f2628ef.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
10	pastebin.com
22	pastebin.com

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
720	d5cdbd89ff6d1620095878aa8f2628ef.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
720	d5cdbd89ff6d1620095878aa8f2628ef.exe
1884	d5cdbd89ff6d1620095878aa8f2628ef.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 720 wrote to memory of 1884	720	d5cdbd89ff6d1620095878aa8f2628ef.exe	88
PID 720 wrote to memory of 1884	720	d5cdbd89ff6d1620095878aa8f2628ef.exe	88
PID 720 wrote to memory of 1884	720	d5cdbd89ff6d1620095878aa8f2628ef.exe	88

C:\Users\Admin\AppData\Local\Temp\d5cdbd89ff6d1620095878aa8f2628ef.exe
"C:\Users\Admin\AppData\Local\Temp\d5cdbd89ff6d1620095878aa8f2628ef.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:720
- C:\Users\Admin\AppData\Local\Temp\d5cdbd89ff6d1620095878aa8f2628ef.exe
  C:\Users\Admin\AppData\Local\Temp\d5cdbd89ff6d1620095878aa8f2628ef.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d5cdbd89ff6d1620095878aa8f2628ef.exe

Filesize
385KB

MD5
72976f5c8e017cc819f51ca093ee9390

SHA1
fbf3dd09ff27a2f63e58579ea84d8fa8d73f1c25

SHA256
657cc1c3534231e53c245e4b3255f41b8c7cf1201a3bb2085f5322cff82cf387

SHA512
db127e42646cce474118179a74f08972fce100b775e5eb944cfdc0e551adc430121210e4bf83fddadfb04972ccbe1b3790e8ca83ed2f05bddfb1145285dd205a

Download Submit
memory/720-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/720-1-0x00000000015A0000-0x0000000001606000-memory.dmp

Filesize
408KB

Download
memory/720-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/720-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1884-14-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1884-16-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/1884-22-0x0000000004EC0000-0x0000000004F1F000-memory.dmp

Filesize
380KB

Download
memory/1884-20-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1884-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1884-35-0x000000000B600000-0x000000000B63C000-memory.dmp

Filesize
240KB

Download
memory/1884-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download